fix: POST: /api/v1/accountsに対するリクエストにCSRFトークンが必須に

usbharu 2023-11-30 23:11:09 +09:00
parent 50415688d5
commit 6727a1c8da
2 changed files with 26 additions and 2 deletions


@ -129,12 +129,36 @@ class AccountApiTest {
mockMvc
.post("/api/v1/accounts") {
contentType = MediaType.APPLICATION_FORM_URLENCODED
param("username", "api-test-user-3")
param("username", "api-test-user-4")
with(SecurityMockMvcRequestPostProcessors.csrf())
}
.andExpect { status { isBadRequest() } }
}
@Test
@WithAnonymousUser
fun apiV1AccountsPostでJSONで作ろうとしても400() {
mockMvc
.post("/api/v1/accounts") {
contentType = MediaType.APPLICATION_JSON
content = """{"username":"api-test-user-5","password":"very-very-secure-password"}"""
with(SecurityMockMvcRequestPostProcessors.csrf())
}
.andExpect { status { isUnsupportedMediaType() } }
}
@Test
@WithAnonymousUser
fun apiV1AccountsPostにCSRFトークンは必要() {
mockMvc
.post("/api/v1/accounts") {
contentType = MediaType.APPLICATION_FORM_URLENCODED
param("username", "api-test-user-2")
param("password", "very-secure-password")
}
.andExpect { status { isForbidden() } }
}
companion object {
@JvmStatic
@AfterAll
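Review bot: The test added as `apiV1AccountsPostでJSONで作ろうとしても400` promises a 400 in its name but asserts `isUnsupportedMediaType()`, which is 415; either rename it to `apiV1AccountsPostでJSONで作ろうとしても415` or, if a 400 is what the endpoint is meant to return, change the expectation — as written the name misleads whoever reads a failure. The new CSRF test `apiV1AccountsPostにCSRFトークンは必要` only exercises the missing-token case, while CSRF protection must also reject a forged token, so a sibling test that adds `with(SecurityMockMvcRequestPostProcessors.csrf().useInvalidToken())` to the same form request and keeps the `isForbidden()` expectation would pin that down as well. It would also be worth asserting afterwards that no `api-test-user-2` account exists, so the 403 is shown to come from the filter rather than after the handler ran — the fixture needed for that is not visible here, so adapt it to whatever the class's `@AfterAll` cleanup already uses. The enclosing `AccountApiTest` class starts and ends outside this hunk.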


@ -190,7 +190,7 @@ class SecurityConfig {
}
csrf {
ignoringRequestMatchers("/users/*/inbox", "/inbox", "/api/v1/apps", "/api/v1/accounts")
ignoringRequestMatchers("/users/*/inbox", "/inbox", "/api/v1/apps")
}
headers {