From 6727a1c8da4bf9156b4ba3ee57f8de06a2a38760 Mon Sep 17 00:00:00 2001
From: usbharu <64310155+usbharu@users.noreply.github.com>
Date: Thu, 30 Nov 2023 23:11:09 +0900
Subject: [PATCH] =?UTF-8?q?fix:=20POST:=20/api/v1/accounts=E3=81=AB?=
 =?UTF-8?q?=E5=AF=BE=E3=81=99=E3=82=8B=E3=83=AA=E3=82=AF=E3=82=A8=E3=82=B9?=
 =?UTF-8?q?=E3=83=88=E3=81=ABCSRF=E3=83=88=E3=83=BC=E3=82=AF=E3=83=B3?=
 =?UTF-8?q?=E3=81=8C=E5=BF=85=E9=A0=88=E3=81=AB?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../kotlin/mastodon/account/AccountApiTest.kt | 26 ++++++++++++++++++-
 .../application/config/SecurityConfig.kt      |  2 +-
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/src/intTest/kotlin/mastodon/account/AccountApiTest.kt b/src/intTest/kotlin/mastodon/account/AccountApiTest.kt
index b08e2cc5..fb8d66c6 100644
--- a/src/intTest/kotlin/mastodon/account/AccountApiTest.kt
+++ b/src/intTest/kotlin/mastodon/account/AccountApiTest.kt
@@ -129,12 +129,36 @@ class AccountApiTest {
         mockMvc
             .post("/api/v1/accounts") {
                 contentType = MediaType.APPLICATION_FORM_URLENCODED
-                param("username", "api-test-user-3")
+                param("username", "api-test-user-4")
                 with(SecurityMockMvcRequestPostProcessors.csrf())
             }
             .andExpect { status { isBadRequest() } }
     }
 
+    @Test
+    @WithAnonymousUser
+    fun apiV1AccountsPostでJSONで作ろうとしても400() {
+        mockMvc
+            .post("/api/v1/accounts") {
+                contentType = MediaType.APPLICATION_JSON
+                content = """{"username":"api-test-user-5","password":"very-very-secure-password"}"""
+                with(SecurityMockMvcRequestPostProcessors.csrf())
+            }
+            .andExpect { status { isUnsupportedMediaType() } }
+    }
+
+    @Test
+    @WithAnonymousUser
+    fun apiV1AccountsPostにCSRFトークンは必要() {
+        mockMvc
+            .post("/api/v1/accounts") {
+                contentType = MediaType.APPLICATION_FORM_URLENCODED
+                param("username", "api-test-user-2")
+                param("password", "very-secure-password")
+            }
+            .andExpect { status { isForbidden() } }
+    }
+
     companion object {
         @JvmStatic
         @AfterAll
diff --git a/src/main/kotlin/dev/usbharu/hideout/application/config/SecurityConfig.kt b/src/main/kotlin/dev/usbharu/hideout/application/config/SecurityConfig.kt
index fb2e86ec..be0d6919 100644
--- a/src/main/kotlin/dev/usbharu/hideout/application/config/SecurityConfig.kt
+++ b/src/main/kotlin/dev/usbharu/hideout/application/config/SecurityConfig.kt
@@ -190,7 +190,7 @@ class SecurityConfig {
             }
 
             csrf {
-                ignoringRequestMatchers("/users/*/inbox", "/inbox", "/api/v1/apps", "/api/v1/accounts")
+                ignoringRequestMatchers("/users/*/inbox", "/inbox", "/api/v1/apps")
             }
 
             headers {