mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-05-13 17:46:02 +00:00
7cd26a0583
Some checks are pending
Release 3X-UI / build (386) (push) Waiting to run
Release 3X-UI / build (amd64) (push) Waiting to run
Release 3X-UI / build (arm64) (push) Waiting to run
Release 3X-UI / build (armv5) (push) Waiting to run
Release 3X-UI / build (armv6) (push) Waiting to run
Release 3X-UI / build (armv7) (push) Waiting to run
Release 3X-UI / build (s390x) (push) Waiting to run
Release 3X-UI / Build for Windows (push) Waiting to run
121 lines
3.5 KiB
Go
121 lines
3.5 KiB
Go
package middleware
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/mhsanaei/3x-ui/v3/web/session"
|
|
|
|
"github.com/gin-contrib/sessions"
|
|
"github.com/gin-contrib/sessions/cookie"
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
func TestCSRFMiddlewareAllowsSafeMethods(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
router := gin.New()
|
|
router.Use(CSRFMiddleware())
|
|
router.GET("/safe", func(c *gin.Context) {
|
|
c.String(http.StatusOK, "ok")
|
|
})
|
|
|
|
rec := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/safe", nil)
|
|
router.ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("status = %d, want %d", rec.Code, http.StatusOK)
|
|
}
|
|
}
|
|
|
|
func TestCSRFMiddlewareRejectsMissingTokenAndAcceptsValidToken(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
router := gin.New()
|
|
store := cookie.NewStore([]byte("01234567890123456789012345678901"))
|
|
router.Use(sessions.Sessions("3x-ui", store))
|
|
router.GET("/token", func(c *gin.Context) {
|
|
token, err := session.EnsureCSRFToken(c)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
c.String(http.StatusOK, token)
|
|
})
|
|
router.POST("/submit", CSRFMiddleware(), func(c *gin.Context) {
|
|
c.String(http.StatusOK, "ok")
|
|
})
|
|
|
|
tokenRec := httptest.NewRecorder()
|
|
tokenReq := httptest.NewRequest(http.MethodGet, "/token", nil)
|
|
router.ServeHTTP(tokenRec, tokenReq)
|
|
if tokenRec.Code != http.StatusOK {
|
|
t.Fatalf("token status = %d, want %d", tokenRec.Code, http.StatusOK)
|
|
}
|
|
cookies := tokenRec.Result().Cookies()
|
|
token := tokenRec.Body.String()
|
|
|
|
missingRec := httptest.NewRecorder()
|
|
missingReq := httptest.NewRequest(http.MethodPost, "/submit", nil)
|
|
for _, cookie := range cookies {
|
|
missingReq.AddCookie(cookie)
|
|
}
|
|
router.ServeHTTP(missingRec, missingReq)
|
|
if missingRec.Code != http.StatusForbidden {
|
|
t.Fatalf("missing token status = %d, want %d", missingRec.Code, http.StatusForbidden)
|
|
}
|
|
|
|
validRec := httptest.NewRecorder()
|
|
validReq := httptest.NewRequest(http.MethodPost, "/submit", nil)
|
|
for _, cookie := range cookies {
|
|
validReq.AddCookie(cookie)
|
|
}
|
|
validReq.Header.Set(session.CSRFHeaderName, token)
|
|
router.ServeHTTP(validRec, validReq)
|
|
if validRec.Code != http.StatusOK {
|
|
t.Fatalf("valid token status = %d, want %d", validRec.Code, http.StatusOK)
|
|
}
|
|
}
|
|
|
|
func TestSecurityHeadersMiddleware(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
router := gin.New()
|
|
router.Use(SecurityHeadersMiddleware(true))
|
|
router.GET("/", func(c *gin.Context) {
|
|
c.String(http.StatusOK, "ok")
|
|
})
|
|
|
|
rec := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
|
router.ServeHTTP(rec, req)
|
|
|
|
headers := rec.Result().Header
|
|
if got := headers.Get("X-Content-Type-Options"); got != "nosniff" {
|
|
t.Fatalf("X-Content-Type-Options = %q", got)
|
|
}
|
|
if got := headers.Get("X-Frame-Options"); got != "DENY" {
|
|
t.Fatalf("X-Frame-Options = %q", got)
|
|
}
|
|
if got := headers.Get("Referrer-Policy"); got != "no-referrer" {
|
|
t.Fatalf("Referrer-Policy = %q", got)
|
|
}
|
|
if got := headers.Get("Strict-Transport-Security"); got == "" {
|
|
t.Fatal("Strict-Transport-Security should be set for direct HTTPS")
|
|
}
|
|
}
|
|
|
|
func TestSecurityHeadersMiddlewareSkipsHSTSWithoutDirectHTTPS(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
router := gin.New()
|
|
router.Use(SecurityHeadersMiddleware(false))
|
|
router.GET("/", func(c *gin.Context) {
|
|
c.String(http.StatusOK, "ok")
|
|
})
|
|
|
|
rec := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
|
router.ServeHTTP(rec, req)
|
|
|
|
if got := rec.Result().Header.Get("Strict-Transport-Security"); got != "" {
|
|
t.Fatalf("Strict-Transport-Security = %q, want empty", got)
|
|
}
|
|
}
|