diff --git a/test/test.js b/test/test.js
index 2d4fa81..f0c13fc 100644
--- a/test/test.js
+++ b/test/test.js
@@ -89,64 +89,159 @@ describe('Cookie Session', function () { describe('when options.signed = true', function () { describe('when options.keys are set', function () { - it('should work', function (done) { - var app = connect() - app.use(session({ - keys: ['a', 'b'] - })) - app.use(function (req, res, next) { + before(function () { + this.app = connect() + this.app.use(session({ keys: ['a', 'b'] })) + this.app.use('/get', function (req, res) { + res.setHeader('Content-Type', 'application/json') + res.end(JSON.stringify(req.session)) + }) + this.app.use('/set', function (req, res) { req.session.message = 'hi' res.end() }) + }) - request(app) - .get('/') + it('should set cookie signature', function (done) { + request(this.app) + .get('/set') + .expect(shouldHaveCookie('session')) + .expect(shouldHaveCookie('session.sig')) .expect(200, '', done) }) + + it('should set cookie signature with first key', function (done) { + request(this.app) + .get('/set') + .expect(shouldHaveCookieWithValue('session', 'eyJtZXNzYWdlIjoiaGkifQ==')) + .expect(shouldHaveCookieWithValue('session.sig', 'vdp2-kj-91tgzbWcV1QzofT3hu0')) + .expect(200, '', done) + }) + + it('should accept session with signature', function (done) { + request(this.app) + .get('/get') + .set('Cookie', 'session=eyJtZXNzYWdlIjoiaGkifQ==; session.sig=vdp2-kj-91tgzbWcV1QzofT3hu0') + .expect(200, { message: 'hi' }, done) + }) + + it('should accept session with secondary signature', function (done) { + request(this.app) + .get('/get') + .set('Cookie', 'session=eyJtZXNzYWdlIjoiaGkifQ==; session.sig=SiRRAEncekXEzVdvey_7SkWaMM4') + .expect(200, { message: 'hi' }, done) + }) + + it('should reject session with invalid signature', function (done) { + request(this.app) + .get('/get') + .set('Cookie', 'session=eyJtZXNzYWdlIjoiaGkifQ==; session.sig=foobar') + .expect(200, {}, done) + }) + + it('should reject session with no signature', function (done) { + request(this.app) + .get('/get') + .set('Cookie', 
'session=eyJtZXNzYWdlIjoiaGkifQ==') + .expect(200, {}, done) + }) }) describe('when options.secret is set', function () { - it('should work', function (done) { - var app = connect() - app.use(session({ - secret: 'a' - })) - app.use(function (req, res, next) { + before(function () { + this.app = connect() + this.app.use(session({ secret: 'a' })) + this.app.use('/get', function (req, res) { + res.setHeader('Content-Type', 'application/json') + res.end(JSON.stringify(req.session)) + }) + this.app.use('/set', function (req, res) { req.session.message = 'hi' res.end() }) + }) - request(app) - .get('/') + it('should set cookie signature', function (done) { + request(this.app) + .get('/set') + .expect(shouldHaveCookie('session')) + .expect(shouldHaveCookie('session.sig')) .expect(200, '', done) }) + + it('should set cookie signature with only key', function (done) { + request(this.app) + .get('/set') + .expect(shouldHaveCookieWithValue('session', 'eyJtZXNzYWdlIjoiaGkifQ==')) + .expect(shouldHaveCookieWithValue('session.sig', 'vdp2-kj-91tgzbWcV1QzofT3hu0')) + .expect(200, '', done) + }) + + it('should accept session with signature', function (done) { + request(this.app) + .get('/get') + .set('Cookie', 'session=eyJtZXNzYWdlIjoiaGkifQ==; session.sig=vdp2-kj-91tgzbWcV1QzofT3hu0') + .expect(200, { message: 'hi' }, done) + }) + + it('should reject session with invalid signature', function (done) { + request(this.app) + .get('/get') + .set('Cookie', 'session=eyJtZXNzYWdlIjoiaGkifQ==; session.sig=foobar') + .expect(200, {}, done) + }) + + it('should reject session with no signature', function (done) { + request(this.app) + .get('/get') + .set('Cookie', 'session=eyJtZXNzYWdlIjoiaGkifQ==') + .expect(200, {}, done) + }) }) describe('when options.keys are not set', function () { it('should throw', function () { assert.throws(function () { session() - }) + }, /\.keys required/) }) }) }) describe('when options.signed = false', function () { - describe('when app.keys are not set', 
function () { - it('should work', function (done) { - var app = connect() - app.use(session({ - signed: false - })) - app.use(function (req, res, next) { - req.session.message = 'hi' - res.end() - }) - - request(app) - .get('/') - .expect(200, done) + before(function () { + this.app = connect() + this.app.use(session({ signed: false })) + this.app.use('/get', function (req, res) { + res.setHeader('Content-Type', 'application/json') + res.end(JSON.stringify(req.session)) }) + this.app.use('/set', function (req, res) { + req.session.message = 'hi' + res.end() + }) + }) + + it('should not set cookie signature', function (done) { + request(this.app) + .get('/set') + .expect(shouldHaveCookie('session')) + .expect(shouldNotHaveCookie('session.sig')) + .expect(200, done) + }) + + it('should accept session without signature', function (done) { + request(this.app) + .get('/get') + .set('Cookie', 'session=eyJtZXNzYWdlIjoiaGkifQ==') + .expect(200, { message: 'hi' }, done) + }) + + it('should accept session with invalid signature', function (done) { + request(this.app) + .get('/get') + .set('Cookie', 'session=eyJtZXNzYWdlIjoiaGkifQ==; session.sig=foobar') + .expect(200, { message: 'hi' }, done) }) }) @@ -557,6 +652,12 @@ function shouldHaveCookieWithValue (name, value) { } } +function shouldNotHaveCookie (name) { + return function (res) { + assert.ok(!(name in cookies(res)), 'should not have cookie "' + name + '"') + } +} + function shouldNotSetCookies () { return function (res) { assert.strictEqual(res.headers['set-cookie'], undefined, 'should not set cookies')
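Review bot: The two 'should reject session with invalid signature' cases (`session.sig=foobar`, in both the `options.keys` and `options.secret` describes) only cover a malformed signature; nothing checks that a well-formed signature that was valid for a different payload is also rejected, which is the value-tampering case the signature exists to catch. A third case per describe would close that gap: `.set('Cookie', 'session=eyJtZXNzYWdlIjoiYnllIn0=; session.sig=vdp2-kj-91tgzbWcV1QzofT3hu0')` expecting `200, {}` (the session value is a constructed base64 of `{"message":"bye"}`, paired with the signature the hunk records for `{"message":"hi"}`). The 'should accept session with secondary signature' case could likewise assert what the response does with `session.sig`: if the key ring re-signs with the first key on a secondary-key match, `.expect(shouldHaveCookieWithValue('session.sig', 'vdp2-kj-91tgzbWcV1QzofT3hu0'))` would pin the rotation behaviour, but that is inferred from the usual keygrip convention rather than visible here. The enclosing `describe('Cookie Session')` and `describe('when options.signed = true')` blocks open before the hunk.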
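Review bot: `shouldNotHaveCookie` tests membership with `name in cookies(res)`, which also matches inherited properties when `cookies(res)` returns a plain object, so a cookie name colliding with an `Object.prototype` key would make the assertion fail for the wrong reason; `assert.ok(!Object.prototype.hasOwnProperty.call(cookies(res), name), 'should not have cookie "' + name + '"')` checks the cookie jar itself. How the sibling `shouldHaveCookie` helper tests presence is not visible in the hunk, so keep the two consistent either way.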