
Projects:CSRF Token/QA

Unit tests

A test case (CSRFAttackTest) is included to verify that requests are protected against CSRF attacks. Both tests attempt to create a Product: if no CSRF token is included (simulating an attack), the request should be rejected; if it is included, the Product should be created normally.

This protection should be completely transparent to the user, so all Selenium tests should work as expected with no changes.

For retail tests, AuthenticatedPOSRequestTest was created to allow testing isolated REST requests against a live POS instance. This infrastructure was used to create POSCsrfAttackTest, a test similar to the one implemented for the backoffice.

Performance

A critical step performance-wise is processing the POST request body to extract the CSRF token. Two approaches can be taken: parsing the whole body as JSON and reading the token from the resulting object, or matching the token directly in the raw body with a regular expression.

After comparing the performance of both approaches, the regex is significantly faster than the JSON parse, especially when the body string is large. To make the regex evaluation even faster, the pattern is compiled only the first time it is used and then cached for subsequent requests.
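To make the comparison concrete, here is an added Python sketch of the two extraction paths with the pattern compiled once and cached; it is example code written for this page, not Openbravo's own Java implementation, and the "csrfToken" key name and JSON body layout are assumptions. It also shows the caveat a reviewer would raise: the regex matches the first occurrence anywhere in the body, including inside nested objects, so the JSON parse remains the reference for where the token actually sits.

```python
import hmac
import json
import re
import timeit
from typing import Optional

# Assumed body layout: a JSON object carrying the token under the top-level key
# "csrfToken" (key name assumed for this example, not Openbravo's actual format).
TOKEN_KEY = "csrfToken"

# Compiled once at import and reused on every request, as the page describes.
TOKEN_RE = re.compile(r'"' + TOKEN_KEY + r'"\s*:\s*"([^"\\]*)"')


def extract_token_regex(body: str) -> Optional[str]:
    """Fast path: scan the raw body with the cached pattern; no full parse."""
    match = TOKEN_RE.search(body)
    return match.group(1) if match else None


def extract_token_json(body: str) -> Optional[str]:
    """Reference path: parse the whole body and read only the top-level key."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    value = data.get(TOKEN_KEY) if isinstance(data, dict) else None
    return value if isinstance(value, str) else None


def is_request_allowed(body: str, session_token: str) -> bool:
    """Reject a POST when the token is missing or differs from the session's."""
    supplied = extract_token_regex(body)
    if supplied is None:
        return False
    # Constant-time comparison so the check does not leak the token by timing.
    return hmac.compare_digest(supplied.encode(), session_token.encode())


def time_both(body: str, repeats: int = 20000) -> tuple:
    """Seconds taken by each path over `repeats` runs on the same body."""
    rx = timeit.timeit(lambda: extract_token_regex(body), number=repeats)
    js = timeit.timeit(lambda: extract_token_json(body), number=repeats)
    return rx, js


if __name__ == "__main__":
    # Constructed sample body: a large payload with the token near the front.
    sample = json.dumps({TOKEN_KEY: "abc123", "lines": [{"product": "P%d" % i} for i in range(500)]})
    print("regex %.3fs, json %.3fs" % time_both(sample))
```

Running the module prints the two timings on a constructed 500-line body; the gap grows with body size because the JSON path must parse everything while the regex stops at the first match.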

Code review

https://docs.google.com/spreadsheets/d/1Q8cABvlY7ibP9vdEMT0SoDAUtm6WNR5mPi-I76tofww/edit?ts=5b728b6b#gid=0

Retrieved from "http://wiki.openbravo.com/wiki/Projects:CSRF_Token/QA"

This page was last modified on 11 September 2018, at 09:12. Content is available under Creative Commons Attribution-ShareAlike 2.5 Spain License.