Commit d603304e authored by Kazuhiko Shiozaki's avatar Kazuhiko Shiozaki

test: cookie attribute match is case-insensitive.

parent a0dfb228
...@@ -166,9 +166,9 @@ class TestFacebookLogin(ERP5TypeTestCase): ...@@ -166,9 +166,9 @@ class TestFacebookLogin(ERP5TypeTestCase):
self.portal.ERP5Site_callbackFacebookLogin(code=CODE) self.portal.ERP5Site_callbackFacebookLogin(code=CODE)
ac_cookie, = [v for (k, v) in response.listHeaders() if k.lower() == 'set-cookie' and '__ac_facebook_hash=' in v] ac_cookie, = [v for (k, v) in response.listHeaders() if k.lower() == 'set-cookie' and '__ac_facebook_hash=' in v]
self.assertIn('; Secure', ac_cookie) self.assertIn('; secure', ac_cookie.lower())
self.assertIn('; HttpOnly', ac_cookie) self.assertIn('; httponly', ac_cookie.lower())
self.assertIn('; SameSite=Lax', ac_cookie) self.assertIn('; samesite=lax', ac_cookie.lower())
def test_create_user_in_ERP5Site_createFacebookUserToOAuth(self): def test_create_user_in_ERP5Site_createFacebookUserToOAuth(self):
""" """
......
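Review bot: The three attribute assertions after the `ac_cookie, = [...]` line lowercase the whole Set-Cookie value and substring-match it, so the cookie's own value takes part in the match and a longer attribute that merely starts with the expected text would also pass. Splitting the header into attributes checks exactly what is meant: `attributes = {a.strip().lower() for a in ac_cookie.split(';')[1:]}` followed by `self.assertIn('secure', attributes)`, and likewise for `'httponly'` and `'samesite=lax'`. The same three lines appear in the TestGoogleLogin and TestOpenIdConnectLogin hunks, so a small shared helper would keep the three login tests in step. The test method that these lines close starts above the hunk.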
...@@ -215,9 +215,9 @@ class TestGoogleLogin(GoogleLoginTestCase): ...@@ -215,9 +215,9 @@ class TestGoogleLogin(GoogleLoginTestCase):
getUserEntry_mock.assert_called_once() getUserEntry_mock.assert_called_once()
ac_cookie, = [v for (k, v) in response.listHeaders() if k.lower() == 'set-cookie' and '__ac_google_hash=' in v] ac_cookie, = [v for (k, v) in response.listHeaders() if k.lower() == 'set-cookie' and '__ac_google_hash=' in v]
self.assertIn('; Secure', ac_cookie) self.assertIn('; secure', ac_cookie.lower())
self.assertIn('; HttpOnly', ac_cookie) self.assertIn('; httponly', ac_cookie.lower())
self.assertIn('; SameSite=Lax', ac_cookie) self.assertIn('; samesite=lax', ac_cookie.lower())
def test_create_user_in_ERP5Site_createGoogleUserToOAuth(self): def test_create_user_in_ERP5Site_createGoogleUserToOAuth(self):
""" """
......
...@@ -134,9 +134,9 @@ class TestOpenIdConnectLogin(OpenIdConnectLoginTestCase): ...@@ -134,9 +134,9 @@ class TestOpenIdConnectLogin(OpenIdConnectLoginTestCase):
getUserEntry_mock.assert_called_once() getUserEntry_mock.assert_called_once()
ac_cookie, = [v for (k, v) in response.listHeaders() if k.lower() == 'set-cookie' and '__ac_openidconnect_hash=' in v] ac_cookie, = [v for (k, v) in response.listHeaders() if k.lower() == 'set-cookie' and '__ac_openidconnect_hash=' in v]
self.assertIn('; Secure', ac_cookie) self.assertIn('; secure', ac_cookie.lower())
self.assertIn('; HttpOnly', ac_cookie) self.assertIn('; httponly', ac_cookie.lower())
self.assertIn('; SameSite=Lax', ac_cookie) self.assertIn('; samesite=lax', ac_cookie.lower())
def test_existing_user(self): def test_existing_user(self):
state=uuid.uuid4().hex state=uuid.uuid4().hex
......
...@@ -1586,7 +1586,7 @@ class TestAuthenticationCookie(UserManagementTestCase): ...@@ -1586,7 +1586,7 @@ class TestAuthenticationCookie(UserManagementTestCase):
self.assertIn('; Secure', ac_cookie) self.assertIn('; Secure', ac_cookie)
# HttpOnly flag so that javascript cannot access cookie # HttpOnly flag so that javascript cannot access cookie
self.assertIn('; HttpOnly', ac_cookie) self.assertIn('; httponly', ac_cookie.lower())
# SameSite=Lax flag so that cookie is not sent on cross origin requests. # SameSite=Lax flag so that cookie is not sent on cross origin requests.
# We set Lax (and not strict) so that opening a link to ERP5 from an # We set Lax (and not strict) so that opening a link to ERP5 from an
......
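Review bot: The `'; Secure'` assertion at the top of this hunk is still case-sensitive, while the `HttpOnly` check below it now compares against `ac_cookie.lower()`, so this test is stricter about casing than the three login tests changed in the same commit. If the attribute casing can differ between server versions, as the commit title suggests, the first check would read `self.assertIn('; secure', ac_cookie.lower())`. The SameSite assertion and the rest of the test method lie outside the hunk, so the same question applies there but cannot be judged from here.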
  • Ah yes :) this is a better approach than 6754a00b and we could push this in master already
