use Mojo::Base -strict;
BEGIN { $ENV{MOJO_REACTOR} = 'Mojo::Reactor::Poll' }
use Test::Mojo;
use Test::More;
use Mojo::Util;
use Mojolicious::Lite;
# One signing secret for the app under test; later subtests replace the list to exercise rotation.
app->secrets(['test1']);

# Starts a session by storing a fixed user name; the session cookie is issued with this response.
get '/login' => sub {
    my ($c) = @_;
    $c->session(user => 'sri');
    $c->render(text => 'logged in');
};
# Reports the user recorded in the session, or 'nobody' when no session (or no user key) is present.
get '/session' => sub {
    my ($c) = @_;
    my $user = $c->session('user') // 'nobody';
    $c->render(text => 'user:' . $user);
};
# Removes only the 'user' key from the session. NOTE(review): the session itself is not
# expired here, so a session cookie is presumably still issued; sufficient for this test,
# but a real logout would also invalidate the session.
get '/logout' => sub {
    my ($c) = @_;
    my $session = $c->session;
    delete $session->{user};
    $c->render(text => 'logged out');
};
my $t = Test::Mojo->new;

subtest 'User session (signed cookie)' => sub {
    is $t->app->sessions->encrypted, undef, 'not encrypted by default';

    # No cookie yet: consecutive requests both see an empty session.
    $t->get_ok('/session')->status_is(200)->content_is('user:nobody') for 1 .. 2;

    $t->get_ok('/login')->status_is(200)->content_is('logged in');
    $t->get_ok('/session')->status_is(200)->content_is('user:sri');

    # Signed format as checked here: payload, dash separator(s), signature.
    # Assumes the session cookie is the first Set-Cookie on the response.
    my $cookie_value = $t->tx->res->cookies->[0]->value;
    like $cookie_value, qr/^[^-]+-+[^-]+$/, 'signed cookie format';

    $t->get_ok('/session')->status_is(200)->content_is('user:sri');
    $t->get_ok('/logout')->status_is(200)->content_is('logged out');

    # After logout the user key is gone and stays gone.
    $t->get_ok('/session')->status_is(200)->content_is('user:nobody') for 1 .. 2;
};
subtest 'User session (encrypted cookie)' => sub {
    # Encrypted sessions need CryptX; skip the whole subtest when it is unavailable.
    plan skip_all => 'CryptX required!' unless Mojo::Util->CRYPTX;

    # Drop the cookie left over from the signed-cookie subtest, then switch to encryption.
    $t->reset_session;
    $t->app->sessions->encrypted(1);

    $t->get_ok('/session')->status_is(200)->content_is('user:nobody') for 1 .. 2;
    $t->get_ok('/login')->status_is(200)->content_is('logged in');
    $t->get_ok('/session')->status_is(200)->content_is('user:sri');

    # Encrypted format as checked here: three dash-separated parts.
    # Assumes the session cookie is the first Set-Cookie on the response.
    my $cookie_value = $t->tx->res->cookies->[0]->value;
    like $cookie_value, qr/^[^-]+-[^-]+-[^-]+$/, 'encrypted cookie format';

    $t->get_ok('/session')->status_is(200)->content_is('user:sri');
    $t->get_ok('/logout')->status_is(200)->content_is('logged out');
    $t->get_ok('/session')->status_is(200)->content_is('user:nobody') for 1 .. 2;
};
subtest 'Rotating secrets' => sub {

    # Shared check: /session reports the given user with a 200.
    my $user_is = sub {
        my ($who) = @_;
        $t->get_ok('/session')->status_is(200)->content_is("user:$who");
    };

    subtest 'User session (signed cookie)' => sub {
        # Fresh client state and a single, known secret; signing rather than encryption.
        $t->reset_session;
        $t->app->secrets(['test1']);
        $t->app->sessions->encrypted(0);

        $user_is->('nobody') for 1 .. 2;
        $t->get_ok('/login')->status_is(200)->content_is('logged in');
        $user_is->('sri');

        # Rotate: the new secret goes first, the old one stays in the list so the
        # cookie issued under 'test1' is still accepted.
        $t->app->secrets(['test2', 'test1']);
        $user_is->('sri');

        $t->get_ok('/logout')->status_is(200)->content_is('logged out');
        $user_is->('nobody') for 1 .. 2;
    };

    subtest 'User session (encrypted cookie)' => sub {
        # Encrypted sessions need CryptX; skip the whole subtest when it is unavailable.
        plan skip_all => 'CryptX required!' unless Mojo::Util->CRYPTX;

        $t->reset_session;
        $t->app->secrets(['test1']);
        $t->app->sessions->encrypted(1);

        $user_is->('nobody') for 1 .. 2;
        $t->get_ok('/login')->status_is(200)->content_is('logged in');
        $user_is->('sri');

        # Same rotation as above, this time for an encrypted cookie.
        $t->app->secrets(['test2', 'test1']);
        $user_is->('sri');

        $t->get_ok('/logout')->status_is(200)->content_is('logged out');
        $user_is->('nobody') for 1 .. 2;
    };
};

done_testing();