@@ -8,7 +8,7 @@ const lusca = require('lusca');
88
99const request = ( server , { cookie, headers, method = 'GET' , path = '/' } = { } ) => new Promise ( ( resolve , reject ) => {
1010 const req = http . request ( {
11- headers : { ...( cookie ? { cookie } : { } ) , ...headers } ,
11+ headers : { 'x-forwarded-proto' : 'https' , ...( cookie ? { cookie } : { } ) , ...headers } ,
1212 host : '127.0.0.1' ,
1313 method,
1414 path,
@@ -19,6 +19,7 @@ const request = (server, { cookie, headers, method = 'GET', path = '/' } = {}) =
1919 res . on ( 'end' , ( ) => resolve ( {
2020 body : body ? JSON . parse ( body ) : null ,
2121 cookie : res . headers [ 'set-cookie' ] && res . headers [ 'set-cookie' ] [ 0 ] . split ( ';' ) [ 0 ] ,
22+ setCookie : res . headers [ 'set-cookie' ] && res . headers [ 'set-cookie' ] [ 0 ] ,
2223 status : res . statusCode ,
2324 } ) ) ;
2425 } ) ;
@@ -31,7 +32,17 @@ describe('CSRF protection', () => {
3132
3233 beforeEach ( ( done ) => {
3334 const app = express ( ) ;
34- app . use ( session ( { resave : false , saveUninitialized : false , secret : 'test-secret' } ) ) ;
35+ app . set ( 'trust proxy' , 1 ) ;
36+ app . use ( session ( {
37+ cookie : {
38+ httpOnly : true ,
39+ sameSite : 'strict' ,
40+ secure : true ,
41+ } ,
42+ resave : false ,
43+ saveUninitialized : false ,
44+ secret : 'test-secret' ,
45+ } ) ) ;
3546 app . use ( lusca . csrf ( ) ) ;
3647 app . get ( '/csrf-token' , ( req , res ) => res . json ( { csrfToken : req . csrfToken ( ) } ) ) ;
3748 app . post ( '/change' , ( req , res ) => res . json ( { changed : true } ) ) ;
@@ -51,6 +62,7 @@ describe('CSRF protection', () => {
5162 expect ( tokenResponse . status ) . toBe ( 200 ) ;
5263 expect ( tokenResponse . body . csrfToken ) . toEqual ( expect . any ( String ) ) ;
5364 expect ( tokenResponse . cookie ) . toEqual ( expect . stringContaining ( 'connect.sid=' ) ) ;
65+ expect ( tokenResponse . setCookie ) . toEqual ( expect . stringContaining ( 'Secure' ) ) ;
5466
5567 expect ( await request ( server , {
5668 cookie : tokenResponse . cookie ,
0 commit comments