discourse/spec/integration/multisite_cookies_spec.rb

# frozen_string_literal: true

RSpec.describe 'multisite', type: [:multisite, :request] do
  it "works" do
    get "http://test.localhost/session/csrf.json"
    expect(response.status).to eq(200)
    cookie = CGI.escape(response.cookies["_forum_session"])
    id1 = session["session_id"]

    get "http://test.localhost/session/csrf.json", headers: { "Cookie" => "_forum_session=#{cookie};" }
    expect(response.status).to eq(200)
    id2 = session["session_id"]

    expect(id1).to eq(id2)

    get "http://test2.localhost/session/csrf.json", headers: { "Cookie" => "_forum_session=#{cookie};" }
    expect(response.status).to eq(200)
    id3 = session["session_id"]

    # Session cookie was rejected and rotated
    expect(id2).not_to eq(id3)
  end
end
SECURITY: Ensure _forum_session cookies cannot be reused between sites (#14950) This only affects multisite Discourse instances (where multiple forums are served from a single application server). The vast majority of self-hosted Discourse forums do not fall into this category. On affected instances, this vulnerability could allow encrypted session cookies to be re-used between sites served by the same application instance. 2021-11-15 15:50:12 +00:00			`# frozen_string_literal: true`

Add RSpec 4 compatibility (#17652) * Remove outdated option https://github.com/rspec/rspec-core/commit/04078317ba6577699d06cf4dccf014254dcde7a6 * Use the non-globally exposed RSpec syntax https://github.com/rspec/rspec-core/pull/2803 * Use the non-globally exposed RSpec syntax, cont https://github.com/rspec/rspec-core/pull/2803 * Comply to strict predicate matchers See: - https://github.com/rspec/rspec-expectations/pull/1195 - https://github.com/rspec/rspec-expectations/pull/1196 - https://github.com/rspec/rspec-expectations/pull/1277 2022-07-28 05:27:38 +03:00			`RSpec.describe 'multisite', type: [:multisite, :request] do`
SECURITY: Ensure _forum_session cookies cannot be reused between sites (#14950) This only affects multisite Discourse instances (where multiple forums are served from a single application server). The vast majority of self-hosted Discourse forums do not fall into this category. On affected instances, this vulnerability could allow encrypted session cookies to be re-used between sites served by the same application instance. 2021-11-15 15:50:12 +00:00			`it "works" do`
			`get "http://test.localhost/session/csrf.json"`
			`expect(response.status).to eq(200)`
DEV: Apply Rails 6.1 defaults We never applied `config.load_defaults` since its inception (Rails 5.0) and doing so is necessary to properly upgrade to all the Rails 7 new defaults. 2022-05-19 16:58:31 +02:00			`cookie = CGI.escape(response.cookies["_forum_session"])`
SECURITY: Ensure _forum_session cookies cannot be reused between sites (#14950) This only affects multisite Discourse instances (where multiple forums are served from a single application server). The vast majority of self-hosted Discourse forums do not fall into this category. On affected instances, this vulnerability could allow encrypted session cookies to be re-used between sites served by the same application instance. 2021-11-15 15:50:12 +00:00			`id1 = session["session_id"]`

			`get "http://test.localhost/session/csrf.json", headers: { "Cookie" => "_forum_session=#{cookie};" }`
			`expect(response.status).to eq(200)`
			`id2 = session["session_id"]`

			`expect(id1).to eq(id2)`

			`get "http://test2.localhost/session/csrf.json", headers: { "Cookie" => "_forum_session=#{cookie};" }`
			`expect(response.status).to eq(200)`
			`id3 = session["session_id"]`

			`# Session cookie was rejected and rotated`
			`expect(id2).not_to eq(id3)`
			`end`
			`end`