discourse/spec/integration/multisite_cookies_spec.rb

# frozen_string_literal: true

RSpec.describe "multisite", type: %i[multisite request] do
  let!(:first_host) { get "http://test.localhost/session/csrf.json" }

  it "works" do
    get "http://test.localhost/session/csrf.json"
    expect(response).to have_http_status :ok
    cookie = CGI.escape(response.cookies["_forum_session"])
    id1 = session["session_id"]

    get "http://test.localhost/session/csrf.json",
        headers: {
          "Cookie" => "_forum_session=#{cookie};",
        }
    expect(response).to have_http_status :ok
    id2 = session["session_id"]

    expect(id1).to eq(id2)

    get "http://test2.localhost/session/csrf.json",
        headers: {
          "Cookie" => "_forum_session=#{cookie};",
        }
    expect(response).to have_http_status :ok
    id3 = session["session_id"]

    # Session cookie was rejected and rotated
    expect(id2).not_to eq(id3)
  end

  describe "Cookies rotator" do
    let!(:rotations) { request.cookies_rotations }
    let(:second_host) { get "http://test2.localhost/session/csrf.json" }
    let(:global_rotations) { Rails.application.config.action_dispatch.cookies_rotations }

    it "adds different rotations for different hosts" do
      first_host
      expect(request.cookies_rotations).to have_attributes signed: rotations.signed,
                      encrypted: rotations.encrypted

      second_host
      expect(request.cookies_rotations).not_to have_attributes signed: rotations.signed,
                      encrypted: rotations.encrypted
    end

    it "doesn't change global rotations" do
      second_host
      expect(global_rotations).to have_attributes signed: [], encrypted: []
    end
  end
end
SECURITY: Ensure _forum_session cookies cannot be reused between sites (#14950) This only affects multisite Discourse instances (where multiple forums are served from a single application server). The vast majority of self-hosted Discourse forums do not fall into this category. On affected instances, this vulnerability could allow encrypted session cookies to be re-used between sites served by the same application instance. 2021-11-15 10:50:12 -05:00			`# frozen_string_literal: true`

Add RSpec 4 compatibility (#17652) * Remove outdated option https://github.com/rspec/rspec-core/commit/04078317ba6577699d06cf4dccf014254dcde7a6 * Use the non-globally exposed RSpec syntax https://github.com/rspec/rspec-core/pull/2803 * Use the non-globally exposed RSpec syntax, cont https://github.com/rspec/rspec-core/pull/2803 * Comply to strict predicate matchers See: - https://github.com/rspec/rspec-expectations/pull/1195 - https://github.com/rspec/rspec-expectations/pull/1196 - https://github.com/rspec/rspec-expectations/pull/1277 2022-07-27 22:27:38 -04:00			`RSpec.describe "multisite", type: %i[multisite request] do`
DEV: Migrate existing cookies to Rails 7 format This patch introduces a cookies rotator as indicated in the Rails upgrade guide. This allows to migrate from the old SHA1 digest to the new SHA256 digest. 2022-05-19 10:58:31 -04:00			`let!(:first_host) { get "http://test.localhost/session/csrf.json" }`

SECURITY: Ensure _forum_session cookies cannot be reused between sites (#14950) This only affects multisite Discourse instances (where multiple forums are served from a single application server). The vast majority of self-hosted Discourse forums do not fall into this category. On affected instances, this vulnerability could allow encrypted session cookies to be re-used between sites served by the same application instance. 2021-11-15 10:50:12 -05:00			`it "works" do`
			`get "http://test.localhost/session/csrf.json"`
DEV: Migrate existing cookies to Rails 7 format This patch introduces a cookies rotator as indicated in the Rails upgrade guide. This allows to migrate from the old SHA1 digest to the new SHA256 digest. 2022-05-19 10:58:31 -04:00			`expect(response).to have_http_status :ok`
DEV: Apply Rails 6.1 defaults We never applied `config.load_defaults` since its inception (Rails 5.0) and doing so is necessary to properly upgrade to all the Rails 7 new defaults. 2022-05-19 10:58:31 -04:00			`cookie = CGI.escape(response.cookies["_forum_session"])`
SECURITY: Ensure _forum_session cookies cannot be reused between sites (#14950) This only affects multisite Discourse instances (where multiple forums are served from a single application server). The vast majority of self-hosted Discourse forums do not fall into this category. On affected instances, this vulnerability could allow encrypted session cookies to be re-used between sites served by the same application instance. 2021-11-15 10:50:12 -05:00			`id1 = session["session_id"]`

			`get "http://test.localhost/session/csrf.json",`
			`headers: {`
			`"Cookie" => "_forum_session=#{cookie};",`
			`}`
DEV: Migrate existing cookies to Rails 7 format This patch introduces a cookies rotator as indicated in the Rails upgrade guide. This allows to migrate from the old SHA1 digest to the new SHA256 digest. 2022-05-19 10:58:31 -04:00			`expect(response).to have_http_status :ok`
SECURITY: Ensure _forum_session cookies cannot be reused between sites (#14950) This only affects multisite Discourse instances (where multiple forums are served from a single application server). The vast majority of self-hosted Discourse forums do not fall into this category. On affected instances, this vulnerability could allow encrypted session cookies to be re-used between sites served by the same application instance. 2021-11-15 10:50:12 -05:00			`id2 = session["session_id"]`

			`expect(id1).to eq(id2)`

			`get "http://test2.localhost/session/csrf.json",`
			`headers: {`
			`"Cookie" => "_forum_session=#{cookie};",`
			`}`
DEV: Migrate existing cookies to Rails 7 format This patch introduces a cookies rotator as indicated in the Rails upgrade guide. This allows to migrate from the old SHA1 digest to the new SHA256 digest. 2022-05-19 10:58:31 -04:00			`expect(response).to have_http_status :ok`
SECURITY: Ensure _forum_session cookies cannot be reused between sites (#14950) This only affects multisite Discourse instances (where multiple forums are served from a single application server). The vast majority of self-hosted Discourse forums do not fall into this category. On affected instances, this vulnerability could allow encrypted session cookies to be re-used between sites served by the same application instance. 2021-11-15 10:50:12 -05:00			`id3 = session["session_id"]`

			`# Session cookie was rejected and rotated`
			`expect(id2).not_to eq(id3)`
			`end`
DEV: Migrate existing cookies to Rails 7 format This patch introduces a cookies rotator as indicated in the Rails upgrade guide. This allows to migrate from the old SHA1 digest to the new SHA256 digest. 2022-05-19 10:58:31 -04:00
			`describe "Cookies rotator" do`
			`let!(:rotations) { request.cookies_rotations }`
			`let(:second_host) { get "http://test2.localhost/session/csrf.json" }`
			`let(:global_rotations) { Rails.application.config.action_dispatch.cookies_rotations }`

			`it "adds different rotations for different hosts" do`
			`first_host`
			`expect(request.cookies_rotations).to have_attributes signed: rotations.signed,`
			`encrypted: rotations.encrypted`

			`second_host`
			`expect(request.cookies_rotations).not_to have_attributes signed: rotations.signed,`
			`encrypted: rotations.encrypted`
			`end`

			`it "doesn't change global rotations" do`
			`second_host`
			`expect(global_rotations).to have_attributes signed: [], encrypted: []`
			`end`
			`end`
SECURITY: Ensure _forum_session cookies cannot be reused between sites (#14950) This only affects multisite Discourse instances (where multiple forums are served from a single application server). The vast majority of self-hosted Discourse forums do not fall into this category. On affected instances, this vulnerability could allow encrypted session cookies to be re-used between sites served by the same application instance. 2021-11-15 10:50:12 -05:00			`end`