From 10949184cafc2edc5de178c4972b6396c723bb31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Thu, 20 Jan 2022 18:22:10 -0500
Subject: [PATCH] test: add failing guest csrf test (#10169)
* test: add failing guest csrf test
* test: use correct var
* fix: use applyCsrf for guests as well
---
 src/middleware/user.js | 8 ++++----
 test/topics.js | 44 ++++++++++++++++++++++++++++++++++++------
 2 files changed, 42 insertions(+), 10 deletions(-)
diff --git a/src/middleware/user.js b/src/middleware/user.js
index f43b77c060..827e1e204a 100644
--- a/src/middleware/user.js
+++ b/src/middleware/user.js
@@ -42,12 +42,12 @@ module.exports = function (middleware) {
 return true; }
- if (req.loggedIn) {
+ if (res.locals.isAPI && (req.loggedIn || !req.headers.hasOwnProperty('authorization'))) {
 // If authenticated via cookie (express-session), protect routes with CSRF checking
- if (res.locals.isAPI) {
- await middleware.applyCSRFasync(req, res);
- }
+ await middleware.applyCSRFasync(req, res);
+ }
+ if (req.loggedIn) {
 return true; } else if (req.headers.hasOwnProperty('authorization')) { const user = await passportAuthenticateAsync(req, res);
diff --git a/test/topics.js b/test/topics.js
index b53e90f69e..8eeb821ce5 100644
--- a/test/topics.js
+++ b/test/topics.js
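Review bot: The comment kept above `await middleware.applyCSRFasync(req, res);` no longer describes the branch it sits in: the new condition also sends unauthenticated guests with no `authorization` header through the CSRF check, so "If authenticated via cookie" is now misleading. I would replace it with `// Session/cookie-backed API requests (logged in or guest) get CSRF checking; requests carrying an Authorization header are exempt`. `req.headers.hasOwnProperty('authorization')` is now evaluated twice in the same function; hoisting it into `const hasAuthHeader = req.headers.hasOwnProperty('authorization');` before the CSRF condition keeps the two branches visibly in agreement. Note that the exemption is a presence check only, so an empty or malformed header skips CSRF and relies on the passport branch below rejecting the request; that branch continues outside the hunk, as does the enclosing function.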
@@ -130,17 +130,41 @@ describe('Topic\'s', () => {
 }); });
- it('should fail to post a topic as guest if no privileges', async () => {
+ it('should fail to post a topic as guest with invalid csrf_token', async () => {
 const categoryObj = await categories.create({ name: 'Test Category', description: 'Test category created by testing script', });
+ await privileges.categories.give(['groups:topics:create'], categoryObj.cid, 'guests');
+ await privileges.categories.give(['groups:topics:reply'], categoryObj.cid, 'guests');
 const result = await requestType('post', `${nconf.get('url')}/api/v3/topics`, { form: { title: 'just a title', cid: categoryObj.cid, content: 'content for the main post', },
+ headers: {
+ 'x-csrf-token': 'invalid',
+ },
+ json: true,
+ });
+ assert.strictEqual(result.res.statusCode, 403);
+ assert.strictEqual(result.body, 'Forbidden');
+ });
+
+ it('should fail to post a topic as guest if no privileges', async () => {
+ const categoryObj = await categories.create({
+ name: 'Test Category',
+ description: 'Test category created by testing script',
+ });
+ const jar = request.jar();
+ const result = await helpers.request('post', `/api/v3/topics`, {
+ form: {
+ title: 'just a title',
+ cid: categoryObj.cid,
+ content: 'content for the main post',
+ },
+ jar: jar,
 json: true, }); assert.strictEqual(result.body.status.message, 'You do not have enough privileges for this action.');
@@ -154,12 +178,14 @@ describe('Topic\'s', () => {
 await privileges.categories.give(['groups:topics:create'], categoryObj.cid, 'guests'); await privileges.categories.give(['groups:topics:reply'], categoryObj.cid, 'guests');
- const result = await requestType('post', `${nconf.get('url')}/api/v3/topics`, {
+ const jar = request.jar();
+ const result = await helpers.request('post', `/api/v3/topics`, {
 form: { title: 'just a title', cid: categoryObj.cid, content: 'content for the main post', },
+ jar: jar,
 json: true, });
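Review bot: The new `should fail to post a topic as guest with invalid csrf_token` test only exercises the invalid-token path; a guest API request with no `x-csrf-token` header at all is the case the old `requestType` calls were silently exercising, and every one of them is migrated to `helpers.request` in this commit, so nothing left in the file pins that it is now rejected too. A sibling case that drops the `headers` block and asserts the same `403` / `'Forbidden'` would cover it. `helpers.request` presumably obtains a CSRF token for the supplied jar, which is inferred from the migrated tests' expectations rather than visible here. As a point of style, `jar: jar,` in this hunk and in the `@@ -154,12 +178,14 @@` hunk below can use the property shorthand `jar,`.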
@@ -167,10 +193,11 @@ describe('Topic\'s', () => {
 assert.strictEqual(result.body.response.title, 'just a title'); assert.strictEqual(result.body.response.user.username, '[[global:guest]]');
- const replyResult = await requestType('post', `${nconf.get('url')}/api/v3/topics/${result.body.response.tid}`, {
+ const replyResult = await helpers.request('post', `/api/v3/topics/${result.body.response.tid}`, {
 form: { content: 'a reply by guest', },
+ jar: jar,
 json: true, }); assert.strictEqual(replyResult.body.response.content, 'a reply by guest');
@@ -186,13 +213,14 @@ describe('Topic\'s', () => {
 await privileges.categories.give(['groups:topics:reply'], categoryObj.cid, 'guests'); const oldValue = meta.config.allowGuestHandles; meta.config.allowGuestHandles = 1;
- const result = await requestType('post', `${nconf.get('url')}/api/v3/topics`, {
+ const result = await helpers.request('post', `/api/v3/topics`, {
 form: { title: 'just a title', cid: categoryObj.cid, content: 'content for the main post', handle: 'guest123', },
+ jar: request.jar(),
 json: true, });
@@ -201,11 +229,12 @@ describe('Topic\'s', () => {
 assert.strictEqual(result.body.response.user.username, 'guest123'); assert.strictEqual(result.body.response.user.displayname, 'guest123');
- const replyResult = await requestType('post', `${nconf.get('url')}/api/v3/topics/${result.body.response.tid}`, {
+ const replyResult = await helpers.request('post', `/api/v3/topics/${result.body.response.tid}`, {
 form: { content: 'a reply by guest', handle: 'guest124', },
+ jar: request.jar(),
 json: true, }); assert.strictEqual(replyResult.body.response.content, 'a reply by guest');
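Review bot: In the `@@ -186,13 +213,14 @@` and `@@ -201,11 +229,12 @@` hunks the topic post and its reply each get a fresh `request.jar()`, while the guest test in the first hunk threads a single `jar` through both calls; the inconsistency is worth removing. Declaring `const jar = request.jar();` once in the guest-handle test and passing `jar,` to both requests mirrors the earlier test and also makes the reply demonstrably come from the same guest session that created the topic. If the helper fetches a CSRF token per jar, the per-call jar presumably also costs an extra round-trip, though that is not visible in these hunks. The enclosing `it` bodies start and end outside the hunks.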
@@ -2715,7 +2744,10 @@ describe('Topic\'s', () => {
 it('should allow guests to reply if privilege is given', async () => { await privileges.categories.give(['groups:topics:schedule'], categoryObj.cid, 'guests');
- const response = await requestType('post', `${nconf.get('url')}/api/v3/topics/${topicData.tid}`, replyData);
+ const response = await helpers.request('post', `/api/v3/topics/${topicData.tid}`, {
+ ...replyData,
+ jar: request.jar(),
+ });
 assert.strictEqual(response.body.response.content, 'a reply by guest'); assert.strictEqual(response.body.response.user.username, '[[global:guest]]'); });