From 2f9d8c350e54543f608d3d4c8e1a49bbb6cdea38 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Wed, 9 Nov 2022 13:20:28 -0500
Subject: [PATCH] fix: pass csrf_token into calls to /register/abort, #11017
---
 test/api.js | 2 +-
 test/controllers.js | 6 ++++--
 test/user.js | 5 +++--
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/test/api.js b/test/api.js
index ab8094cc76..cc13650770 100644
--- a/test/api.js
+++ b/test/api.js
@@ -485,7 +485,7 @@ describe('API', async () => {
 const affectedPaths = ['GET /api/user/{userslug}/edit/email'];
 if (affectedPaths.includes(`${method.toUpperCase()} ${path}`)) {
 await request({
- uri: `${nconf.get('url')}/register/abort`,
+ uri: `${nconf.get('url')}/register/abort?_csrf=${csrfToken}`,
 method: 'POST',
 jar,
 simple: false,
diff --git a/test/controllers.js b/test/controllers.js
index bb7cdedc7b..f255380446 100644
--- a/test/controllers.js
+++ b/test/controllers.js
@@ -1237,8 +1237,10 @@ describe('Controllers', () => {
 describe('account pages', () => {
 let jar;
+ let csrf_token;
+
 before(async () => {
- ({ jar } = await helpers.loginUser('foo', 'barbar'));
+ ({ jar, csrf_token } = await helpers.loginUser('foo', 'barbar'));
 });
 it('should redirect to account page with logged in user', (done) => {
@@ -1802,7 +1804,7 @@ describe('Controllers', () => {
 assert.strictEqual(res.body, '/register/complete');
 await requestAsync({
- uri: `${nconf.get('url')}/register/abort`,
+ uri: `${nconf.get('url')}/register/abort?_csrf=${csrf_token}`,
 method: 'post',
 jar,
 simple: false,
diff --git a/test/user.js b/test/user.js
index 1a8971f258..176ee82827 100644
--- a/test/user.js
+++ b/test/user.js
@@ -814,6 +814,7 @@ describe('User', () => {
 describe('profile methods', () => {
 let uid;
 let jar;
+ let csrf_token;
 before(async () => {
 const newUid = await User.create({ username: 'updateprofile', email: 'update@me.com', password: '123456' });
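Review bot: The added `uri:` line in the test/api.js hunk carries the CSRF token in the query string (`?_csrf=`), which writes a per-session secret into access logs, proxy logs and any Referer sent from the resulting response; the header form avoids that and is what the browser client normally sends. Keep the original `/register/abort` URL and add `headers: { 'x-csrf-token': csrfToken }` to the request options, assuming the server's CSRF middleware reads that header (csurf-style middleware does, but confirm against the app's setup). The same query-string pattern is repeated in the test/controllers.js and test/user.js hunks of this commit. The enclosing `describe('API', …)` callback starts and ends outside the hunk.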
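Review bot: In the second test/controllers.js hunk (`@@ -1802,7 +1804,7 @@`) the abort POST on the changed `uri:` line still runs with `simple: false`, so a 403 from a missing or stale token does not reject and the reset this call exists to perform can fail silently — presumably how the pre-fix state went unnoticed until #11017. If `requestAsync` is request-promise, as `simple: false` suggests, capture the response with `resolveWithFullResponse: true` and add `assert.strictEqual(res.statusCode, 200);` so a regression in token handling surfaces in this test rather than in whichever later test depends on the reset. The enclosing `it` block starts before the hunk and ends after it.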
@@ -822,7 +823,7 @@ describe('User', () => {
 await User.setUserField(uid, 'email', 'update@me.com');
 await User.email.confirmByUid(uid);
- ({ jar } = await helpers.loginUser('updateprofile', '123456'));
+ ({ jar, csrf_token } = await helpers.loginUser('updateprofile', '123456'));
 });
 it('should return error if not logged in', async () => {
@@ -1287,7 +1288,7 @@ describe('User', () => {
 // Accessing this page will mark the user's account as needing an updated email, below code undo's.
 await requestAsync({
- uri: `${nconf.get('url')}/register/abort`,
+ uri: `${nconf.get('url')}/register/abort?_csrf=${csrf_token}`,
 jar,
 method: 'POST',
 simple: false,
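Review bot: The changed `uri:` line in the `@@ -1287,7 +1288,7 @@` hunk is the third hand-assembled copy of the same `/register/abort` POST this commit patches (test/api.js and test/controllers.js hold the other two), so the token-passing detail now lives in three test files and the next change to the CSRF mechanism has to find all of them. A small helper in test/helpers that takes the jar and token, performs the POST and returns the response would let each call site shrink to `await helpers.abortRegistration(jar, csrf_token);` and keep the transport choice (query string vs. header) in one place. The surrounding `it` block starts before the hunk and ends after it.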