haskell/yesod
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update API documentation to take the nonce/token switchover into account.

Browse Source
This commit is contained in:
Maximilian Tagher 2015-01-27 19:55:36 -08:00
parent 94af9c6bdd
commit e26f6f5fbe
1 changed files with 12 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
yesod-test/Yesod/Test.hs
View File

@ -16,9 +16,9 @@ visited page. You can perform assertions on the content of HTML responses,
using CSS selectors to explore the document more easily.
You can also easily build requests using forms present in the current page.
This is very useful for testing web applications built in yesod for example,
were your forms may have field names generated by the framework or a randomly
generated '_token' field.
This is very useful for testing web applications built in yesod, for example,
where your forms may have field names generated by the framework or a randomly
generated CSRF token input.
Your database is also directly available so you can use 'runDB' to set up
backend pre-conditions, or to assert that your session is having the desired effect.
@ -66,13 +66,13 @@ module Yesod.Test
, byLabel
, fileByLabel
-- *** Nonces
-- *** CSRF Tokens
-- | In order to prevent CSRF exploits, yesod-form adds a hidden input
-- to your forms with the name "_token". This token is a randomly generated,
-- per-session value called a /nonce/.
-- per-session value.
--
-- In order to prevent your forms from being rejected in tests, use one of
-- these functions to add the nonce to your request.
-- these functions to add the token to your request.
, addToken
, addToken_
, addNonce
@ -565,13 +565,13 @@ addNonce :: RequestBuilder site ()
addNonce = addToken
{-# DEPRECATED addNonce "Use 'addToken' instead; 'addNonce' will be removed in the next major version. Reasoning: Yesod's CSRF tokens are not actually nonces (one-time values), so yesod-form moved to calling them tokens instead. yesod-test is now using the word token as well. See https://github.com/yesodweb/yesod/issues/914 for details." #-}
-- | Lookup a _token form field and add its value to the params.
-- Receives a CSS selector that should resolve to the form element containing the nonce.
-- | Lookups the hidden input named "_token" and adds its value to the params.
-- Receives a CSS selector that should resolve to the form element containing the token.
--
-- ==== __Examples__
--
-- > request $ do
-- > addNonce_ "#formID"
-- > addToken_ "#formID"
addToken_ :: Query -> RequestBuilder site ()
addToken_ scope = do
matches <- htmlQuery' rbdResponse $ scope <> "input[name=_token][type=hidden][value]"
@ -580,13 +580,12 @@ addToken_ scope = do
element:[] -> addPostParam "_token" $ head $ attribute "value" $ parseHTML element
_ -> failure $ "More than one CSRF token found in the page"
-- | Lookup a _token form field and add its value to the params.
-- Receives a CSS selector that should resolve to the form element containing the nonce.
-- | For responses that display a single form, just lookup the only CSRF token available.
--
-- ==== __Examples__
--
-- > request $ do
-- > addNonce_ "#formID"
-- > addToken
addToken :: RequestBuilder site ()
addToken = addToken_ ""
@ -712,7 +711,7 @@ addRequestHeader header = ST.modify $ \rbd -> rbd
-- ==== __Examples__
--
-- > request $ do
-- > addNonce
-- > addToken
-- > byLabel "First Name" "Felipe"
-- > setMethod "PUT"
-- > setUrl NameR