SAP · tsaleksandrova · Feb 8, 2021 · Mar 2, 2021 · maximnaidenov · Mar 4, 2021
diff --git a/docs/usage/api.md b/docs/usage/api.md
@@ -58,6 +58,9 @@ request.get(restServiceMockUrl +'/usersWithAuth')
   .auth('<user>','<password>').do();
 ```
 
+## CSRF Tokens
+// ---todo
+
 # OData Helpers
 Full OData ORM is out of scope but the following samples can simplify basic OData scenarios. For better oData support, please use [TBD]().
 

diff --git a/e2e/scenario/api.spec.js b/e2e/scenario/api.spec.js
@@ -10,7 +10,7 @@ describe('API tests', function() {
             appMock = app;
         })
     });
-    
+
     afterAll(() => {
         appMock.server.close();
     });

diff --git a/e2e/scenario/fixture/api.spec.js b/e2e/scenario/fixture/api.spec.js
@@ -77,5 +77,23 @@ describe('api', function() {
     var res = request.get(restServiceMockUrl +'/usersWithAuth').auth('testUser','testPass');
     expect(res).toHaveHTTPBody({status: 'Authenticated'});
   });
-
+
+  it('Should set csrf token', function () {
+    request.post(restServiceMockUrl + '/form').send({
+      field: 'value'
+    }).do().catch(function (err) {
+      expect(err.status).toBe(403);
+    });
+
+    request.authenticate(new CsrfAuthenticator({
+      csrfFetchUrl: restServiceMockUrl + '/form'
+    }));
+
+    request.post(restServiceMockUrl + '/form').send({
+      field: 'value'
+    }).do().then(function (res) {
+      expect(res.status).toBe(200);
+    });
+  });
+
 });
diff --git a/e2e/scenario/fixture/mock/apiServiceMock.js b/e2e/scenario/fixture/mock/apiServiceMock.js
@@ -1,8 +1,14 @@
 var express = require('express');
-var bodyParser = require('body-parser')
+var bodyParser = require('body-parser');
+var cookieParser = require('cookie-parser');
+var csrf = require('csurf');
 
 module.exports = function() {
   var app = express();
+  // will also use a _csrf cookie (secret) and validate against it
+  var csrfProtection = csrf({
+    cookie: true
+  });
 
   var response = 1;
   app.get('/user/', function(req, res) {
@@ -68,5 +74,32 @@ module.exports = function() {
     res.send({deleted: req.params.user});
   });
 
+  app.use(cookieParser());
+  app.use(function (err, req, res, next) {
+    if (err.code === 'EBADCSRFTOKEN') {
+      // CSRF token error
+      res.status(403);
+      res.send('form tampered with');
+    } else {
+      return next();
+    }
+  });
+
+  app.get('/form', csrfProtection, function (req, res) {
+    if (req.headers['x-csrf-token'].toLowerCase() === 'fetch') {
+      var csrfToken = req.csrfToken();
+      res.set('x-csrf-token', csrfToken);
+      res.send({
+        csrfToken: csrfToken
+      });
+    } else {
+      res.sendStatus(200);
+    }
+  });
+
+  app.post('/form', csrfProtection, function (req, res) {
+    res.send('data is being processed')
+  });
+
   return app;
 };
diff --git a/e2e/scenario/fixture/mock/mockServer.js b/e2e/scenario/fixture/mock/mockServer.js
@@ -0,0 +1,4 @@
+var Runner = require('../../../Runner');
+var restServiceMock = require('./apiServiceMock');
+
+Runner.startApp(restServiceMock);
diff --git a/package.json b/package.json
@@ -29,6 +29,8 @@
     "yargs": "^3.8.0"
   },
   "devDependencies": {
+    "cookie-parser": "^1.4.5",
+    "csurf": "^1.11.0",
     "eslint": "^5.2.0",
     "express": "^4.13.4",
     "grunt": "^1.0.2",

diff --git a/src/api/csrfAuthenticator.js b/src/api/csrfAuthenticator.js
@@ -0,0 +1,39 @@
+var logger = require('../logger')(3);
+
+var CSRF_HEADER = 'x-csrf-token';
+
+function CsrfAuthenticator(options){
+  options = options || {};
+  this.user = options.user;
+  this.pass = options.pass;
+  this.csrfHeader = options.csrfHeader;
+  this.csrfFetchUrl = options.csrfFetchUrl;
+}
+
+CsrfAuthenticator.prototype.authenticate = function () {
+  var that = this;
+  if (this.csrfFetchUrl) {
+    return request.get(this.csrfFetchUrl)
+      .set(CSRF_HEADER, 'Fetch')
+      .do()
+      .then(function (res) {
+        if (res.headers[CSRF_HEADER]) {
+          that.csrfHeader = res.headers[CSRF_HEADER];
+        } else {
+          logger.error('Cannot generate CSRF token: missing X-CSRF-Token header');
+        }
+      }).catch(function (err) {
+        logger.error('Error in generating CSRF token. Details: ' + err);
+      });
+  }
+};
+
+CsrfAuthenticator.prototype.modifyCall = function (req) {
+  if (this.csrfHeader) {
+    req.set(CSRF_HEADER, this.csrfHeader);
+  }
+  // superagent will add the cookies e.g. _csrf cookie
+  return req;
+};
+
+module.exports = CsrfAuthenticator;
diff --git a/src/api/requestPlugin.js b/src/api/requestPlugin.js
@@ -1,5 +1,5 @@
 var superagent = require('superagent');
-
+var CsrfAuthenticator = require('./csrfAuthenticator');
 function RequestPlugin() {
 
 }
@@ -16,7 +16,20 @@ RequestPlugin.prototype.setup = function() {
     };
   };
 
-  global.request = superagent.agent().use(flow);
+  var request = superagent.agent().use(flow);
+
+  request.authenticate = function (authenticator) {
+    var originalPost = request.post;
+    request.post = function () {
+      authenticator.modifyCall(this);
+      return originalPost.apply(this, arguments);
+    };
+
+    return authenticator.authenticate();
+  };
+
+  global.request = request;
+  global.CsrfAuthenticator = CsrfAuthenticator;
 };
 
 module.exports = function () {