Add missing validation on token refresh mutation (saleor#8288)

legendofporg · Oct 6, 2021 · 34cbc95 · 34cbc95
1 parent 4645ae9
commit 34cbc95
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 4 deletions.
diff --git a/saleor/graphql/account/mutations/authentication.py b/saleor/graphql/account/mutations/authentication.py
@@ -185,7 +185,7 @@ def clean_refresh_token(cls, refresh_token):
         if not refresh_token:
             raise ValidationError(
                 {
-                    "refreshToken": ValidationError(
+                    "refresh_token": ValidationError(
                         "Missing refreshToken",
                         code=AccountErrorCode.JWT_MISSING_TOKEN.value,
                     )
@@ -195,7 +195,7 @@ def clean_refresh_token(cls, refresh_token):
         if payload["type"] != JWT_REFRESH_TYPE:
             raise ValidationError(
                 {
-                    "refreshToken": ValidationError(
+                    "refresh_token": ValidationError(
                         "Incorrect refreshToken",
                         code=AccountErrorCode.JWT_INVALID_TOKEN.value,
                     )
@@ -205,11 +205,21 @@ def clean_refresh_token(cls, refresh_token):
 
     @classmethod
     def clean_csrf_token(cls, csrf_token, payload):
+        if not csrf_token:
+            msg = "CSRF token is required when refreshToken is provided by the cookie"
+            raise ValidationError(
+                {
+                    "csrf_token": ValidationError(
+                        msg,
+                        code=AccountErrorCode.REQUIRED.value,
+                    )
+                }
+            )
         is_valid = _compare_masked_tokens(csrf_token, payload["csrfToken"])
         if not is_valid:
             raise ValidationError(
                 {
-                    "csrfToken": ValidationError(
+                    "csrf_token": ValidationError(
                         "Invalid csrf token",
                         code=AccountErrorCode.JWT_INVALID_CSRF_TOKEN.value,
                     )
@@ -221,7 +231,7 @@ def get_user(cls, payload):
         try:
             user = get_user(payload)
         except ValidationError as e:
-            raise ValidationError({"refreshToken": e})
+            raise ValidationError({"refresh_token": e})
         return user
 
     @classmethod

diff --git a/saleor/graphql/account/tests/mutations/test_token_refresh.py b/saleor/graphql/account/tests/mutations/test_token_refresh.py
@@ -20,6 +20,7 @@
             token
             errors{
               code
+              field
             }
         }
     }
@@ -128,6 +129,26 @@ def test_access_app_token_used_as_a_refresh_token(api_client, app, customer_user
     assert errors[0]["code"] == AccountErrorCode.JWT_INVALID_TOKEN.name
 
 
+def test_refresh_token_get_token_missing_csrf_token(api_client, customer_user):
+    csrf_token = _get_new_csrf_token()
+    refresh_token = create_refresh_token(customer_user, {"csrfToken": csrf_token})
+    variables = {"token": None}
+    api_client.cookies[JWT_REFRESH_TOKEN_COOKIE_NAME] = refresh_token
+    api_client.cookies[JWT_REFRESH_TOKEN_COOKIE_NAME]["httponly"] = True
+    response = api_client.post_graphql(MUTATION_TOKEN_REFRESH, variables)
+    content = get_graphql_content(response)
+
+    data = content["data"]["tokenRefresh"]
+    errors = data["errors"]
+
+    token = data.get("token")
+    assert not token
+
+    assert len(errors) == 1
+    assert errors[0]["code"] == AccountErrorCode.REQUIRED.name
+    assert errors[0]["field"] == "csrfToken"
+
+
 def test_refresh_token_get_token_incorrect_csrf_token(api_client, customer_user):
     csrf_token = _get_new_csrf_token()
     refresh_token = create_refresh_token(customer_user, {"csrfToken": csrf_token})