type1fool
How to resolve "csrf_attack" failure when testing a Ueberauth controller?
@yordisprieto Firstly, shout out to you and the other maintainers for Ueberauth! Implementing Google OAuth was quite easy thanks to this package.
I’m attempting to write tests for the callback in a Phoenix application, and I can’t get past a Ueberauth.Failure.Error. I have been digging through docs for Ueberauth, Plug.Conn, and Phoenix.Controller, and I didn’t see any tests in ueberauth_example.
When the server is running, I can successfully authenticate with Google, so I’m just blocked on the test. My conn/controller chops are a little rusty since I’m usually writing LiveView code, so I wouldn’t be surprised if there’s a non-Ueberauth-specific solution here. I tried manually setting _csrf_token in the conn session before calling get/2, but that didn’t work.
How does one put a CSRF token on a conn during testing?
Test code
```elixir
defmodule MyAppWeb.AuthenticationTest do
  @moduledoc false
  alias MyApp.AuthenticationFixtures
  alias MyApp.Identity.User
  alias MyApp.IdentityFixtures
  use MyAppWeb.ConnCase, async: true
  use Plug.Test

  describe "callback/2" do
    test "starts session for valid user", %{conn: conn} do
      %User{email: email} = IdentityFixtures.user_fixture()
      auth = AuthenticationFixtures.auth_attrs(email: email)
      conn = get(conn, ~p"/auth/google/callback", ueberauth_auth: auth)
      assert redirected_to(conn, 302) == ~p"/"
    end
  end
end
```
Error
```elixir
%Ueberauth.Failure{
  provider: :google,
  strategy: Ueberauth.Strategy.Google,
  errors: [
    %Ueberauth.Failure.Error{
      message_key: "csrf_attack",
      message: "Cross-Site Request Forgery attack"
    }
  ]
}
```
Most Liked
yordisprieto
Hey, sorry for the delay, I was on vacation until now.
Adding a cookie called ueberauth.state_param (ueberauth/lib/ueberauth/strategy.ex at ede44472dd1a331c12f089d47da96067523457d1 · ueberauth/ueberauth · GitHub) would work.
Adding that cookie as part of the request again so that the following check passes ueberauth/lib/ueberauth/strategy.ex at ede44472dd1a331c12f089d47da96067523457d1 · ueberauth/ueberauth · GitHub
yordisprieto
Honestly, by now, I wish to redo Ueberauth; you are not the only one with a skill issue.
I need to dig more into it. I also remember that I did not decide to make the state generator be able to be deterministic (meaning swap the implementation in testing) to keep things simple; I guess it is time to add such a thing.
I need to find the time to help you on this one, and probably help the entire ueberauth ecosystem.
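The cookie approach from the first reply, written out as a test. This is an added example, not code from the thread or from Ueberauth itself. It assumes the linked check compares the `state` request parameter with the `ueberauth.state_param` cookie; the module and route names are reused from the question, and the state values and the `csrf_failure?/1` helper are constructed for illustration.

```elixir
defmodule MyAppWeb.AuthenticationStateTest do
  @moduledoc false
  use MyAppWeb.ConnCase, async: true

  # Cookie name from the reply above. The "state" parameter is the standard
  # OAuth2 one and is assumed to be what the linked check reads.
  @state_cookie "ueberauth.state_param"

  describe "callback/2 state check" do
    test "matching cookie and state param pass the CSRF check", %{conn: conn} do
      state = "constructed-test-state"

      conn =
        conn
        |> Plug.Test.put_req_cookie(@state_cookie, state)
        |> get(~p"/auth/google/callback", %{"state" => state})

      # Only the state check is asserted here. No "code" param is sent, so the
      # strategy may still report a different, non-CSRF failure.
      refute csrf_failure?(conn)
    end

    test "mismatched state is still rejected", %{conn: conn} do
      conn =
        conn
        |> Plug.Test.put_req_cookie(@state_cookie, "constructed-state-a")
        |> get(~p"/auth/google/callback", %{"state" => "constructed-state-b"})

      assert csrf_failure?(conn)
    end

    test "missing cookie is still rejected", %{conn: conn} do
      conn = get(conn, ~p"/auth/google/callback", %{"state" => "constructed-state-a"})
      assert csrf_failure?(conn)
    end
  end

  # Hypothetical helper: true when Ueberauth recorded the "csrf_attack" error.
  defp csrf_failure?(conn) do
    case conn.assigns[:ueberauth_failure] do
      %Ueberauth.Failure{errors: errors} ->
        Enum.any?(errors, &(&1.message_key == "csrf_attack"))

      _ ->
        false
    end
  end
end
```

The two negative tests keep the state check itself under test, so a change that silently disables it in the test environment would be caught.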







