>
> But if you're going to write a Facebook killer, you'll be missing a way
> to test protected parts of your site because it's hard to calculate
> cookies manually.
>
Which is why you don't create cookies manually, the client side is not
supposed to touch them.
> Right now it's impossible (or very hard) to test what's going on because
> routes are protected (we have to encrypt cookie manually and get somehow
> a csrf_token)
>
No, you are not supposed to do that, those are artificial test cases that
have no relation to what your users see in the real world.
> Of course, you can do something like this (a weird way):
>
> # log in and find csrf_token in the html output
> $t->get_ok('/')->post_ok('/login', form => {pass => 'pass', login => 'login'});
> my $csrf = $t->ua->get('/')->res->dom->at('#csrf')->text;
>
But this is a realistic test, you are actually testing what your users are
working with. Many applications specifically set the X-CSRF-Token header to
make life easier for API clients.
--
sebastian
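
The realistic test described in the reply above, written out as an added example (not code from the original thread or from the Mojolicious project). The demo app, its routes, credentials, the `#csrf` element and the choice to echo the token in an `X-CSRF-Token` response header are assumptions made for illustration.

```perl
use Mojolicious::Lite;
use Test::More;
use Test::Mojo;

# Constructed demo app: routes, credentials and the #csrf element are assumptions.
app->secrets(['constructed-test-secret']);
app->log->level('fatal');

get '/' => sub {
  my $c = shift;
  # Expose the token in the page and in a response header for API clients
  $c->res->headers->header('X-CSRF-Token' => $c->csrf_token);
  $c->render(inline => '<span id="csrf"><%= csrf_token %></span>');
};

post '/login' => sub {
  my $c  = shift;
  my $ok = ($c->param('login') // '') eq 'login' && ($c->param('pass') // '') eq 'pass';
  $c->session(user => 'login') if $ok;
  $c->render(text => $ok ? 'welcome' : 'denied', status => $ok ? 200 : 403);
};

post '/profile' => sub {
  my $c = shift;
  return $c->render(text => 'login required', status => 401) unless $c->session('user');
  # csrf_protect compares the submitted token with the one stored in the session
  return $c->render(text => 'bad csrf token', status => 403)
    if $c->validation->csrf_protect->has_error('csrf_token');
  $c->render(text => 'saved');
};

my $t = Test::Mojo->new;

# The protected route rejects anonymous requests and token-less requests
$t->post_ok('/profile' => form => {name => 'x'})->status_is(401);
$t->post_ok('/login' => form => {login => 'login', pass => 'pass'})->status_is(200);
$t->post_ok('/profile' => form => {name => 'x'})->status_is(403);

# Read the token the way a browser or API client would: from the served page
$t->get_ok('/')->status_is(200)->element_exists('#csrf');
my $csrf = $t->tx->res->dom->at('#csrf')->text;
is $t->tx->res->headers->header('X-CSRF-Token'), $csrf, 'header matches page token';

# Submit it as a form field, then as a request header
$t->post_ok('/profile' => form => {name => 'x', csrf_token => $csrf})
  ->status_is(200)->content_is('saved');
$t->post_ok('/profile' => {'X-CSRF-Token' => $csrf} => form => {name => 'x'})
  ->status_is(200);

done_testing;
```

The session cookie is never built by hand: the `Test::Mojo` user agent keeps it in its cookie jar across requests, exactly as a browser would.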