device-bound-session-credentials/refresh-replaces-config.https.html - external/github.com/web-platform-tests/wpt - Git at Google

 <!DOCTYPE html>
 <meta charset="utf-8">
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script src="helper.js" type="module"></script>

 <script type="module">
   import { expireCookie, waitForCookie, addCookieAndSessionCleanup, configureServer, setupShardedServerState, documentHasCookie } from "./helper.js";

   promise_test(async t => {
     await setupShardedServerState();
     const expectedCookieAndValue1 = "auth_cookie=abcdef0123";
     const expectedCookieAndAttributes1 = `${expectedCookieAndValue1};Domain=${location.hostname};Path=/device-bound-session-credentials`;
     const expectedCookieAndValue2 = "other_cookie=ghijkl4567";
     const expectedCookieAndAttributes2 = `${expectedCookieAndValue2};Domain=${location.hostname};Path=/device-bound-session-credentials`;
     addCookieAndSessionCleanup(t);

     // Prompt starting a session, and wait until registration completes.
     const loginResponse = await fetch('login.py');
     assert_equals(loginResponse.status, 200);
     await waitForCookie(expectedCookieAndValue1, /*expectCookie=*/true);

     // Confirm that a request has the cookie set.
     const authResponse = await fetch('verify_authenticated.py');
     assert_equals(authResponse.status, 200);
     // Confirm that a request does not have alternate cookie set.
     const alternateAuthResponse = await fetch('verify_authenticated.py', {
       method: 'POST',
       body: expectedCookieAndValue2
     });
     assert_equals(alternateAuthResponse.status, 403);

     // Configure server to change the cookie in the session config on next refresh.
     await configureServer({ cookieDetails: [{ nameAndValue: expectedCookieAndValue2 }] });

     // Expire the first cookie and send a request, which triggers the refresh with the new session config.
     expireCookie(expectedCookieAndAttributes1);
     assert_false(documentHasCookie(expectedCookieAndValue1));
     const authResponseAfterExpiry1 = await fetch('verify_authenticated.py');
     assert_equals(authResponseAfterExpiry1.status, 403);
     assert_false(documentHasCookie(expectedCookieAndValue1));

     // Confirm the alternate cookie is set and included in requests. This should
     // not trigger refresh. Note that because a session can only refresh a
     // request once, if the refresh endpoint is correctly setting cookies for
     // the new config, but the browser rejects the config, it won't be visible
     // from the cookie state. Terminating the session if it refreshes when it
     // shouldn't creates a state change we can see.
     await configureServer({ shouldRefreshEndSession: true });
     assert_true(documentHasCookie(expectedCookieAndValue2));
     const alternateAuthResponseAfterExpiry1 = await fetch('verify_authenticated.py', {
       method: 'POST',
       body: expectedCookieAndValue2
     });
     assert_equals(alternateAuthResponseAfterExpiry1.status, 200);

     // Restore the server configuration so we can test that the new config does
     // refresh when expected.
     await configureServer({ shouldRefreshEndSession: false });

     // Expire the second cookie. Confirm the second cookie is refreshed, and not the first.
     expireCookie(expectedCookieAndAttributes2);
     assert_false(documentHasCookie(expectedCookieAndValue2));
     const alternateAuthResponseAfterExpiry2 = await fetch('verify_authenticated.py', {
       method: 'POST',
       body: expectedCookieAndValue2
     });
     assert_equals(alternateAuthResponseAfterExpiry2.status, 200);
     assert_true(documentHasCookie(expectedCookieAndValue2));
     assert_false(documentHasCookie(expectedCookieAndValue1));
   }, "Refresh can replace session config");

   promise_test(async t => {
     await setupShardedServerState();
     const expectedCookieAndValue = "auth_cookie=abcdef0123";
     const expectedCookieAndAttributes = `${expectedCookieAndValue};Domain=${location.hostname};Path=/device-bound-session-credentials`;
     addCookieAndSessionCleanup(t);

     // Prompt starting a session, and wait until registration completes.
     const loginResponse = await fetch('login.py');
     assert_equals(loginResponse.status, 200);
     await waitForCookie(expectedCookieAndValue, /*expectCookie=*/true);

     // Confirm that a request has the cookie set.
     const authResponse = await fetch('verify_authenticated.py');
     assert_equals(authResponse.status, 200);

     // Configure server to change the session identifier in the session config on next refresh.
     await configureServer({ responseSessionIdOverride: 12345 });

     // Expire the first cookie and send a request, which triggers the refresh with the new session config.
     expireCookie(expectedCookieAndAttributes);
     assert_false(documentHasCookie(expectedCookieAndValue));
     const authResponseAfterExpiry = await fetch('verify_authenticated.py');

     // The first refresh request will give us a new cookie, but will also cause the session to be terminated.
     assert_true(documentHasCookie(expectedCookieAndValue));
     assert_equals(authResponseAfterExpiry.status, 200);

     // Now that the session is terminated, refresh should not give us a new cookie.
     expireCookie(expectedCookieAndAttributes);
     assert_false(documentHasCookie(expectedCookieAndValue));
     const authResponseAfterTermination = await fetch('verify_authenticated.py');
     assert_equals(authResponseAfterTermination.status, 403);

     // Because refresh failed, we still do not have the cookie
     assert_false(documentHasCookie(expectedCookieAndValue));
   }, "Refresh cannot replace session identifier");
 </script>
	<!DOCTYPE html>
	<meta charset="utf-8">
	<script src="/resources/testharness.js"></script>
	<script src="/resources/testharnessreport.js"></script>
	<script src="helper.js" type="module"></script>

	<script type="module">
	import { expireCookie, waitForCookie, addCookieAndSessionCleanup, configureServer, setupShardedServerState, documentHasCookie } from "./helper.js";

	promise_test(async t => {
	await setupShardedServerState();
	const expectedCookieAndValue1 = "auth_cookie=abcdef0123";
	const expectedCookieAndAttributes1 = `${expectedCookieAndValue1};Domain=${location.hostname};Path=/device-bound-session-credentials`;
	const expectedCookieAndValue2 = "other_cookie=ghijkl4567";
	const expectedCookieAndAttributes2 = `${expectedCookieAndValue2};Domain=${location.hostname};Path=/device-bound-session-credentials`;
	addCookieAndSessionCleanup(t);

	// Prompt starting a session, and wait until registration completes.
	const loginResponse = await fetch('login.py');
	assert_equals(loginResponse.status, 200);
	await waitForCookie(expectedCookieAndValue1, /expectCookie=/true);

	// Confirm that a request has the cookie set.
	const authResponse = await fetch('verify_authenticated.py');
	assert_equals(authResponse.status, 200);
	// Confirm that a request does not have alternate cookie set.
	const alternateAuthResponse = await fetch('verify_authenticated.py', {
	method: 'POST',
	body: expectedCookieAndValue2
	});
	assert_equals(alternateAuthResponse.status, 403);

	// Configure server to change the cookie in the session config on next refresh.
	await configureServer({ cookieDetails: [{ nameAndValue: expectedCookieAndValue2 }] });

	// Expire the first cookie and send a request, which triggers the refresh with the new session config.
	expireCookie(expectedCookieAndAttributes1);
	assert_false(documentHasCookie(expectedCookieAndValue1));
	const authResponseAfterExpiry1 = await fetch('verify_authenticated.py');
	assert_equals(authResponseAfterExpiry1.status, 403);
	assert_false(documentHasCookie(expectedCookieAndValue1));

	// Confirm the alternate cookie is set and included in requests. This should
	// not trigger refresh. Note that because a session can only refresh a
	// request once, if the refresh endpoint is correctly setting cookies for
	// the new config, but the browser rejects the config, it won't be visible
	// from the cookie state. Terminating the session if it refreshes when it
	// shouldn't creates a state change we can see.
	await configureServer({ shouldRefreshEndSession: true });
	assert_true(documentHasCookie(expectedCookieAndValue2));
	const alternateAuthResponseAfterExpiry1 = await fetch('verify_authenticated.py', {
	method: 'POST',
	body: expectedCookieAndValue2
	});
	assert_equals(alternateAuthResponseAfterExpiry1.status, 200);

	// Restore the server configuration so we can test that the new config does
	// refresh when expected.
	await configureServer({ shouldRefreshEndSession: false });

	// Expire the second cookie. Confirm the second cookie is refreshed, and not the first.
	expireCookie(expectedCookieAndAttributes2);
	assert_false(documentHasCookie(expectedCookieAndValue2));
	const alternateAuthResponseAfterExpiry2 = await fetch('verify_authenticated.py', {
	method: 'POST',
	body: expectedCookieAndValue2
	});
	assert_equals(alternateAuthResponseAfterExpiry2.status, 200);
	assert_true(documentHasCookie(expectedCookieAndValue2));
	assert_false(documentHasCookie(expectedCookieAndValue1));
	}, "Refresh can replace session config");

	promise_test(async t => {
	await setupShardedServerState();
	const expectedCookieAndValue = "auth_cookie=abcdef0123";
	const expectedCookieAndAttributes = `${expectedCookieAndValue};Domain=${location.hostname};Path=/device-bound-session-credentials`;
	addCookieAndSessionCleanup(t);

	// Prompt starting a session, and wait until registration completes.
	const loginResponse = await fetch('login.py');
	assert_equals(loginResponse.status, 200);
	await waitForCookie(expectedCookieAndValue, /expectCookie=/true);

	// Confirm that a request has the cookie set.
	const authResponse = await fetch('verify_authenticated.py');
	assert_equals(authResponse.status, 200);

	// Configure server to change the session identifier in the session config on next refresh.
	await configureServer({ responseSessionIdOverride: 12345 });

	// Expire the first cookie and send a request, which triggers the refresh with the new session config.
	expireCookie(expectedCookieAndAttributes);
	assert_false(documentHasCookie(expectedCookieAndValue));
	const authResponseAfterExpiry = await fetch('verify_authenticated.py');

	// The first refresh request will give us a new cookie, but will also cause the session to be terminated.
	assert_true(documentHasCookie(expectedCookieAndValue));
	assert_equals(authResponseAfterExpiry.status, 200);

	// Now that the session is terminated, refresh should not give us a new cookie.
	expireCookie(expectedCookieAndAttributes);
	assert_false(documentHasCookie(expectedCookieAndValue));
	const authResponseAfterTermination = await fetch('verify_authenticated.py');
	assert_equals(authResponseAfterTermination.status, 403);

	// Because refresh failed, we still do not have the cookie
	assert_false(documentHasCookie(expectedCookieAndValue));
	}, "Refresh cannot replace session identifier");
	</script>