<!DOCTYPE html>
<meta charset="utf-8">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="helper.js" type="module"></script>

<script type="module">
import { expireCookie, waitForCookie, addCookieAndSessionCleanup, configureServer, setupShardedServerState, documentHasCookie } from "./helper.js";

// Path attribute shared by every session cookie these tests expire.
const COOKIE_PATH = "/device-bound-session-credentials";

// Builds the `name=value;Domain=...;Path=...` string expireCookie() expects
// from a bare `name=value` pair.
const withAttributes = (nameAndValue) =>
  `${nameAndValue};Domain=${location.hostname};Path=${COOKIE_PATH}`;

// Hits the verification endpoint. Without `body` this is a plain GET; with
// `body` it is a POST carrying that string (presumably telling the server
// which cookie to look for — the exact semantics live in
// verify_authenticated.py, not here).
const verify = (body) =>
  body === undefined
    ? fetch('verify_authenticated.py')
    : fetch('verify_authenticated.py', { method: 'POST', body });

// Starts a session through login.py and blocks until the session cookie
// `nameAndValue` has been set.
async function startSession(nameAndValue) {
  const loginResponse = await fetch('login.py');
  assert_equals(loginResponse.status, 200);
  await waitForCookie(nameAndValue, /*expectCookie=*/true);
}

// Expires `nameAndValue` client-side and checks it is really gone before the
// caller sends the request that is supposed to trigger a refresh.
function expireAndCheckGone(nameAndValue) {
  expireCookie(withAttributes(nameAndValue));
  assert_false(documentHasCookie(nameAndValue));
}

promise_test(async t => {
  await setupShardedServerState();
  const firstCookie = "auth_cookie=abcdef0123";
  const secondCookie = "other_cookie=ghijkl4567";
  addCookieAndSessionCleanup(t);

  // Register a session whose initial config covers the first cookie.
  await startSession(firstCookie);

  // Requests carry the first cookie; the second one is not set yet.
  const authResponse = await verify();
  assert_equals(authResponse.status, 200);
  const alternateAuthResponse = await verify(secondCookie);
  assert_equals(alternateAuthResponse.status, 403);

  // The next refresh hands out a config that names the second cookie instead.
  await configureServer({ cookieDetails: [{ nameAndValue: secondCookie }] });

  // Expiring the first cookie makes the next request refresh with the new
  // config. The request is expected to come back 403 and the first cookie to
  // stay absent, since the refreshed config no longer provides it.
  expireAndCheckGone(firstCookie);
  const authResponseAfterExpiry1 = await verify();
  assert_equals(authResponseAfterExpiry1.status, 403);
  assert_false(documentHasCookie(firstCookie));

  // The second cookie should now be present and sent without a further
  // refresh. A session only refreshes a request once, so if the refresh
  // endpoint did set cookies for the new config but the browser rejected
  // that config, the cookie state alone would not reveal it. Making an
  // unexpected refresh terminate the session turns it into a state change
  // we can observe.
  await configureServer({ shouldRefreshEndSession: true });
  assert_true(documentHasCookie(secondCookie));
  const alternateAuthResponseAfterExpiry1 = await verify(secondCookie);
  assert_equals(alternateAuthResponseAfterExpiry1.status, 200);

  // Put the server back so a legitimate refresh of the new config can succeed.
  await configureServer({ shouldRefreshEndSession: false });

  // Expire the second cookie: the refresh must restore it, and only it.
  expireAndCheckGone(secondCookie);
  const alternateAuthResponseAfterExpiry2 = await verify(secondCookie);
  assert_equals(alternateAuthResponseAfterExpiry2.status, 200);
  assert_true(documentHasCookie(secondCookie));
  assert_false(documentHasCookie(firstCookie));
}, "Refresh can replace session config");

promise_test(async t => {
  await setupShardedServerState();
  const cookie = "auth_cookie=abcdef0123";
  addCookieAndSessionCleanup(t);

  // Register a session and check its cookie is sent.
  await startSession(cookie);
  const authResponse = await verify();
  assert_equals(authResponse.status, 200);

  // The next refresh response will carry a different session identifier.
  await configureServer({ responseSessionIdOverride: 12345 });

  // Expire the cookie and send a request, which refreshes with the
  // overridden identifier.
  expireAndCheckGone(cookie);
  const authResponseAfterExpiry = await verify();

  // That first refresh still yields a cookie, but it is also expected to
  // terminate the session: a refresh must not re-bind it to another
  // identifier.
  assert_true(documentHasCookie(cookie));
  assert_equals(authResponseAfterExpiry.status, 200);

  // With the session terminated, expiring the cookie again must not get it
  // refreshed.
  expireAndCheckGone(cookie);
  const authResponseAfterTermination = await verify();
  assert_equals(authResponseAfterTermination.status, 403);

  // The failed refresh leaves us without the cookie.
  assert_false(documentHasCookie(cookie));
}, "Refresh cannot replace session identifier");
</script>