From 29d0a28e3047e48f69a43388f24d6f87b9f4956d Mon Sep 17 00:00:00 2001
From: Erik Aker
Date: Wed, 15 Apr 2020 08:03:23 -0700
Subject: [PATCH] ADd failing test representing cookie parsing failing
---
 tests/test_requests.py | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/tests/test_requests.py b/tests/test_requests.py
index 3381249e24..a63adb22a7 100644
--- a/tests/test_requests.py
+++ b/tests/test_requests.py
@@ -296,6 +296,40 @@ async def app(scope, receive, send):
 assert response.json() == {"cookies": {}}
 
 
+def test_cookie_lenient_parsing():
+ """
+ The following test is based on a cookie set by Okta, a well-known authorization service.
+ It turns out that it's common practice to set cookies that would be invalid according to
+ the spec.
+ """
+ tough_cookie = (
+ "provider-oauth-nonce=validAsciiblabla; "
+ 'okta-oauth-redirect-params={"responseType":"code","state":"somestate",'
+ '"nonce":"somenonce","scopes":["openid","profile","email","phone"],'
+ '"urls":{"issuer":"https://subdomain.okta.com/oauth2/authServer",'
+ '"authorizeUrl":"https://subdomain.okta.com/oauth2/authServer/v1/authorize",'
+ '"userinfoUrl":"https://subdomain.okta.com/oauth2/authServer/v1/userinfo"}}; '
+ "importantCookie=importantValue; sessionCookie=importantSessionValue"
+ )
+ expected_keys = {
+ "importantCookie",
+ "okta-oauth-redirect-params",
+ "okta-oauth-state",
+ "sessionCookie",
+ }
+
+ async def app(scope, receive, send):
+ request = Request(scope, receive)
+ response = JSONResponse({"cookies": request.cookies})
+ await response(scope, receive, send)
+
+ client = TestClient(app)
+ response = client.get("/", headers={"cookie": tough_cookie})
+ result = response.json()
+ assert len(result) == 4
+ assert set(result.keys()) == expected_keys
+
+
 def test_chunked_encoding():
 async def app(scope, receive, send):
 request = Request(scope, receive)
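Review bot: The two closing assertions in `test_cookie_lenient_parsing` cannot pass even once cookie parsing is lenient, so the test fails for a reason unrelated to the parser. `result` is the whole JSON body, which the app wraps in a single `cookies` key (`JSONResponse({"cookies": request.cookies})`), so `len(result)` is 1; and `expected_keys` lists `"okta-oauth-state"`, which never appears in `tough_cookie`, while `provider-oauth-nonce` is missing from the set. I would assert on the inner mapping, `cookies = response.json()["cookies"]` followed by `assert set(cookies) == expected_keys`, with `"provider-oauth-nonce"` replacing `"okta-oauth-state"` in the set. Since the point of the test is that one malformed neighbour must not cost the request its session cookie, it is worth pinning the value as well as the key: `assert cookies["sessionCookie"] == "importantSessionValue"`.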