@@ -332,6 +332,8 @@ void enrollSchoolHappyPath() throws Exception {
332332 void verifySchoolEmailNotAuthenticated () {
333333 HttpServletRequest request = mock (HttpServletRequest .class );
334334
335+ when (request .getHeader ("Referer" )).thenReturn ("http://localhost:8080/settings" );
336+ when (serverUrlUtils .getUrl ()).thenReturn ("http://localhost:8080" );
335337 when (protector .validateSession (request )).thenThrow (new RuntimeException ("Not authenticated" ));
336338
337339 RedirectView redirectView = authController .verifySchoolEmail (request );
@@ -351,6 +353,8 @@ void verifySchoolEmailInvalidToken() throws Exception {
351353
352354 HttpServletRequest request = mock (HttpServletRequest .class );
353355
356+ when (request .getHeader ("Referer" )).thenReturn ("http://localhost:8080/settings" );
357+ when (serverUrlUtils .getUrl ()).thenReturn ("http://localhost:8080" );
354358 when (protector .validateSession (request )).thenReturn (authObj );
355359 when (request .getParameter ("state" )).thenReturn ("invalid-token" );
356360 when (jwtClient .decode ("invalid-token" , MagicLink .class )).thenThrow (new RuntimeException ("Invalid token" ));
@@ -374,6 +378,8 @@ void verifySchoolEmailUserIdMismatch() throws Exception {
374378 HttpServletRequest request = mock (HttpServletRequest .class );
375379 MagicLink magicLink = new MagicLink ("test@myhunter.cuny.edu" , "different-user-id" );
376380
381+ when (request .getHeader ("Referer" )).thenReturn ("http://localhost:8080/settings" );
382+ when (serverUrlUtils .getUrl ()).thenReturn ("http://localhost:8080" );
377383 when (protector .validateSession (request )).thenReturn (authObj );
378384 when (request .getParameter ("state" )).thenReturn ("valid-token" );
379385 when (jwtClient .decode ("valid-token" , MagicLink .class )).thenReturn (magicLink );
@@ -399,6 +405,8 @@ void verifySchoolEmailHappyPath() throws Exception {
399405
400406 when (protector .validateSession (request )).thenReturn (authObj );
401407 when (request .getParameter ("state" )).thenReturn ("valid-token" );
408+ when (request .getHeader ("Referer" )).thenReturn ("http://localhost:8080/settings" );
409+ when (serverUrlUtils .getUrl ()).thenReturn ("http://localhost:8080" );
402410 when (jwtClient .decode ("valid-token" , MagicLink .class )).thenReturn (magicLink );
403411 when (userRepository .updateUser (any (User .class ))).thenReturn (true );
404412
@@ -412,4 +420,25 @@ void verifySchoolEmailHappyPath() throws Exception {
412420 verify (userRepository , times (1 )).updateUser (any (User .class ));
413421 verify (userTagRepository , times (1 )).createTag (any ());
414422 }
423+
424+ @ Test
425+ @ DisplayName ("Verify school email - invalid origin" )
426+ void verifySchoolEmailInvalidOrigin () {
427+ User user = createRandomUser ();
428+ Session session = createRandomSession (user .getId ());
429+ AuthenticationObject authObj = createAuthenticationObject (user , session );
430+
431+ HttpServletRequest request = mock (HttpServletRequest .class );
432+
433+ when (protector .validateSession (request )).thenReturn (authObj );
434+ when (request .getHeader ("Referer" )).thenReturn ("http://wrong-host.com/settings" );
435+ when (serverUrlUtils .getUrl ()).thenReturn ("http://localhost:8080" );
436+
437+ RedirectView redirectView = authController .verifySchoolEmail (request );
438+
439+ assertNotNull (redirectView );
440+ assertEquals ("/settings?success=false&message=Invalid request origin" , redirectView .getUrl ());
441+
442+ verify (protector , times (0 )).validateSession (request );
443+ }
415444}
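Review bot: The new verifySchoolEmailInvalidOrigin test stubs `when(protector.validateSession(request)).thenReturn(authObj)` and a few lines later asserts `verify(protector, times(0)).validateSession(request)`; the stub contradicts the assertion, is dead if the controller behaves as claimed, and will be reported as an unnecessary stubbing under Mockito's strict-stubs default. Drop that stub (and the now-unused user/session/authObj setup) so the test states one thing: an origin mismatch short-circuits before any session validation. None of the updated tests covers a request with no Referer at all (`getHeader("Referer")` returning null), which is the common real-world case because browsers omit or trim Referer under Referrer-Policy, so a null-Referer test should pin whether the controller rejects or permits it rather than leaving that branch untested. More broadly, Referer is client-supplied and should not be the only origin check on the verify-email endpoint; the controller is not in this diff, so I cannot tell whether the `state` JWT alone binds the request to the user — worth confirming. The enclosing test class begins outside these hunks.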