Capture cookie, csrf token, use send on post

package.json

@@ -25,7 +25,7 @@
   "devDependencies": {
     "mocha": "1.0.3",
     "should": "0.6.3",
-    "supertest": "0.0.0",
+    "supertest": "0.7.1",
     "awsbox": "0.4.5",
     "jshint": "0.9.1",
     "jwcrypto": "0.4.3"

server/tests/acceptance.js

@@ -41,22 +41,29 @@ describe('the server', function() {
       }
       publicKeyToCertify = keyPair.publicKey.serialize();
     });
-/*
-    var csfrResponse = request(app).get('/provision', function(err, res) {
-      console.log('CSF: '+res);
-      done();
-    });
-    return;*/
 
-    request(app).post('/provision', {email: 'lloyd@example.com', publicKey: publicKeyToCertify, duration: 1000*1000})
-    .expect('Content-Type', /json/)
-    .expect(/public-key/) // string or regex matching expected well-known json
-    .end(function(err, res){
-      console.log('RES: '+ res.text);
-      if (err) {
-        throw err;
-      }
-      done();
-    });
+    var csfrResponse = request(app).get('/provision')
+          .end(function(err, res) {
+            var cookieHeader = res.headers['set-cookie'][0];
+
+            var offset = '_csrf: "'.length;
+            var start = res.text.indexOf('_csrf: "');
+            var end = res.text.indexOf('"', start + offset);
+            var csrf = res.text.substring(start + offset, end);
+
+            // Moved in here... if afterwards, seems like this can run before this .end runs.
+            request(app).post('/provision')
+              .send({email: 'lloyd@example.com', publicKey: publicKeyToCertify, duration: 1000*1000, _csrf: csrf})
+              .set('cookie', cookieHeader)
+              .expect('Content-Type', /json/)
+              .expect(/public-key/) // string or regex matching expected well-known json
+              .end(function(err, res){
+                   console.log('RES: '+ res.text);
+                   if (err) {
+                     throw err;
+                   }
+                   done();
+              });
+          });
   });
 });