feat: wire CSRF middleware and harden session cookie

2026-02-19 13:45:58 +01:00 · 2026-02-19 13:45:58 +01:00 · d1f2b39cb6
commit d1f2b39cb6
parent b5ea9950a2
4 changed files with 37 additions and 3 deletions
--- a/tests/conftest.py
+++ b/tests/conftest.py
@ -9,7 +9,7 @@ from porchlight.config import Settings

@pytest.fixture
 def settings() -> Settings:
-    return Settings(issuer="http://localhost:8000", sqlite_path=":memory:")
+    return Settings(issuer="http://localhost:8000", sqlite_path=":memory:", session_https_only=False)


@pytest.fixture
--- a/tests/test_csrf.py
+++ b/tests/test_csrf.py
@ -145,3 +145,18 @@ class TestGenerateCSRFToken:
            response2 = await client.get("/get-token")
            token2 = response2.json()["token"]
            assert token1 == token2
+
+
+class TestAppIntegration:
+    """Test CSRF middleware is wired into the real app."""
+
+    async def test_post_without_csrf_token_returns_403(self, client: AsyncClient) -> None:
+        """Any POST to a session-protected endpoint without CSRF token gets 403."""
+        resp = await client.post("/login/password", data={"username": "x", "password": "y"})
+        assert resp.status_code == 403
+
+    async def test_exempt_token_endpoint(self, client: AsyncClient) -> None:
+        """The /token endpoint is exempt from CSRF (uses client auth)."""
+        resp = await client.post("/token", data={"grant_type": "authorization_code", "code": "fake"})
+        # Should NOT be 403 — it should fail for auth reasons, not CSRF
+        assert resp.status_code != 403