lundberg/porchlight
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

test: update all tests to include CSRF tokens

Browse source
This commit is contained in:
Johan Lundberg 2026-02-19 14:19:47 +01:00
parent 9e5773f52f
commit f648422227
No known key found for this signature in database
GPG key ID: A6C152738D03C7D1
12 changed files with 105 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

20
tests/test_auth_routes/test_manage_webauthn_credential.py
View file

@ -17,6 +17,7 @@ from fido2.webauthn import (
)
from httpx import AsyncClient
from tests.conftest import get_csrf_token
from porchlight.authn.password import PasswordService
from porchlight.models import PasswordCredential, User, WebAuthnCredential
@ -36,10 +37,11 @@ async def _create_user_and_login(client: AsyncClient) -> str:
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("testpass")))
token = await get_csrf_token(client)
await client.post(
"/login/password",
data={"username": "alice", "password": "testpass"},
headers={"HX-Request": "true"},
headers={"HX-Request": "true", "X-CSRF-Token": token},
)
return user.userid
@ -70,14 +72,23 @@ def _build_registration_response(
async def test_webauthn_begin_requires_session(client: AsyncClient) -> None:
res = await client.post("/manage/credentials/webauthn/begin", follow_redirects=False)
token = await get_csrf_token(client)
res = await client.post(
"/manage/credentials/webauthn/begin",
headers={"X-CSRF-Token": token},
follow_redirects=False,
)
assert res.status_code in (302, 303, 401)
async def test_webauthn_begin_returns_options(client: AsyncClient) -> None:
await _create_user_and_login(client)
res = await client.post("/manage/credentials/webauthn/begin")
token = await get_csrf_token(client)
res = await client.post(
"/manage/credentials/webauthn/begin",
headers={"X-CSRF-Token": token},
)
assert res.status_code == 200
data = res.json()
assert "publicKey" in data
@ -122,9 +133,10 @@ async def test_delete_webauthn_credential(client: AsyncClient) -> None:
cred_id_b64 = urlsafe_b64encode(b"cred1").decode().rstrip("=")
token = await get_csrf_token(client)
res = await client.delete(
f"/manage/credentials/webauthn/{cred_id_b64}",
headers={"HX-Request": "true"},
headers={"HX-Request": "true", "X-CSRF-Token": token},
)
assert res.status_code == 200