test: update all tests to include CSRF tokens

This commit is contained in:
Johan Lundberg 2026-02-19 14:19:47 +01:00
parent 9e5773f52f
commit f648422227
No known key found for this signature in database
GPG key ID: A6C152738D03C7D1
12 changed files with 105 additions and 26 deletions


@ -3,15 +3,17 @@ from datetime import UTC, datetime
from argon2 import PasswordHasher
from httpx import AsyncClient
from tests.conftest import get_csrf_token
from porchlight.authn.password import PasswordService
from porchlight.models import PasswordCredential, User
async def test_password_login_unknown_user_returns_error_fragment(client: AsyncClient) -> None:
token = await get_csrf_token(client)
res = await client.post(
"/login/password",
data={"username": "nobody", "password": "wrong"},
headers={"HX-Request": "true"},
headers={"HX-Request": "true", "X-CSRF-Token": token},
)
assert res.status_code == 200
assert "Invalid username or password" in res.text
@ -29,10 +31,11 @@ async def test_password_login_wrong_password_returns_error_fragment(client: Asyn
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("correct")))
token = await get_csrf_token(client)
res = await client.post(
"/login/password",
data={"username": "alice", "password": "wrong"},
headers={"HX-Request": "true"},
headers={"HX-Request": "true", "X-CSRF-Token": token},
)
assert res.status_code == 200
assert "Invalid username or password" in res.text
@ -49,16 +52,18 @@ async def test_password_login_success_sets_session_and_hx_redirect(client: Async
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("correct")))
token = await get_csrf_token(client)
res = await client.post(
"/login/password",
data={"username": "alice", "password": "correct"},
headers={"HX-Request": "true"},
headers={"HX-Request": "true", "X-CSRF-Token": token},
)
assert res.status_code == 200
assert res.headers.get("HX-Redirect") == "/manage/credentials"
async def test_logout_clears_session_and_redirects(client: AsyncClient) -> None:
res = await client.post("/logout", headers={"HX-Request": "true"})
token = await get_csrf_token(client)
res = await client.post("/logout", headers={"HX-Request": "true", "X-CSRF-Token": token})
assert res.status_code == 200
assert res.headers.get("HX-Redirect") == "/login"
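Review bot: Every test in this section now obtains a token and sends it in `X-CSRF-Token` (L20/L25, L32/L37, L44/L49, L55/L56), but nothing asserts that the token is actually enforced — a regression that drops the CSRF check on `/login/password` or `/logout` would leave all of these tests green. Add a negative test that posts valid credentials without the header (and one with a wrong value) and asserts the request is rejected before authentication happens; reuse the user/credential setup from `test_password_login_success_sets_session_and_hx_redirect`, which starts before this hunk's first line. The expected status code is not visible here, so pin it to whatever the CSRF middleware returns (403 is assumed below), and also assert no `HX-Redirect` is issued. As a side note, `from tests.conftest import get_csrf_token` (L16) imports conftest as a plain module; exposing the token as a pytest fixture avoids the double-import pitfalls that pattern can cause.
```python
async def test_password_login_without_csrf_token_is_rejected(client: AsyncClient) -> None:
    # … unchanged: user/credential setup as in the success test …
    res = await client.post(
        "/login/password",
        data={"username": "alice", "password": "correct"},
        headers={"HX-Request": "true"},  # deliberately no X-CSRF-Token
    )
    assert res.status_code == 403  # match the CSRF middleware's rejection code
    assert res.headers.get("HX-Redirect") is None
```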