test: update all tests to include CSRF tokens

2026-02-19 14:19:47 +01:00 · 2026-02-19 14:19:47 +01:00 · f648422227
commit f648422227
parent 9e5773f52f
12 changed files with 105 additions and 26 deletions
--- a/tests/test_oidc/test_e2e_flow.py
+++ b/tests/test_oidc/test_e2e_flow.py
@ -9,6 +9,7 @@ from cryptojwt.jwk.jwk import key_from_jwk_dict
 from cryptojwt.jws.jws import JWS
 from httpx import AsyncClient

+from tests.conftest import get_csrf_token
 from porchlight.authn.password import PasswordService
 from porchlight.models import PasswordCredential, User

@ -76,10 +77,11 @@ async def test_full_authorization_code_flow(client: AsyncClient) -> None:
    assert "/login" in auth_res.headers["location"]

    # -- Step 2: Password login → HX-Redirect to /authorization/complete --
+    token = await get_csrf_token(client)
    login_res = await client.post(
        "/login/password",
        data={"username": "alice", "password": "testpass"},
-        headers={"HX-Request": "true"},
+        headers={"HX-Request": "true", "X-CSRF-Token": token},
    )
    assert login_res.status_code == 200
    hx_redirect = login_res.headers.get("HX-Redirect", "")
@ -95,9 +97,11 @@ async def test_full_authorization_code_flow(client: AsyncClient) -> None:
    assert "/consent" in complete_res.headers["location"]

    # -- Step 3b: Approve consent → redirect to callback with code + state --
+    token = await get_csrf_token(client)
    consent_res = await client.post(
        "/consent",
        data={"action": "allow", "scope": ["openid", "profile", "email"]},
+        headers={"X-CSRF-Token": token},
        follow_redirects=False,
    )
    assert consent_res.status_code in (302, 303)