lundberg/porchlight
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
porchlight/tests
History
Johan Lundberg 3c5451b9c2
fix(csrf): replay request body consumed during token validation 
The CSRF middleware read the request body via request.form() to extract
the csrf_token form field, then handed the already-consumed ASGI receive
to the downstream app. The endpoint's own request.form()/body() then
blocked indefinitely waiting for body bytes that would never arrive,
hanging the request until the client disconnected (ClientDisconnect).

Only native form POSTs hit this path: htmx requests carry the token in
the X-CSRF-Token header and skip the body read. The OIDC consent form is
a plain form with the token in the body, so authorization consent hung.

Buffer the body when falling back to the form token and replay it to the
downstream app via a wrapped receive. Header-token requests are
unchanged. Adds a regression test where the endpoint reads the body after
body-token CSRF validation.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 13:07:02 +02:00
..
e2e fix(security): require CSRF-protected POST to consume a registration link 2026-06-05 13:40:30 +02:00
test_admin fix(security): prevent removing the last active admin 2026-06-05 13:31:39 +02:00
test_auth_routes fix(security): POST WebAuthn login-begin; render JS errors as text 2026-06-05 14:04:24 +02:00
test_authn fix(security): reject WebAuthn signature-counter rollback 2026-06-05 13:53:10 +02:00
test_invite fix(security): consume magic-link tokens atomically 2026-06-04 10:46:38 +02:00
test_manage chore: create package structure with src layout 2026-02-12 14:39:07 +01:00
test_oidc fix(security): don't mint new ID tokens on refresh; confirm offline_access gating 2026-06-10 09:25:49 +02:00
test_store fix(security): enforce globally-unique WebAuthn credential_id 2026-06-05 13:51:09 +02:00
__init__.py chore: create package structure with src layout 2026-02-12 14:39:07 +01:00
conftest.py fix(security): lock down signing-key file permissions 2026-06-08 15:21:27 +02:00
test_admin_groups_validation.py fix(security): reset session on login to prevent fixation 2026-06-04 14:23:08 +02:00
test_admin_invite_validation.py fix(security): reset session on login to prevent fixation 2026-06-04 14:23:08 +02:00
test_app.py feat(security): add baseline security-header middleware 2026-06-10 08:53:49 +02:00
test_authn_active.py fix(security): require CSRF-protected POST to consume a registration link 2026-06-05 13:40:30 +02:00
test_cli.py feat: add initial-admin CLI command 2026-02-18 11:29:13 +01:00
test_client_registration.py fix(security): lock down signing-key file permissions 2026-06-08 15:21:27 +02:00
test_config.py refactor: fix lint warnings and remove stale type: ignore comments 2026-02-18 13:08:03 +01:00
test_csrf.py fix(csrf): replay request body consumed during token validation 2026-06-10 13:07:02 +02:00
test_manage_profile.py feat: wire ProfileUpdate validation into manage profile route 2026-03-10 15:36:47 +01:00
test_models.py update all imports in test files: fastapi_oidc_op → porchlight 2026-02-16 15:34:53 +01:00
test_password_change.py fix(security): require CSRF-protected POST to consume a registration link 2026-06-05 13:40:30 +02:00
test_rate_limit.py fix(security): make rate-limit client IP proxy-aware 2026-06-05 13:35:29 +02:00
test_userid.py update all imports in test files: fastapi_oidc_op → porchlight 2026-02-16 15:34:53 +01:00
test_validation.py fix(security): escape user input in validation error HTML 2026-06-04 10:23:32 +02:00