lundberg/porchlight
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
porchlight/tests/test_admin/test_admin_guard.py
Johan Lundberg befcef9395
fix: add CSRF token handling to admin tests after merge 
The CSRF middleware added to main after the admin-pages branch was
created caused all admin test POSTs/DELETEs to be rejected. Add
get_csrf_token() calls and X-CSRF-Token headers to login helpers and
all mutation requests, matching the pattern used by other tests.
2026-02-19 15:02:51 +01:00

55 lines
2 KiB
Python
Raw Blame History

from datetime import UTC, datetime
import pytest
from argon2 import PasswordHasher
from httpx import AsyncClient
from porchlight.authn.password import PasswordService
from porchlight.models import PasswordCredential, User
from tests.conftest import get_csrf_token
async def _login(
client: AsyncClient, username: str = "alice", password: str = "testpass", *, groups: list[str] | None = None
) -> None:
"""Helper: create user + password credential and log in via POST /login/password."""
app = client._transport.app # type: ignore[union-attr]
user_repo = app.state.user_repo
cred_repo = app.state.credential_repo
user = await user_repo.get_by_username(username)
if user is None:
user = User(
userid="test-user-01",
username=username,
groups=groups or [],
created_at=datetime.now(UTC),
updated_at=datetime.now(UTC),
)
await user_repo.create(user)
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
existing = await cred_repo.get_password_by_user(user.userid)
if existing is None:
await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash(password)))
token = await get_csrf_token(client)
await client.post(
"/login/password",
data={"username": username, "password": password},
headers={"HX-Request": "true", "X-CSRF-Token": token},
)
@pytest.mark.asyncio
async def test_admin_users_redirects_unauthenticated(client: AsyncClient) -> None:
response = await client.get("/admin/users", follow_redirects=False)
assert response.status_code == 303
assert response.headers["location"] == "/login"
@pytest.mark.asyncio
async def test_admin_users_403_for_non_admin(client: AsyncClient) -> None:
await _login(client, username="regularuser", password="password123", groups=["users"])
response = await client.get("/admin/users", follow_redirects=False)
assert response.status_code == 403
Reference in a new issue View git blame Copy permalink