Alo/animaltrack
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
29ea3e27cb7c994bbc68257b36e7376947a4aaf1
animaltrack/tests/test_web_csrf.py
Petru Paler 84225d865f feat: implement FastHTML app shell with auth/CSRF middleware (Step 7.1) 
Add web layer foundation:
- FastHTML app factory with Beforeware pattern
- Auth middleware validating trusted proxy IPs and X-Oidc-Username header
- CSRF dual-token validation (cookie + header + Origin/Referer)
- Request ID generation (ULID) and NDJSON request logging
- Role-based permission helpers (can_edit_event, can_delete_event)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-29 19:52:15 +00:00

173 lines
6.1 KiB
Python
Raw Blame History

# ABOUTME: Tests for CSRF validation logic.
# ABOUTME: Covers token matching, origin/referer validation, and safe methods.
class TestValidateCSRFToken:
"""Tests for CSRF token validation logic."""
def test_accepts_matching_tokens(self):
"""Valid when cookie and header tokens match."""
from animaltrack.web.middleware import validate_csrf_token
assert validate_csrf_token("abc123", "abc123") is True
def test_rejects_mismatched_tokens(self):
"""Invalid when cookie and header tokens differ."""
from animaltrack.web.middleware import validate_csrf_token
assert validate_csrf_token("abc123", "xyz789") is False
def test_rejects_empty_cookie_token(self):
"""Invalid when cookie token is empty."""
from animaltrack.web.middleware import validate_csrf_token
assert validate_csrf_token("", "abc123") is False
def test_rejects_empty_header_token(self):
"""Invalid when header token is empty."""
from animaltrack.web.middleware import validate_csrf_token
assert validate_csrf_token("abc123", "") is False
def test_rejects_none_tokens(self):
"""Invalid when either token is None."""
from animaltrack.web.middleware import validate_csrf_token
assert validate_csrf_token(None, "abc123") is False
assert validate_csrf_token("abc123", None) is False
assert validate_csrf_token(None, None) is False
class TestIsSafeMethod:
"""Tests for HTTP safe method detection."""
def test_get_is_safe(self):
"""GET is a safe method."""
from animaltrack.web.middleware import is_safe_method
assert is_safe_method("GET") is True
def test_head_is_safe(self):
"""HEAD is a safe method."""
from animaltrack.web.middleware import is_safe_method
assert is_safe_method("HEAD") is True
def test_options_is_safe(self):
"""OPTIONS is a safe method."""
from animaltrack.web.middleware import is_safe_method
assert is_safe_method("OPTIONS") is True
def test_post_is_not_safe(self):
"""POST is not a safe method."""
from animaltrack.web.middleware import is_safe_method
assert is_safe_method("POST") is False
def test_put_is_not_safe(self):
"""PUT is not a safe method."""
from animaltrack.web.middleware import is_safe_method
assert is_safe_method("PUT") is False
def test_delete_is_not_safe(self):
"""DELETE is not a safe method."""
from animaltrack.web.middleware import is_safe_method
assert is_safe_method("DELETE") is False
def test_patch_is_not_safe(self):
"""PATCH is not a safe method."""
from animaltrack.web.middleware import is_safe_method
assert is_safe_method("PATCH") is False
def test_case_insensitive(self):
"""Method check is case-insensitive."""
from animaltrack.web.middleware import is_safe_method
assert is_safe_method("get") is True
assert is_safe_method("Get") is True
assert is_safe_method("post") is False
class TestValidateOrigin:
"""Tests for Origin/Referer header validation."""
def test_accepts_matching_origin(self):
"""Valid when Origin matches expected host."""
from animaltrack.web.middleware import validate_origin
assert validate_origin("https://example.com", "example.com") is True
def test_accepts_matching_origin_with_port(self):
"""Valid when Origin matches expected host with port."""
from animaltrack.web.middleware import validate_origin
assert validate_origin("https://example.com:3366", "example.com:3366") is True
def test_rejects_different_origin(self):
"""Invalid when Origin doesn't match expected host."""
from animaltrack.web.middleware import validate_origin
assert validate_origin("https://evil.com", "example.com") is False
def test_rejects_subdomain_mismatch(self):
"""Invalid when Origin is a subdomain of expected host."""
from animaltrack.web.middleware import validate_origin
assert validate_origin("https://sub.example.com", "example.com") is False
def test_accepts_none_origin(self):
"""None origin returns False (will check Referer instead)."""
from animaltrack.web.middleware import validate_origin
assert validate_origin(None, "example.com") is False
def test_accepts_empty_origin(self):
"""Empty origin returns False."""
from animaltrack.web.middleware import validate_origin
assert validate_origin("", "example.com") is False
class TestValidateReferer:
"""Tests for Referer header validation."""
def test_accepts_matching_referer(self):
"""Valid when Referer host matches expected host."""
from animaltrack.web.middleware import validate_referer
assert validate_referer("https://example.com/page", "example.com") is True
def test_accepts_matching_referer_with_port(self):
"""Valid when Referer matches expected host with port."""
from animaltrack.web.middleware import validate_referer
assert validate_referer("https://example.com:3366/page", "example.com:3366") is True
def test_rejects_different_referer(self):
"""Invalid when Referer host doesn't match expected host."""
from animaltrack.web.middleware import validate_referer
assert validate_referer("https://evil.com/page", "example.com") is False
def test_rejects_none_referer(self):
"""Invalid when Referer is None."""
from animaltrack.web.middleware import validate_referer
assert validate_referer(None, "example.com") is False
def test_rejects_empty_referer(self):
"""Invalid when Referer is empty."""
from animaltrack.web.middleware import validate_referer
assert validate_referer("", "example.com") is False
def test_rejects_malformed_referer(self):
"""Invalid when Referer is malformed."""
from animaltrack.web.middleware import validate_referer
assert validate_referer("not-a-url", "example.com") is False
Reference in New Issue View Git Blame Copy Permalink