lukas.pupkalipinski/BanGUI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixed tests

Browse Source
This commit is contained in:
Lukas
2026-05-15 20:41:05 +02:00
parent 96ce516ecf
commit 77df5d5d65
50 changed files with 1482 additions and 5089 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
backend/tests/test_routers/test_csrf.py
View File

@@ -31,14 +31,16 @@ async def _do_setup(client: AsyncClient) -> None:
async def _login(client: AsyncClient, password: str = "Mysecretpass1!") -> str:
"""Helper: perform login and return the session token."""
"""Helper: perform login and return the session token from the cookie."""
resp = await client.post(
"/api/v1/auth/login",
json={"password": password},
headers={"X-BanGUI-Request": "1"},
)
assert resp.status_code == 200
return str(resp.json()["token"])
token = resp.cookies.get(SESSION_COOKIE_NAME)
assert token is not None
return str(token)
# ---------------------------------------------------------------------------
@@ -49,9 +51,7 @@ async def _login(client: AsyncClient, password: str = "Mysecretpass1!") -> str:
class TestCsrfProtection:
"""CSRF middleware validation tests."""
async def test_post_with_cookie_and_csrf_header_passes(
self, client: AsyncClient
) -> None:
async def test_post_with_cookie_and_csrf_header_passes(self, client: AsyncClient) -> None:
"""POST with session cookie and CSRF header is allowed."""
await _do_setup(client)
token = await _login(client)
@@ -65,9 +65,7 @@ class TestCsrfProtection:
# Expect 200 (logout succeeds) not 403 (CSRF failed)
assert response.status_code == 200
async def test_post_with_cookie_without_csrf_header_rejected(
self, client: AsyncClient
) -> None:
async def test_post_with_cookie_without_csrf_header_rejected(self, client: AsyncClient) -> None:
"""POST with session cookie but no CSRF header is rejected with 403."""
await _do_setup(client)
token = await _login(client)
@@ -83,9 +81,7 @@ class TestCsrfProtection:
assert "detail" in body
assert "CSRF" in body["detail"]
async def test_post_with_cookie_with_wrong_csrf_value_rejected(
self, client: AsyncClient
) -> None:
async def test_post_with_cookie_with_wrong_csrf_value_rejected(self, client: AsyncClient) -> None:
"""POST with session cookie and wrong CSRF header value is rejected."""
await _do_setup(client)
token = await _login(client)
@@ -98,9 +94,7 @@ class TestCsrfProtection:
)
assert response.status_code == 403
async def test_post_with_bearer_token_no_csrf_header_passes(
self, client: AsyncClient
) -> None:
async def test_post_with_bearer_token_no_csrf_header_passes(self, client: AsyncClient) -> None:
"""POST with Bearer token but no CSRF header is allowed (not CSRF-vulnerable)."""
await _do_setup(client)
token = await _login(client)
@@ -113,9 +107,7 @@ class TestCsrfProtection:
# Expect 200 (logout succeeds) not 403 (CSRF check should be skipped)
assert response.status_code == 200
async def test_get_with_cookie_no_csrf_header_passes(
self, client: AsyncClient
) -> None:
async def test_get_with_cookie_no_csrf_header_passes(self, client: AsyncClient) -> None:
"""GET with session cookie but no CSRF header is allowed (safe method)."""
await _do_setup(client)
token = await _login(client)
@@ -129,9 +121,7 @@ class TestCsrfProtection:
# Expect 200 (session valid) not 403 (CSRF check should be skipped for GET)
assert response.status_code == 200
async def test_options_with_cookie_no_csrf_header_passes(
self, client: AsyncClient
) -> None:
async def test_options_with_cookie_no_csrf_header_passes(self, client: AsyncClient) -> None:
"""OPTIONS with session cookie but no CSRF header is allowed (safe method)."""
await _do_setup(client)
token = await _login(client)
@@ -145,9 +135,7 @@ class TestCsrfProtection:
# Expect not 403
assert response.status_code != 403
async def test_head_with_cookie_no_csrf_header_passes(
self, client: AsyncClient
) -> None:
async def test_head_with_cookie_no_csrf_header_passes(self, client: AsyncClient) -> None:
"""HEAD with session cookie but no CSRF header is allowed (safe method)."""
await _do_setup(client)
token = await _login(client)
@@ -161,9 +149,7 @@ class TestCsrfProtection:
# Expect not 403
assert response.status_code != 403
async def test_delete_with_cookie_and_csrf_header_passes(
self, client: AsyncClient
) -> None:
async def test_delete_with_cookie_and_csrf_header_passes(self, client: AsyncClient) -> None:
"""DELETE with session cookie and CSRF header is allowed."""
await _do_setup(client)
token = await _login(client)
@@ -180,9 +166,7 @@ class TestCsrfProtection:
# Should not be 403 (CSRF failed)
assert response.status_code != 403
async def test_delete_with_cookie_without_csrf_header_rejected(
self, client: AsyncClient
) -> None:
async def test_delete_with_cookie_without_csrf_header_rejected(self, client: AsyncClient) -> None:
"""DELETE with session cookie but no CSRF header is rejected with 403."""
await _do_setup(client)
token = await _login(client)
@@ -197,9 +181,7 @@ class TestCsrfProtection:
)
assert response.status_code == 403
async def test_put_with_cookie_and_csrf_header_passes(
self, client: AsyncClient
) -> None:
async def test_put_with_cookie_and_csrf_header_passes(self, client: AsyncClient) -> None:
"""PUT with session cookie and CSRF header is allowed."""
await _do_setup(client)
token = await _login(client)
@@ -214,9 +196,7 @@ class TestCsrfProtection:
# Should not be 403 (CSRF failed)
assert response.status_code != 403
async def test_put_with_cookie_without_csrf_header_rejected(
self, client: AsyncClient
) -> None:
async def test_put_with_cookie_without_csrf_header_rejected(self, client: AsyncClient) -> None:
"""PUT with session cookie but no CSRF header is rejected with 403."""
await _do_setup(client)
token = await _login(client)
@@ -230,9 +210,7 @@ class TestCsrfProtection:
)
assert response.status_code == 403
async def test_patch_with_cookie_and_csrf_header_passes(
self, client: AsyncClient
) -> None:
async def test_patch_with_cookie_and_csrf_header_passes(self, client: AsyncClient) -> None:
"""PATCH with session cookie and CSRF header is allowed."""
await _do_setup(client)
token = await _login(client)
@@ -247,9 +225,7 @@ class TestCsrfProtection:
# Should not be 403 (CSRF failed)
assert response.status_code != 403
async def test_patch_with_cookie_without_csrf_header_rejected(
self, client: AsyncClient
) -> None:
async def test_patch_with_cookie_without_csrf_header_rejected(self, client: AsyncClient) -> None:
"""PATCH with session cookie but no CSRF header is rejected with 403."""
await _do_setup(client)
token = await _login(client)
@@ -262,9 +238,7 @@ class TestCsrfProtection:
)
assert response.status_code == 403
async def test_post_without_cookie_no_csrf_header_passes(
self, client: AsyncClient
) -> None:
async def test_post_without_cookie_no_csrf_header_passes(self, client: AsyncClient) -> None:
"""POST without session cookie or Bearer token bypasses CSRF check."""
await _do_setup(client)
@@ -279,9 +253,7 @@ class TestCsrfProtection:
# (Actually logout is idempotent and doesn't require auth, so we expect 200)
assert response.status_code in (200, 401)
async def test_bearer_token_via_authorization_header(
self, client: AsyncClient
) -> None:
async def test_bearer_token_via_authorization_header(self, client: AsyncClient) -> None:
"""Bearer token in Authorization header bypasses CSRF check."""
await _do_setup(client)
token = await _login(client)