Files
wehub-resource-sync 7a0da7932b
Backwards Compatibility / Verify Encryption Constants (push) Waiting to run
Backwards Compatibility / PyPI Version Compatibility (push) Waiting to run
Backwards Compatibility / Database Migration Tests (push) Waiting to run
CodeQL Advanced / Analyze (javascript-typescript) (push) Waiting to run
CodeQL Advanced / Analyze (python) (push) Waiting to run
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-form] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-metrics] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-workflow] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-core] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-pages] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [history-news] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [library] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [link-analytics] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [mobile] (push) Blocked by required conditions
Docker Tests (Consolidated) / detect-changes (push) Waiting to run
Docker Tests (Consolidated) / Build Test Image (push) Waiting to run
Docker Tests (Consolidated) / All Pytest Tests + Coverage (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [accessibility] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [api-crud] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-login] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-pages] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-register] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-core] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-lifecycle] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [error-benchmark] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) (push) Blocked by required conditions
Docker Tests (Consolidated) / Accessibility Tests (push) Blocked by required conditions
Docker Tests (Consolidated) / LLM Unit Tests (push) Blocked by required conditions
Docker Tests (Consolidated) / LLM Example Tests (push) Blocked by required conditions
Docker Tests (Consolidated) / Production Image Smoke Test (push) Blocked by required conditions
Docker Tests (Consolidated) / Infrastructure Tests (push) Blocked by required conditions
OSSF Scorecard / OSSF Security Scorecard Analysis (push) Waiting to run
OSV-Scanner (Scheduled) / scan-scheduled (push) Failing after 0s
Create Release / test-gate (push) Has been cancelled
Create Release / release-gate (push) Has been cancelled
Create Release / ci-gate (push) Has been cancelled
Create Release / version-check (push) Has been cancelled
Create Release / e2e-test-gate (push) Has been cancelled
Create Release / responsive-test-gate (push) Has been cancelled
Create Release / compat-test-gate (push) Has been cancelled
Create Release / compose-integration-gate (push) Has been cancelled
Create Release / vulture-gate (push) Has been cancelled
Create Release / build (push) Has been cancelled
Create Release / provenance (push) Has been cancelled
Create Release / prerelease-docker (push) Has been cancelled
Create Release / publish-docker (push) Has been cancelled
Create Release / create-release (push) Has been cancelled
Create Release / cleanup-changelog (push) Has been cancelled
Create Release / trigger-pypi (push) Has been cancelled
Create Release / monitor-pypi (push) Has been cancelled
Create Release / Clean up orphan prerelease tags and signatures (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:08:55 +08:00

88 lines
3.2 KiB
Python

"""Test CSRF with header."""
import time
class TestCSRFHeader:
"""Test CSRF protection with headers."""
def test_csrf_with_header(self, client, app):
"""Test CSRF protection using headers."""
# Since we disabled CSRF for testing, this test verifies the login flow
# In production, CSRF would be required
# Generate unique username to avoid conflicts
test_username = f"testuser_csrf_{int(time.time() * 1000)}"
# Get login page
response = client.get("/auth/login")
assert response.status_code == 200
# In test mode, CSRF is disabled, so we can login without token
login_data = {
"username": test_username,
"password": "TestPass123",
}
# First register the user
register_response = client.post(
"/auth/register",
data={
"username": test_username,
"password": "TestPass123",
"confirm_password": "TestPass123",
"acknowledge": "true",
},
)
assert register_response.status_code in [200, 302]
# Now test login
response = client.post(
"/auth/login",
data=login_data,
follow_redirects=False,
)
assert response.status_code in [200, 302]
if response.status_code == 302:
# Login successful, redirecting
assert "/" in response.location or "/research" in response.location
def test_api_csrf_exemption(self, authenticated_client):
"""Test that API routes are exempt from CSRF."""
# API routes should work without CSRF token
response = authenticated_client.get("/api/v1/health")
assert response.status_code == 200
# Research API should also work
response = authenticated_client.get("/research/api/history")
assert response.status_code in [200, 404] # 404 if no history yet
def test_csrf_blueprint_exemptions_configured(self, app):
"""Test that only api_v1 blueprint is CSRF-exempt.
Flask-WTF 1.2.2 requires Blueprint objects (not strings) in
_exempt_blueprints. Only api_v1 should be exempt — the browser-facing
blueprints (api, benchmark, research) should require CSRF tokens since
the frontend already sends them.
"""
csrf = app.extensions.get("csrf")
assert csrf is not None, "CSRFProtect extension not initialized"
exempt_names = {bp.name for bp in csrf._exempt_blueprints}
# api_v1 should be exempt (programmatic REST API)
assert "api_v1" in exempt_names, (
"Blueprint 'api_v1' missing from _exempt_blueprints. "
"Ensure csrf.exempt() receives the Blueprint object, not a string."
)
# Browser-facing blueprints should NOT be exempt
for should_not_be_exempt in ("api", "benchmark", "research"):
assert should_not_be_exempt not in exempt_names, (
f"Blueprint '{should_not_be_exempt}' should not be in "
f"_exempt_blueprints — it is browser-facing and the frontend "
f"already sends CSRF tokens."
)