7a0da7932b
Backwards Compatibility / Verify Encryption Constants (push) Waiting to run
Backwards Compatibility / PyPI Version Compatibility (push) Waiting to run
Backwards Compatibility / Database Migration Tests (push) Waiting to run
CodeQL Advanced / Analyze (javascript-typescript) (push) Waiting to run
CodeQL Advanced / Analyze (python) (push) Waiting to run
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-form] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-metrics] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-workflow] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-core] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-pages] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [history-news] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [library] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [link-analytics] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [mobile] (push) Blocked by required conditions
Docker Tests (Consolidated) / detect-changes (push) Waiting to run
Docker Tests (Consolidated) / Build Test Image (push) Waiting to run
Docker Tests (Consolidated) / All Pytest Tests + Coverage (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [accessibility] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [api-crud] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-login] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-pages] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-register] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-core] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-lifecycle] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) [error-benchmark] (push) Blocked by required conditions
Docker Tests (Consolidated) / UI Tests (Puppeteer) (push) Blocked by required conditions
Docker Tests (Consolidated) / Accessibility Tests (push) Blocked by required conditions
Docker Tests (Consolidated) / LLM Unit Tests (push) Blocked by required conditions
Docker Tests (Consolidated) / LLM Example Tests (push) Blocked by required conditions
Docker Tests (Consolidated) / Production Image Smoke Test (push) Blocked by required conditions
Docker Tests (Consolidated) / Infrastructure Tests (push) Blocked by required conditions
OSSF Scorecard / OSSF Security Scorecard Analysis (push) Waiting to run
OSV-Scanner (Scheduled) / scan-scheduled (push) Failing after 0s
Create Release / test-gate (push) Has been cancelled
Create Release / release-gate (push) Has been cancelled
Create Release / ci-gate (push) Has been cancelled
Create Release / version-check (push) Has been cancelled
Create Release / e2e-test-gate (push) Has been cancelled
Create Release / responsive-test-gate (push) Has been cancelled
Create Release / compat-test-gate (push) Has been cancelled
Create Release / compose-integration-gate (push) Has been cancelled
Create Release / vulture-gate (push) Has been cancelled
Create Release / build (push) Has been cancelled
Create Release / provenance (push) Has been cancelled
Create Release / prerelease-docker (push) Has been cancelled
Create Release / publish-docker (push) Has been cancelled
Create Release / create-release (push) Has been cancelled
Create Release / cleanup-changelog (push) Has been cancelled
Create Release / trigger-pypi (push) Has been cancelled
Create Release / monitor-pypi (push) Has been cancelled
Create Release / Clean up orphan prerelease tags and signatures (push) Has been cancelled
189 lines
6.9 KiB
Python
189 lines
6.9 KiB
Python
"""Test with proper CSRF handling."""
|
|
|
|
import re
|
|
import time
|
|
from loguru import logger
|
|
|
|
|
|
class TestProperCSRF:
|
|
"""Test authentication with proper CSRF token handling."""
|
|
|
|
def test_login_with_csrf(self, client):
|
|
"""Test login with proper CSRF token."""
|
|
# Step 1: Get the login page to establish session and get CSRF token
|
|
# audit: PUNCHLIST reviewed 2026-05 — issue resolved by prior PR (recommendation: REFACTOR_SPLIT).
|
|
logger.info("Step 1: Getting login page...")
|
|
response = client.get("/auth/login")
|
|
assert response.status_code == 200
|
|
logger.info(f"GET /auth/login -> {response.status_code}")
|
|
|
|
# Extract CSRF token from the form
|
|
csrf_match = re.search(
|
|
r'name="csrf_token" value="([^"]+)"', response.data.decode()
|
|
)
|
|
assert csrf_match is not None, "Could not find CSRF token in login page"
|
|
|
|
csrf_token = csrf_match.group(1)
|
|
logger.info(f"CSRF token extracted: {csrf_token[:20]}...")
|
|
|
|
# Create unique test username to avoid conflicts
|
|
test_username = f"testuser_csrf_{int(time.time() * 1000)}"
|
|
test_password = "TestPass123"
|
|
|
|
# Register user first
|
|
register_data = {
|
|
"username": test_username,
|
|
"password": test_password,
|
|
"confirm_password": test_password,
|
|
"acknowledge": "true",
|
|
"csrf_token": csrf_token,
|
|
}
|
|
register_response = client.post(
|
|
"/auth/register", data=register_data, follow_redirects=False
|
|
)
|
|
logger.info(
|
|
f"Register response status: {register_response.status_code}"
|
|
)
|
|
|
|
# After registration, check if we were redirected and handle accordingly
|
|
if register_response.status_code == 302:
|
|
# We might be auto-logged in after registration, so go directly to auth check
|
|
response = client.get("/auth/check")
|
|
if response.status_code == 200:
|
|
data = response.get_json()
|
|
if data.get("authenticated") is True:
|
|
logger.info(
|
|
"✅ User auto-authenticated after registration!"
|
|
)
|
|
logger.info(f"Auth check: {data}")
|
|
return
|
|
|
|
# Get fresh CSRF token for login
|
|
response = client.get("/auth/login")
|
|
logger.info(
|
|
f"Login page status after registration: {response.status_code}"
|
|
)
|
|
|
|
# If we're redirected, we might already be logged in
|
|
if response.status_code == 302:
|
|
response = client.get("/auth/check")
|
|
if response.status_code == 200:
|
|
data = response.get_json()
|
|
if data.get("authenticated") is True:
|
|
logger.info("✅ User already authenticated!")
|
|
logger.info(f"Auth check: {data}")
|
|
return
|
|
|
|
csrf_match = re.search(
|
|
r'name="csrf_token" value="([^"]+)"', response.data.decode()
|
|
)
|
|
assert csrf_match is not None, (
|
|
f"Could not find CSRF token in login page after registration. Status: {response.status_code}, Content preview: {response.data.decode()[:200]}"
|
|
)
|
|
csrf_token = csrf_match.group(1)
|
|
|
|
# Step 2: Submit login form with CSRF token
|
|
login_data = {
|
|
"username": test_username,
|
|
"password": test_password,
|
|
"csrf_token": csrf_token,
|
|
}
|
|
|
|
logger.info("Step 2: Submitting login form...")
|
|
response = client.post(
|
|
"/auth/login",
|
|
data=login_data,
|
|
headers={
|
|
"Referer": "http://localhost/auth/login"
|
|
}, # Some CSRF checks require referer
|
|
follow_redirects=False,
|
|
)
|
|
|
|
logger.info(f"POST /auth/login -> {response.status_code}")
|
|
|
|
assert response.status_code == 302, "Login should redirect on success"
|
|
logger.info("✅ Login successful!")
|
|
|
|
# Step 3: Follow redirect and test authenticated access
|
|
location = response.headers.get("Location", "/")
|
|
response = client.get(location)
|
|
logger.info(f"GET {location} -> {response.status_code}")
|
|
assert response.status_code == 200
|
|
|
|
# Test auth check
|
|
response = client.get("/auth/check")
|
|
logger.info(f"GET /auth/check -> {response.status_code}")
|
|
assert response.status_code == 200
|
|
|
|
data = response.get_json()
|
|
logger.info(f"Auth check: {data}")
|
|
assert data.get("authenticated") is True
|
|
logger.info("✅ Authentication test passed!")
|
|
|
|
def test_login_without_csrf(self, app):
|
|
"""Test that login fails without CSRF token."""
|
|
# Enable CSRF for this test
|
|
app.config["WTF_CSRF_ENABLED"] = True
|
|
client = app.test_client()
|
|
|
|
# Try to login without CSRF token
|
|
login_data = {
|
|
"username": "testuser",
|
|
"password": "TestPass123",
|
|
# No csrf_token
|
|
}
|
|
|
|
response = client.post(
|
|
"/auth/login", data=login_data, follow_redirects=False
|
|
)
|
|
|
|
# Should fail due to missing CSRF token
|
|
assert response.status_code != 302 # Should not redirect (success)
|
|
logger.info("✅ Login correctly rejected without CSRF token")
|
|
|
|
def test_login_with_invalid_csrf(self, app):
|
|
"""Test that login fails with invalid CSRF token."""
|
|
# Enable CSRF for this test
|
|
app.config["WTF_CSRF_ENABLED"] = True
|
|
client = app.test_client()
|
|
|
|
# Get login page
|
|
response = client.get("/auth/login")
|
|
assert response.status_code == 200
|
|
|
|
# Use an invalid CSRF token
|
|
login_data = {
|
|
"username": "testuser",
|
|
"password": "TestPass123",
|
|
"csrf_token": "invalid_token_12345",
|
|
}
|
|
|
|
response = client.post(
|
|
"/auth/login", data=login_data, follow_redirects=False
|
|
)
|
|
|
|
# Should fail due to invalid CSRF token
|
|
assert response.status_code != 302 # Should not redirect (success)
|
|
logger.info("✅ Login correctly rejected with invalid CSRF token")
|
|
|
|
def test_csrf_token_rotation(self, client):
|
|
"""Test that CSRF tokens are rotated between requests."""
|
|
# Get first CSRF token
|
|
response = client.get("/auth/login")
|
|
csrf_match1 = re.search(
|
|
r'name="csrf_token" value="([^"]+)"', response.data.decode()
|
|
)
|
|
csrf_token1 = csrf_match1.group(1) if csrf_match1 else None
|
|
|
|
# Get second CSRF token
|
|
response = client.get("/auth/login")
|
|
csrf_match2 = re.search(
|
|
r'name="csrf_token" value="([^"]+)"', response.data.decode()
|
|
)
|
|
csrf_token2 = csrf_match2.group(1) if csrf_match2 else None
|
|
|
|
# Tokens should be different (rotation) or at least valid
|
|
assert csrf_token1 is not None
|
|
assert csrf_token2 is not None
|
|
logger.info("✅ CSRF tokens are properly generated")
|