Files
wehub-resource-sync 7a0da7932b
OSV-Scanner (Scheduled) / scan-scheduled (push) Failing after 0s
Create Release / test-gate (push) Has been cancelled
Create Release / release-gate (push) Has been cancelled
Create Release / ci-gate (push) Has been cancelled
Create Release / version-check (push) Has been cancelled
Create Release / e2e-test-gate (push) Has been cancelled
Create Release / responsive-test-gate (push) Has been cancelled
Create Release / compat-test-gate (push) Has been cancelled
Create Release / compose-integration-gate (push) Has been cancelled
Create Release / vulture-gate (push) Has been cancelled
Create Release / build (push) Has been cancelled
Create Release / provenance (push) Has been cancelled
Create Release / prerelease-docker (push) Has been cancelled
Create Release / publish-docker (push) Has been cancelled
Create Release / create-release (push) Has been cancelled
Create Release / cleanup-changelog (push) Has been cancelled
Create Release / trigger-pypi (push) Has been cancelled
Create Release / monitor-pypi (push) Has been cancelled
Create Release / Clean up orphan prerelease tags and signatures (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-form] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-metrics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-workflow] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-core] (push) Has been cancelled
CodeQL Advanced / Analyze (javascript-typescript) (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [history-news] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [library] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [link-analytics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-core] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-lifecycle] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [error-benchmark] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) (push) Has been cancelled
Docker Tests (Consolidated) / Accessibility Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Unit Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Example Tests (push) Has been cancelled
Docker Tests (Consolidated) / Production Image Smoke Test (push) Has been cancelled
Docker Tests (Consolidated) / Infrastructure Tests (push) Has been cancelled
OSSF Scorecard / OSSF Security Scorecard Analysis (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [mobile] (push) Has been cancelled
Backwards Compatibility / Verify Encryption Constants (push) Has been cancelled
Backwards Compatibility / PyPI Version Compatibility (push) Has been cancelled
Backwards Compatibility / Database Migration Tests (push) Has been cancelled
CodeQL Advanced / Analyze (python) (push) Has been cancelled
Docker Tests (Consolidated) / detect-changes (push) Has been cancelled
Docker Tests (Consolidated) / Build Test Image (push) Has been cancelled
Docker Tests (Consolidated) / All Pytest Tests + Coverage (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [accessibility] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [api-crud] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-login] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-register] (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:08:55 +08:00

110 lines
3.8 KiB
Python

"""Test authentication without CSRF to verify CSRF protection."""
from loguru import logger
class TestWithoutCSRF:
"""Test that authentication properly requires CSRF tokens."""
def test_login_without_csrf_protection(self, app):
"""Test login behavior when CSRF protection is disabled."""
# Temporarily disable CSRF for this test
app.config["WTF_CSRF_ENABLED"] = False
client = app.test_client()
# Register user
register_data = {
"username": "testuser_nocsrf",
"password": "TestPass123",
"confirm_password": "TestPass123",
"acknowledge": "true",
}
client.post("/auth/register", data=register_data)
# Try login without CSRF token
login_data = {
"username": "testuser_nocsrf",
"password": "TestPass123",
}
# Direct POST without getting the login page first
response = client.post(
"/auth/login", data=login_data, follow_redirects=False
)
logger.info(
f"POST /auth/login (CSRF disabled) -> {response.status_code}"
)
# With CSRF disabled, login should work
assert response.status_code == 302
logger.info("✅ Login worked with CSRF disabled!")
# Re-enable CSRF
app.config["WTF_CSRF_ENABLED"] = True
def test_login_requires_csrf_by_default(self, app):
"""Test that login requires CSRF token when enabled."""
# Create a new client with CSRF enabled
app.config["WTF_CSRF_ENABLED"] = True
client = app.test_client()
# Try login without CSRF token (CSRF should be enabled)
login_data = {"username": "testuser", "password": "TestPass123"}
# Direct POST without CSRF token
response = client.post(
"/auth/login", data=login_data, follow_redirects=False
)
logger.info(
f"POST /auth/login (no CSRF token) -> {response.status_code}"
)
# Should fail because CSRF token is missing
assert response.status_code != 302 # Should not redirect on success
logger.info("✅ Login correctly requires CSRF token!")
def test_api_endpoints_without_csrf(self, authenticated_client):
"""Test that API endpoints work without CSRF for authenticated users."""
# API endpoints typically don't require CSRF for GET requests
endpoints = [
"/settings/api",
"/history/api",
"/metrics/api/cost-analytics",
]
for endpoint in endpoints:
response = authenticated_client.get(endpoint)
assert response.status_code == 200
logger.info(f"✅ GET {endpoint} works without CSRF token")
def test_post_api_without_csrf(self, authenticated_client):
"""Test that POST API endpoints properly handle CSRF."""
# Try to start research without CSRF token
# audit: PUNCHLIST reviewed 2026-05 — issue resolved by prior PR (recommendation: FIX_ASSERTION).
research_data = {"query": "test query", "mode": "quick"}
# POST without CSRF should fail unless endpoint is exempt
response = authenticated_client.post(
"/api/start_research",
json=research_data, # JSON requests typically bypass CSRF
content_type="application/json",
)
# JSON API endpoints often bypass CSRF protection
logger.info(
f"POST /api/start_research (JSON) -> {response.status_code}"
)
# Form POST without CSRF should fail
response = authenticated_client.post(
"/api/start_research",
data=research_data, # Form data should require CSRF
follow_redirects=False,
)
logger.info(
f"POST /api/start_research (form data, no CSRF) -> {response.status_code}"
)