Kharec/goyco
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test: cover CSRF skip behavior for Bearer vs cookie auth

Browse Source
This commit is contained in:
Sandro CURY CAZZANIGA
2026-04-23 13:34:51 +02:00
parent 5fc208c9da
commit 12db6409ce
1 changed files with 18 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/middleware/csrf_test.go
+18 -2
View File
@@ -186,8 +186,9 @@ func TestCSRFMiddlewareAllowsValidToken(t *testing.T) {
} }
} }
func TestCSRFMiddlewareSkipsAPI(t *testing.T) { func TestCSRFMiddlewareSkipsAPIWithBearerToken(t *testing.T) {
request := httptest.NewRequest("POST", "/api/test", nil) request := httptest.NewRequest("POST", "/api/test", nil)
request.Header.Set("Authorization", "Bearer valid-token")
recorder := httptest.NewRecorder() recorder := httptest.NewRecorder()
handler := CSRFMiddleware()(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { handler := CSRFMiddleware()(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -197,7 +198,22 @@ func TestCSRFMiddlewareSkipsAPI(t *testing.T) {
handler.ServeHTTP(recorder, request) handler.ServeHTTP(recorder, request)
if recorder.Code != http.StatusOK { if recorder.Code != http.StatusOK {
t.Errorf("API requests should skip CSRF validation, got status %d", recorder.Code) t.Errorf("API requests with Bearer token should skip CSRF validation, got status %d", recorder.Code)
}
}
func TestCSRFMiddlewareBlocksAPIWithoutBearerToken(t *testing.T) {
request := httptest.NewRequest("POST", "/api/test", nil)
recorder := httptest.NewRecorder()
handler := CSRFMiddleware()(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}))
handler.ServeHTTP(recorder, request)
if recorder.Code != http.StatusForbidden {
t.Errorf("API requests without Bearer token should require CSRF validation, got status %d", recorder.Code)
} }
} }