test: add integration test for CSRF cookie-only bypass

2025-12-26 17:29:51 +01:00
parent fc23cbd6fd
commit 5477bbf0a7


@@ -174,4 +174,28 @@ func TestIntegration_CSRF_Protection(t *testing.T) {
t.Error("Expected post creation with valid CSRF token to succeed")
}
})
t.Run("CSRF_Blocks_Request_With_Only_Cookie", func(t *testing.T) {
csrfCookie := getCSRFToken(t, "/register")
requestBody := url.Values{}
requestBody.Set("username", "cookie_only_user")
requestBody.Set("email", "cookie_only@example.com")
requestBody.Set("password", "SecurePass123!")
request := httptest.NewRequest("POST", "/register", strings.NewReader(requestBody.Encode()))
request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
request.AddCookie(csrfCookie)
recorder := httptest.NewRecorder()
router.ServeHTTP(recorder, request)
if recorder.Code != http.StatusForbidden {
t.Errorf("Expected status 403 for request with only cookie (no form/header token), got %d. Body: %s", recorder.Code, recorder.Body.String())
}
if !strings.Contains(recorder.Body.String(), "Invalid CSRF token") {
t.Error("Expected CSRF error message")
}
})
}
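Review bot: The subtest shows the middleware answers 403 to a cookie-only POST but never checks that the rejected registration had no effect, so it would still pass if the CSRF check ran after the handler had already persisted `cookie_only_user`. After the status assertion, look the account up in whatever store the suite's fixtures expose and fail if it exists, roughly `if userExists(t, "cookie_only_user") { t.Error("CSRF-rejected request must not create a user") }` (the helper name is a guess; the fixtures are outside this hunk). A cookie-only request is only one half of the double-submit bypass surface; unless an earlier subtest already covers it, add the mismatched-pair case where the form token comes from a second `getCSRFToken` call and the cookie from the first, which should also yield 403. TestIntegration_CSRF_Protection begins before this hunk, so only its last subtests are visible here.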