From fc23cbd6fd3f4d5272ac5dfd7456c1116018131e Mon Sep 17 00:00:00 2001
From: Kharec
Date: Fri, 26 Dec 2025 17:28:58 +0100
Subject: [PATCH] test: verify CSRF rejects requests with only cookie token
---
 internal/middleware/csrf_test.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/internal/middleware/csrf_test.go b/internal/middleware/csrf_test.go
index a515dd2..1b58fec 100644
--- a/internal/middleware/csrf_test.go
+++ b/internal/middleware/csrf_test.go
@@ -94,6 +94,23 @@ func TestCSRFTokenValidationMissingCookie(t *testing.T) {
 	}
 }
 
+func TestCSRFTokenValidationOnlyCookie(t *testing.T) {
+	token, err := CSRFToken()
+	if err != nil {
+		t.Fatalf("Failed to generate CSRF token: %v", err)
+	}
+
+	request := httptest.NewRequest("POST", "/test", nil)
+	request.AddCookie(&http.Cookie{
+		Name:  CSRFTokenCookieName,
+		Value: token,
+	})
+
+	if ValidateCSRFToken(request) {
+		t.Error("Request with only cookie (no form/header token) should fail validation")
+	}
+}
+
 func TestCSRFTokenValidationHeader(t *testing.T) {
 	token, err := CSRFToken()
 	if err != nil {
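Review bot: The new TestCSRFTokenValidationOnlyCookie pins only the cookie-without-submitted-token failure mode; unless it is already covered elsewhere in this file, a sibling case that sends the cookie together with a non-matching header token (reusing whatever header constant TestCSRFTokenValidationHeader uses, whose body lies outside this hunk) would also establish that ValidateCSRFToken compares the two values rather than merely checking that both are present. On the style side, `httptest.NewRequest("POST", "/test", nil)` can use the method constant from the already-imported net/http package, i.e. `request := httptest.NewRequest(http.MethodPost, "/test", nil)`, which avoids a bare string for the verb and matches the typed `http.Cookie` literal a few lines below. The assertion message on the t.Error line states the expected contract clearly and needs no change.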