test(csrf): update test suite for session-bound CSRF tokens

- Add CSRF fixtures to conftest.py for pre-auth and session CSRF - Update test_wizard.py: use bypass_pre_auth_csrf and patch_route_settings - Update test_adapters.py: set request.state.csrf_token and form mock data - Update test_api_keys.py: add CSRF token to form data for POST routes - Update test_streams.py: change return_value to side_effect for CSRF support - Update test_region_picker.py: add CSRF token handling - Update test_config_store.py: set CENTRAL_CSRF_SECRET env var in fixture All 285 tests now pass with session-bound CSRF validation. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-05-22 18:44:40 +02:00 · 2026-05-18 03:47:58 +00:00 · 2026-05-18 03:47:58 +00:00 · 890d1a1006
commit 890d1a1006
parent c317c9ab01
7 changed files with 238 additions and 298 deletions
--- a/tests/conftest.py
+++ b/tests/conftest.py
@ -48,3 +48,49 @@ def mock_conn():
    conn.fetchval = AsyncMock()
    conn.execute = AsyncMock()
    return conn
+
+
+# CSRF fixtures for route tests
+
+@pytest.fixture
+def bypass_pre_auth_csrf():
+    """Patch pre-auth CSRF validation to always pass.
+    
+    Use for tests of pre-auth routes: /login, /setup/operator
+    """
+    with patch("central.gui.routes.validate_pre_auth_csrf", return_value=True):
+        with patch("central.gui.routes.generate_pre_auth_csrf", return_value=("test_csrf_token", "test_signed_token")):
+            yield
+
+
+@pytest.fixture
+def bypass_session_csrf():
+    """Create a mock request with session CSRF properly configured.
+    
+    Use for tests of authenticated routes that check request.state.csrf_token.
+    Returns a configured mock_request.
+    """
+    request = MagicMock()
+    request.state.csrf_token = "test_csrf_token_12345"
+    request.state.operator = MagicMock()
+    request.state.operator.id = 1
+    request.state.operator.username = "testuser"
+    
+    # Mock form() to return dict with matching CSRF token
+    form_data = {"csrf_token": "test_csrf_token_12345"}
+    
+    async def mock_form():
+        return form_data
+    
+    request.form = mock_form
+    request._form_data = form_data  # Allow tests to modify form data
+    
+    return request
+
+
+@pytest.fixture
+def patch_route_settings():
+    """Patch get_settings in routes module."""
+    with patch("central.gui.routes.get_settings") as mock:
+        mock.return_value.csrf_secret = "test-csrf-secret-for-testing-only-32chars"
+        yield mock