

;; Safsaf, a Guile web framework
;; Copyright (C) 2026 Christopher Baines <mail@cbaines.net>
;; This program is free software: you can redistribute it and/or
;; modify it under the terms of the GNU Lesser General Public License
;; as published by the Free Software Foundation, either version 3 of
;; the License, or (at your option) any later version.
;;
;; This program is distributed in the hope that it will be useful, but
;; WITHOUT ANY WARRANTY; without even the implied warranty of
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
;; Lesser General Public License for more details.
;;
;; You should have received a copy of the GNU Lesser General Public
;; License along with this program. If not, see
;; <https://www.gnu.org/licenses/>.
;;; test-csrf-validation.scm — Tests for CSRF integration in (safsaf params)
;;; and (safsaf handler-wrappers csrf)
(use-modules (tests support)
(safsaf params)
(safsaf handler-wrappers csrf))
;; Exercises the CSRF pieces exported by (safsaf params) and
;; (safsaf handler-wrappers csrf): rendering the hidden token field and
;; checking the submitted "csrf-token" value during form parsing.
;; Every case pins the expected token via `current-csrf-token'.
;;
;; NOTE(review): no case here covers an unset or empty
;; `current-csrf-token', nor a submitted empty "csrf-token" value; worth
;; confirming that parse-form-params rejects those rather than treating
;; empty-against-empty as a match.
(define-suite csrf-validation-tests
  (suite "csrf"

    ;; The hidden field renders as an SXML <input> node so that it can be
    ;; placed inside a form and echoed back on submission.
    (test "csrf-token-field produces sxml"
      (parameterize ((current-csrf-token "abc123"))
        (let ((sxml (csrf-token-field)))
          (is (pair? sxml))
          (is (eq? 'input (car sxml))))))

    ;; A submitted token equal to the current one passes; any other value
    ;; marks the parameter set as invalid.
    (test "parse-form-params checks csrf"
      (parameterize ((current-csrf-token "tok123"))
        (let ((matching    (parse-form-params '() '(("csrf-token" . "tok123"))))
              (mismatching (parse-form-params '() '(("csrf-token" . "wrong")))))
          (is (not (any-invalid-params? matching)))
          (is (any-invalid-params? mismatching)))))

    ;; Leaving the token out of the form is rejected, not silently accepted.
    (test "parse-form-params csrf missing"
      (parameterize ((current-csrf-token "tok123"))
        (is (any-invalid-params? (parse-form-params '() '())))))

    ;; With a valid token the rest of the spec is still parsed as usual and
    ;; the parsed value is reachable under the field's symbol.
    (test "parse-form-params validates other fields too"
      (parameterize ((current-csrf-token "tok123"))
        (let* ((spec   `((name ,as-string #:required)))
               (body   '(("csrf-token" . "tok123") ("name" . "Alice")))
               (parsed (parse-form-params spec body)))
          (is (not (any-invalid-params? parsed)))
          (is (equal? "Alice" (assq-ref parsed 'name))))))

    ;; A valid token must not mask other validation failures: a missing
    ;; required field is still reported as an invalid param.
    (test "parse-form-params field errors with valid csrf"
      (parameterize ((current-csrf-token "tok123"))
        (let* ((spec   `((name ,as-string #:required)))
               (parsed (parse-form-params spec '(("csrf-token" . "tok123")))))
          (is (any-invalid-params? parsed))
          (is (invalid-param? (assq-ref parsed 'name))))))))
;; Run the suite defined above when this file is loaded.
(run-tests csrf-validation-tests)