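;; Safsaf, a Guile web framework
;; Copyright (C) 2026 Christopher Baines
;;
;; This program is free software: you can redistribute it and/or
;; modify it under the terms of the GNU Lesser General Public License
;; as published by the Free Software Foundation, either version 3 of
;; the License, or (at your option) any later version.
;;
;; This program is distributed in the hope that it will be useful, but
;; WITHOUT ANY WARRANTY; without even the implied warranty of
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
;; Lesser General Public License for more details.
;;
;; You should have received a copy of the GNU Lesser General Public
;; License along with this program.  If not, see
;; <https://www.gnu.org/licenses/>.

;;; test-csrf-validation.scm — Tests for CSRF integration in (safsaf params)
;;; and (safsaf handler-wrappers csrf)
;;;
;;; Contract under test: a form rendered with CSRF-TOKEN-FIELD while
;;; CURRENT-CSRF-TOKEN is bound must, on submission, be accepted by
;;; PARSE-FORM-PARAMS only when the submitted "csrf-token" field is exactly
;;; equal to the token bound at parse time.  A missing, empty, wrong, or
;;; merely prefix/superstring token has to be reported as invalid, and the
;;; CSRF check must not hide or be hidden by errors in the other fields.

(use-modules (tests support)
             (safsaf params)
             (safsaf handler-wrappers csrf))

;; The submitted field name that PARSE-FORM-PARAMS reads.  Kept in one place
;; so the producer (CSRF-TOKEN-FIELD) and consumer tests cannot drift apart.
(define csrf-field-name "csrf-token")

(define (sxml-contains-string? tree str)
  "Return #t if the string STR occurs anywhere in the SXML TREE.

The walk is generic (cars and cdrs of every pair) so the test does not
depend on the exact attribute layout CSRF-TOKEN-FIELD happens to emit."
  (cond
   ((string? tree) (string=? tree str))
   ((pair? tree) (or (sxml-contains-string? (car tree) str)
                     (sxml-contains-string? (cdr tree) str)))
   (else #f)))

(define (parse-with-token token spec form)
  "Run PARSE-FORM-PARAMS over FORM (an alist of submitted fields, as
strings) against the field SPEC, with CURRENT-CSRF-TOKEN bound to TOKEN for
the duration of the call.  Returns whatever PARSE-FORM-PARAMS returns."
  (parameterize ((current-csrf-token token))
    (parse-form-params spec form)))

(define-suite csrf-validation-tests
  (suite "csrf"
    ;; The hidden field is an SXML <input> element.
    (test "csrf-token-field produces sxml"
      (parameterize ((current-csrf-token "abc123"))
        (let ((field (csrf-token-field)))
          (is (pair? field))
          (is (eq? 'input (car field))))))

    ;; Producer/consumer agreement: the rendered field must carry the same
    ;; name PARSE-FORM-PARAMS looks up, otherwise a submission from a
    ;; rendered form could never validate (or, worse, the check could be
    ;; silently skipped because the field is never seen).
    (test "csrf-token-field names the field parse-form-params reads"
      (parameterize ((current-csrf-token "abc123"))
        (is (sxml-contains-string? (csrf-token-field) csrf-field-name))))

    ;; Exact match passes, a different token fails.
    (test "parse-form-params checks csrf"
      (is (not (any-invalid-params?
                (parse-with-token "tok123" '()
                                  `((,csrf-field-name . "tok123"))))))
      (is (any-invalid-params?
           (parse-with-token "tok123" '()
                             `((,csrf-field-name . "wrong"))))))

    ;; A submission with no token at all is invalid, not "unchecked".
    (test "parse-form-params csrf missing"
      (is (any-invalid-params? (parse-with-token "tok123" '() '()))))

    ;; An empty submitted token must not be treated as absent-and-ignored.
    (test "parse-form-params rejects empty csrf token"
      (is (any-invalid-params?
           (parse-with-token "tok123" '()
                             `((,csrf-field-name . ""))))))

    ;; The comparison has to be a whole-string equality, not a prefix test
    ;; in either direction.
    (test "parse-form-params rejects prefix and superstring tokens"
      (is (any-invalid-params?
           (parse-with-token "tok123" '()
                             `((,csrf-field-name . "tok12")))))
      (is (any-invalid-params?
           (parse-with-token "tok123" '()
                             `((,csrf-field-name . "tok1234"))))))

    ;; A valid token does not short-circuit validation of the other fields,
    ;; and valid fields come back parsed.
    (test "parse-form-params validates other fields too"
      (let ((result (parse-with-token "tok123"
                                      `((name ,as-string #:required))
                                      `((,csrf-field-name . "tok123")
                                        ("name" . "Alice")))))
        (is (not (any-invalid-params? result)))
        (is (equal? "Alice" (assq-ref result 'name)))))

    ;; A valid token with a missing required field reports the field error.
    (test "parse-form-params field errors with valid csrf"
      (let ((result (parse-with-token "tok123"
                                      `((name ,as-string #:required))
                                      `((,csrf-field-name . "tok123")))))
        (is (any-invalid-params? result))
        (is (invalid-param? (assq-ref result 'name)))))))

(run-tests csrf-validation-tests)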