;; Safsaf, a Guile web framework
;; Copyright (C) 2026 Christopher Baines <mail@cbaines.net>
;; This program is free software: you can redistribute it and/or
;; modify it under the terms of the GNU Lesser General Public License
;; as published by the Free Software Foundation, either version 3 of
;; the License, or (at your option) any later version.
;;
;; This program is distributed in the hope that it will be useful, but
;; WITHOUT ANY WARRANTY; without even the implied warranty of
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
;; Lesser General Public License for more details.
;;
;; You should have received a copy of the GNU Lesser General Public
;; License along with this program. If not, see
;; <https://www.gnu.org/licenses/>.
;;; test-csrf-validation.scm — Tests for CSRF integration in (safsaf params)
;;; and (safsaf handler-wrappers csrf)
(use-modules (tests support)
(safsaf params)
(safsaf handler-wrappers csrf))
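(define-suite csrf-validation-tests

  ;; Contract under test: parse-form-params accepts a submission only when
  ;; the "csrf-token" form field is present and equal to the value of the
  ;; current-csrf-token parameter, and csrf-token-field renders the hidden
  ;; <input> that carries that token back to the server.
  ;;
  ;; NOTE(review): these tests observe only the accept/reject decision.
  ;; They cannot tell whether the token comparison is constant-time, nor
  ;; how the token is generated or bound to a session -- those properties
  ;; need separate coverage.
  (suite "csrf"

    (test "csrf-token-field produces sxml"
      (parameterize ((current-csrf-token "abc123"))
        (let ((field (csrf-token-field)))
          (is (pair? field))
          (is (eq? 'input (car field))))))

    ;; The rendered field must embed the current token and use the same
    ;; form-field name ("csrf-token") that parse-form-params reads below,
    ;; otherwise the browser -> server round trip can never validate.  The
    ;; SXML tree is walked for string leaves rather than assuming a
    ;; particular attribute layout.
    (test "csrf-token-field embeds the current token"
      (parameterize ((current-csrf-token "abc123"))
        (let ((strings
               (let walk ((node (csrf-token-field)) (acc '()))
                 (cond ((string? node) (cons node acc))
                       ((pair? node) (walk (cdr node) (walk (car node) acc)))
                       (else acc)))))
          (is (pair? (member "abc123" strings)))
          (is (pair? (member "csrf-token" strings))))))

    (test "parse-form-params checks csrf"
      (parameterize ((current-csrf-token "tok123"))
        ;; Matching token: no invalid params, even with an empty spec.
        (let ((result (parse-form-params '()
                                         '(("csrf-token" . "tok123")))))
          (is (not (any-invalid-params? result))))
        ;; Mismatched token is reported as an invalid param.
        (let ((result (parse-form-params '()
                                         '(("csrf-token" . "wrong")))))
          (is (any-invalid-params? result)))))

    (test "parse-form-params csrf missing"
      (parameterize ((current-csrf-token "tok123"))
        (let ((result (parse-form-params '() '())))
          (is (any-invalid-params? result)))))

    ;; An empty token is a distinct case from a missing field: a form that
    ;; submits csrf-token="" must still be rejected.
    (test "parse-form-params csrf empty"
      (parameterize ((current-csrf-token "tok123"))
        (let ((result (parse-form-params '() '(("csrf-token" . "")))))
          (is (any-invalid-params? result)))))

    ;; The comparison must be an exact, case-sensitive string match:
    ;; a prefix, an extension and a case variant of the real token are
    ;; all rejected.
    (test "parse-form-params requires exact csrf match"
      (parameterize ((current-csrf-token "tok123"))
        (for-each
         (lambda (candidate)
           (let ((result (parse-form-params
                          '()
                          `(("csrf-token" . ,candidate)))))
             (is (any-invalid-params? result))))
         '("tok12" "tok1234" "TOK123"))))

    (test "parse-form-params validates other fields too"
      (parameterize ((current-csrf-token "tok123"))
        (let ((result (parse-form-params
                       `((name ,as-string #:required))
                       '(("csrf-token" . "tok123") ("name" . "Alice")))))
          (is (not (any-invalid-params? result)))
          ;; Parsed fields are keyed by the spec's symbol, not the form name.
          (is (equal? "Alice" (assq-ref result 'name))))))

    (test "parse-form-params field errors with valid csrf"
      (parameterize ((current-csrf-token "tok123"))
        (let ((result (parse-form-params
                       `((name ,as-string #:required))
                       '(("csrf-token" . "tok123")))))
          (is (any-invalid-params? result))
          ;; The missing required field is what makes the result invalid.
          (is (invalid-param? (assq-ref result 'name))))))

    ;; A well-formed payload must not mask a bad token: the csrf failure
    ;; is reported regardless of the other fields being valid.
    (test "parse-form-params wrong csrf with valid fields"
      (parameterize ((current-csrf-token "tok123"))
        (let ((result (parse-form-params
                       `((name ,as-string #:required))
                       '(("csrf-token" . "wrong") ("name" . "Alice")))))
          (is (any-invalid-params? result)))))))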
;; Entry point: execute the suite defined above via the (tests support) runner.
(run-tests csrf-validation-tests)