test: post to protected endpoint expecting fails

Author: aekasitt

tests/cookie_body.py

@@ -77,6 +77,45 @@ def get_configs():
   assert response.json() == {"detail": "Missing Cookie: `fastapi-csrf-token`."}
 
 
+@mark.parametrize(
+  "csrf_settings",
+  (
+    (
+      ("cookie_secure", True),
+      ("secret_key", "secret"),
+      ("token_key", "csrf-token"),
+      ("token_location", "body"),
+    ),
+  ),
+)
+def test_submit_csrf_token_in_body_and_cookies_secure_but_using_http(
+  csrf_settings: Tuple[Tuple[str, str], ...], test_client: TestClient
+):
+  ### Load config ###
+  @CsrfProtect.load_config
+  def get_configs():
+    return csrf_settings
+
+  ### Generate token ###
+  response = test_client.get("/gen-token")
+  assert response.status_code == 200
+
+  ### Asserts that `cookie_token` is present
+  cookie_token: Optional[str] = test_client.cookies.get("fastapi-csrf-token", None)
+  assert cookie_token is not None
+
+  ### Extract `csrf_token` from response to be set as next request's body ###
+  csrf_token: Optional[str] = response.json().get("csrf_token", None)
+  payload: Dict[str, str] = {"csrf-token": csrf_token} if csrf_token is not None else {}
+
+  ### Post to protected endpoint but fails because TestClients defaults to http ###
+  response = test_client.post("/protected", data=payload)
+
+  ### Assertions ###
+  assert response.status_code == 400
+  assert response.json() == {"detail": "Missing Cookie: `fastapi-csrf-token`."}
+
+
 @mark.parametrize(
   "csrf_settings",
   (

tests/cookie_header.py

@@ -78,6 +78,44 @@ def get_configs():
   assert response.json() == {"detail": "Missing Cookie: `fastapi-csrf-token`."}
 
 
+@mark.parametrize(
+  "csrf_settings",
+  (
+    (
+      ("cookie_secure", True),
+      ("secret_key", "secret"),
+      ("token_location", "header"),
+    ),
+  ),
+)
+def test_submit_csrf_token_in_headers_and_cookies_secure_but_using_http(
+  csrf_settings: Tuple[Tuple[str, str], ...], test_client: TestClient
+):
+  ### Load config ###
+  @CsrfProtect.load_config
+  def get_configs():
+    return csrf_settings
+
+  ### Generate token ###
+  response = test_client.get("/gen-token")
+  assert response.status_code == 200
+
+  ### Asserts that `cookie_token` is present
+  cookie_token: Optional[str] = test_client.cookies.get("fastapi-csrf-token", None)
+  assert cookie_token is not None
+
+  ### Extract `csrf_token` from response to be set as next request's body ###
+  csrf_token: Optional[str] = response.json().get("csrf_token", None)
+  payload: Dict[str, str] = {"csrf-token": csrf_token} if csrf_token is not None else {}
+
+  ### Post to protected endpoint but fails because TestClients defaults to http ###
+  response = test_client.post("/protected", data=payload)
+
+  ### Assertions ###
+  assert response.status_code == 400
+  assert response.json() == {"detail": "Missing Cookie: `fastapi-csrf-token`."}
+
+
 @mark.parametrize(
   "csrf_settings",
   (