From b260159d28fcf19bfb4d27a3340d7a2f5ab63d8b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 29 May 2026 13:48:13 +0000 Subject: [PATCH 1/2] Add independent CSRF test subsystem --- io.github.cl-sdk.wst.session.csrf.test.asd | 10 +++++ io.github.cl-sdk.wst.test.asd | 1 + t/session-csrf-tests.lisp | 48 ++++++++++++++++++++++ 3 files changed, 59 insertions(+) create mode 100644 io.github.cl-sdk.wst.session.csrf.test.asd create mode 100644 t/session-csrf-tests.lisp diff --git a/io.github.cl-sdk.wst.session.csrf.test.asd b/io.github.cl-sdk.wst.session.csrf.test.asd new file mode 100644 index 0000000..f3c4fc9 --- /dev/null +++ b/io.github.cl-sdk.wst.session.csrf.test.asd @@ -0,0 +1,10 @@ +(asdf:defsystem #:io.github.cl-sdk.wst.session.csrf.test + :description "Tests for io.github.cl-sdk.wst.session.csrf." + :author "Bruno Dias" + :license "Unlicense" + :version "0.1.0" + :depends-on (#:io.github.cl-sdk.wst.test.support + #:io.github.cl-sdk.wst.session.csrf) + :pathname "t" + :serial t + :components ((:file "session-csrf-tests"))) diff --git a/io.github.cl-sdk.wst.test.asd b/io.github.cl-sdk.wst.test.asd index 37edc66..8b52b93 100644 --- a/io.github.cl-sdk.wst.test.asd +++ b/io.github.cl-sdk.wst.test.asd @@ -17,6 +17,7 @@ #:io.github.cl-sdk.wst.routing.response.dsl.test #:io.github.cl-sdk.wst.routing.test #:io.github.cl-sdk.wst.routing.woo.test + #:io.github.cl-sdk.wst.session.csrf.test #:io.github.cl-sdk.wst.session.sqlite.test #:io.github.cl-sdk.wst.trace-context.routing.test #:io.github.cl-sdk.wst.trace-context.test)) diff --git a/t/session-csrf-tests.lisp b/t/session-csrf-tests.lisp new file mode 100644 index 0000000..9a217df --- /dev/null +++ b/t/session-csrf-tests.lisp @@ -0,0 +1,48 @@ +(in-package :io.github.cl-sdk.wst.test) + +(5am:def-suite wst.session-csrf.suite + :description "Tests for the wst.session.csrf package.") + +(5am:in-suite wst.session-csrf.suite) + +(defclass test-csrf-context () + ((csrf-token :initform nil + :accessor test-csrf-context-token))) + +(defmethod io.github.cl-sdk.wst.session.csrf:session-csrf-token ((obj test-csrf-context) &key &allow-other-keys) + (test-csrf-context-token obj)) + +(defmethod io.github.cl-sdk.wst.session.csrf:add-session-csrf-token ((obj test-csrf-context) key &key &allow-other-keys) + (setf (test-csrf-context-token obj) key)) + +(defmethod io.github.cl-sdk.wst.session.csrf:remove-session-csrf-token ((obj test-csrf-context) &key &allow-other-keys) + (setf (test-csrf-context-token obj) nil)) + +(defmethod io.github.cl-sdk.wst.session.csrf:verify-session-csrf-token ((obj test-csrf-context) key &key &allow-other-keys) + (let ((stored (test-csrf-context-token obj))) + (and stored key (string= stored key)))) + +(5am:def-test session-csrf-token-lifecycle () + (let ((context (make-instance 'test-csrf-context))) + (5am:is-false (io.github.cl-sdk.wst.session.csrf:session-csrf-token context)) + (5am:is-false (io.github.cl-sdk.wst.session.csrf:verify-session-csrf-token context "csrf-1")) + + (5am:is (string= "csrf-1" + (io.github.cl-sdk.wst.session.csrf:add-session-csrf-token context "csrf-1"))) + (5am:is (string= "csrf-1" + (io.github.cl-sdk.wst.session.csrf:session-csrf-token context))) + (5am:is-true (io.github.cl-sdk.wst.session.csrf:verify-session-csrf-token context "csrf-1")) + (5am:is-false (io.github.cl-sdk.wst.session.csrf:verify-session-csrf-token context "csrf-2")) + + (5am:is-false (io.github.cl-sdk.wst.session.csrf:remove-session-csrf-token context)) + (5am:is-false (io.github.cl-sdk.wst.session.csrf:session-csrf-token context)) + (5am:is-false (io.github.cl-sdk.wst.session.csrf:verify-session-csrf-token context "csrf-1")))) + +(5am:def-test session-csrf-token-can-be-replaced () + (let ((context (make-instance 'test-csrf-context))) + (io.github.cl-sdk.wst.session.csrf:add-session-csrf-token context "csrf-old") + (5am:is-true (io.github.cl-sdk.wst.session.csrf:verify-session-csrf-token context "csrf-old")) + + (io.github.cl-sdk.wst.session.csrf:add-session-csrf-token context "csrf-new") + (5am:is-false (io.github.cl-sdk.wst.session.csrf:verify-session-csrf-token context "csrf-old")) + (5am:is-true (io.github.cl-sdk.wst.session.csrf:verify-session-csrf-token context "csrf-new")))) From f18d4b2e4fa52b9337198c323edc8bdc00ccece5 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 29 May 2026 14:04:11 +0000 Subject: [PATCH 2/2] Use dedicated package for CSRF tests --- t/session-csrf-tests.lisp | 45 +++++++++++++++++++++------------------ 1 file changed, 24 insertions(+), 21 deletions(-) diff --git a/t/session-csrf-tests.lisp b/t/session-csrf-tests.lisp index 9a217df..49c54c7 100644 --- a/t/session-csrf-tests.lisp +++ b/t/session-csrf-tests.lisp @@ -1,48 +1,51 @@ -(in-package :io.github.cl-sdk.wst.test) +(defpackage #:io.github.cl-sdk.wst.session.csrf.test + (:use #:cl #:fiveam #:io.github.cl-sdk.wst.session.csrf)) -(5am:def-suite wst.session-csrf.suite +(in-package #:io.github.cl-sdk.wst.session.csrf.test) + +(def-suite session-csrf-suite :description "Tests for the wst.session.csrf package.") -(5am:in-suite wst.session-csrf.suite) +(in-suite session-csrf-suite) (defclass test-csrf-context () ((csrf-token :initform nil :accessor test-csrf-context-token))) -(defmethod io.github.cl-sdk.wst.session.csrf:session-csrf-token ((obj test-csrf-context) &key &allow-other-keys) +(defmethod session-csrf-token ((obj test-csrf-context) &key &allow-other-keys) (test-csrf-context-token obj)) -(defmethod io.github.cl-sdk.wst.session.csrf:add-session-csrf-token ((obj test-csrf-context) key &key &allow-other-keys) +(defmethod add-session-csrf-token ((obj test-csrf-context) key &key &allow-other-keys) (setf (test-csrf-context-token obj) key)) -(defmethod io.github.cl-sdk.wst.session.csrf:remove-session-csrf-token ((obj test-csrf-context) &key &allow-other-keys) +(defmethod remove-session-csrf-token ((obj test-csrf-context) &key &allow-other-keys) (setf (test-csrf-context-token obj) nil)) -(defmethod io.github.cl-sdk.wst.session.csrf:verify-session-csrf-token ((obj test-csrf-context) key &key &allow-other-keys) +(defmethod verify-session-csrf-token ((obj test-csrf-context) key &key &allow-other-keys) (let ((stored (test-csrf-context-token obj))) (and stored key (string= stored key)))) (5am:def-test session-csrf-token-lifecycle () (let ((context (make-instance 'test-csrf-context))) - (5am:is-false (io.github.cl-sdk.wst.session.csrf:session-csrf-token context)) - (5am:is-false (io.github.cl-sdk.wst.session.csrf:verify-session-csrf-token context "csrf-1")) + (5am:is-false (session-csrf-token context)) + (5am:is-false (verify-session-csrf-token context "csrf-1")) (5am:is (string= "csrf-1" - (io.github.cl-sdk.wst.session.csrf:add-session-csrf-token context "csrf-1"))) + (add-session-csrf-token context "csrf-1"))) (5am:is (string= "csrf-1" - (io.github.cl-sdk.wst.session.csrf:session-csrf-token context))) - (5am:is-true (io.github.cl-sdk.wst.session.csrf:verify-session-csrf-token context "csrf-1")) - (5am:is-false (io.github.cl-sdk.wst.session.csrf:verify-session-csrf-token context "csrf-2")) + (session-csrf-token context))) + (5am:is-true (verify-session-csrf-token context "csrf-1")) + (5am:is-false (verify-session-csrf-token context "csrf-2")) - (5am:is-false (io.github.cl-sdk.wst.session.csrf:remove-session-csrf-token context)) - (5am:is-false (io.github.cl-sdk.wst.session.csrf:session-csrf-token context)) - (5am:is-false (io.github.cl-sdk.wst.session.csrf:verify-session-csrf-token context "csrf-1")))) + (5am:is-false (remove-session-csrf-token context)) + (5am:is-false (session-csrf-token context)) + (5am:is-false (verify-session-csrf-token context "csrf-1")))) (5am:def-test session-csrf-token-can-be-replaced () (let ((context (make-instance 'test-csrf-context))) - (io.github.cl-sdk.wst.session.csrf:add-session-csrf-token context "csrf-old") - (5am:is-true (io.github.cl-sdk.wst.session.csrf:verify-session-csrf-token context "csrf-old")) + (add-session-csrf-token context "csrf-old") + (5am:is-true (verify-session-csrf-token context "csrf-old")) - (io.github.cl-sdk.wst.session.csrf:add-session-csrf-token context "csrf-new") - (5am:is-false (io.github.cl-sdk.wst.session.csrf:verify-session-csrf-token context "csrf-old")) - (5am:is-true (io.github.cl-sdk.wst.session.csrf:verify-session-csrf-token context "csrf-new")))) + (add-session-csrf-token context "csrf-new") + (5am:is-false (verify-session-csrf-token context "csrf-old")) + (5am:is-true (verify-session-csrf-token context "csrf-new"))))