using System.Net;
using System.Net.Http.Json;
using System.Text.Json;
using GameList.Tests.Support;
namespace GameList.Tests;
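/// <summary>
/// Integration tests for the request-pipeline middleware: the stale-cookie sign-out
/// behaviour and the Origin-based CSRF check on authenticated mutating requests.
/// </summary>
public class MiddlewareTests
{
    [Fact]
    public async Task Deleted_player_cookie_is_signed_out()
    {
        await using var factory = new TestWebApplicationFactory();
        var client = factory.CreateClientWithCookies();
        var register = await client.RegisterAsync("ghost");
        register.EnsureSuccessStatusCode();
        var playerId = await client.GetProfileIdAsync();

        // Remove the player row behind the still-valid auth cookie, so the next request
        // presents a cookie for a principal that no longer exists.
        await factory.WithDbContextAsync(async db =>
        {
            var player = await db.Players.FindAsync(playerId)
                ?? throw new InvalidOperationException($"Player {playerId} was not persisted by registration.");
            db.Players.Remove(player);
            await db.SaveChangesAsync();
        });

        var resp = await client.GetAsync("/api/state");

        Assert.Equal(HttpStatusCode.Unauthorized, resp.StatusCode);
        // The middleware must actively sign the stale cookie out, not merely reject the request.
        // NOTE(review): this only proves that some Set-Cookie header was emitted; once the auth
        // cookie's name is known here, also assert that its value is cleared/expired.
        Assert.Contains(resp.Headers, h => h.Key.Equals("Set-Cookie", StringComparison.OrdinalIgnoreCase));
    }

    [Fact]
    public async Task Existing_player_passes_through_middleware()
    {
        await using var factory = new TestWebApplicationFactory();
        var client = factory.CreateClientWithCookies();
        var register = await client.RegisterAsync("live");
        register.EnsureSuccessStatusCode();

        var resp = await client.GetAsync("/api/state");

        Assert.Equal(HttpStatusCode.OK, resp.StatusCode);
    }

    [Fact]
    public async Task Mutating_authenticated_request_without_origin_is_rejected()
    {
        await using var factory = new TestWebApplicationFactory();
        var client = await StartAuthenticatedSessionWithoutOriginAsync(factory, "csrfm");

        var response = await PostFinalizeAsync(client);

        await AssertCsrfRejectedAsync(response);
    }

    [Fact]
    public async Task Mutating_authenticated_request_with_cross_origin_is_rejected()
    {
        await using var factory = new TestWebApplicationFactory();
        var client = await StartAuthenticatedSessionWithoutOriginAsync(factory, "csrfx");
        // TryAddWithoutValidation sends the foreign origin exactly as written, bypassing header validation.
        client.DefaultRequestHeaders.TryAddWithoutValidation("Origin", "https://evil.example");

        var response = await PostFinalizeAsync(client);

        await AssertCsrfRejectedAsync(response);
    }

    /// <summary>
    /// Registers <paramref name="name"/>, seeds a suggestion, advances the player's phase and
    /// strips the Origin header, leaving a cookie-authenticated client whose next mutating
    /// request carries no origin information.
    /// </summary>
    /// <param name="factory">Owns the test server; disposed by the calling test.</param>
    /// <param name="name">Player name to register.</param>
    /// <returns>The prepared client.</returns>
    private static async Task<HttpClient> StartAuthenticatedSessionWithoutOriginAsync(
        TestWebApplicationFactory factory, string name)
    {
        var client = factory.CreateClientWithCookies();
        var register = await client.RegisterAsync(name);
        register.EnsureSuccessStatusCode();

        // Seed state ahead of the finalize call. These responses are not asserted: the CSRF
        // rejection under test is expected to happen before any game state is consulted — TODO confirm.
        await client.CreateSuggestionAsync("Seed");
        await client.PostAsJsonAsync("/api/me/phase/next", new { });

        // presumably the cookie client sends a same-origin Origin header by default — TODO confirm
        client.DefaultRequestHeaders.Remove("Origin");
        return client;
    }

    /// <summary>Issues the authenticated mutating request the CSRF tests exercise.</summary>
    private static Task<HttpResponseMessage> PostFinalizeAsync(HttpClient client)
        => client.PostAsJsonAsync("/api/votes/finalize", new { Final = true });

    /// <summary>
    /// Asserts that <paramref name="response"/> is the CSRF rejection: 400 with the
    /// "CSRF validation failed." error body.
    /// </summary>
    private static async Task AssertCsrfRejectedAsync(HttpResponseMessage response)
    {
        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
        var body = await response.Content.ReadFromJsonAsync<JsonElement>();
        Assert.Equal("CSRF validation failed.", body.GetProperty("error").GetString());
    }
}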