Skip to content

🧹 chore: Improve CSRF tests coverage #3531

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jun 20, 2025
Merged

Conversation

gaby
Copy link
Member

@gaby gaby commented Jun 20, 2025

Summary

  • add regression tests covering CSRF config cookie SameSite warnings
  • ensure deleteTokenFromStorage handles session and storage branches

@Copilot Copilot AI review requested due to automatic review settings June 20, 2025 03:02
@gaby gaby added the codex label Jun 20, 2025 — with ChatGPT Connector
@gaby gaby requested a review from a team as a code owner June 20, 2025 03:02
@gaby gaby added the codex label Jun 20, 2025
Copy link
Contributor

coderabbitai bot commented Jun 20, 2025

Walkthrough

Two new test functions were added to the CSRF middleware test suite. One checks for a warning log when using an insecure cookie configuration, and the other verifies correct deletion of CSRF tokens from both session and generic storage backends. No existing code or tests were modified.

Changes

File(s) Change Summary
middleware/csrf/csrf_test.go Added tests for cookie SameSite warning logging and token deletion from session/storage.

Sequence Diagram(s)

Loading
sequenceDiagram
    participant Test as Test Function
    participant Config as CSRF Config
    participant Logger as Logger

    Test->>Config: Create config with CookieSameSite=None
    Config->>Logger: Emit warning if extractor is cookie and SameSite=None
    Logger-->>Test: Log output captured and checked
sequenceDiagram
    participant Test as Test Function
    participant Storage as Session/Generic Storage

    Test->>Storage: Set dummy CSRF token
    Test->>Storage: Call deleteTokenFromStorage
    Storage-->>Test: Token is deleted (not retrievable)

Possibly related PRs

Suggested labels

🧹 Updates, v3

Suggested reviewers

  • sixcolors
  • efectn
  • ReneWerner87

Poem

A bunny in code-land, so clever and neat,
Adds tests for CSRF—now coverage’s complete!
With warnings for cookies and tokens erased,
The middleware’s safer, the logic well-placed.
🐇 Hopping through test-land, with logs in its sight,
Every bug chased away—oh what a delight!


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3b2af61 and c385b2e.

📒 Files selected for processing (1)
  • middleware/csrf/csrf_test.go (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (8)
  • GitHub Check: Analyse
  • GitHub Check: lint
  • GitHub Check: Compare
  • GitHub Check: unit (1.24.x, macos-13)
  • GitHub Check: unit (1.24.x, macos-latest)
  • GitHub Check: unit (1.24.x, windows-latest)
  • GitHub Check: repeated
  • GitHub Check: unit (1.24.x, ubuntu-latest)
🔇 Additional comments (3)
middleware/csrf/csrf_test.go (3)

4-4: LGTM! Import additions are appropriate.

The new imports (bytes, os, and log) are necessary for the new test functionality that captures and verifies log output.

Also applies to: 7-7, 13-13


1601-1613: Excellent test implementation for CSRF cookie warning.

The test properly captures log output to verify the warning message is emitted when using SameSite=None with cookie extraction. Good use of cleanup to restore stderr and clear assertions.


1615-1639: Comprehensive test coverage for token deletion functionality.

The test effectively covers both storage scenarios (session store and generic storage) with proper setup, execution, and verification. Good use of parallel testing and proper resource cleanup.

✨ Finishing Touches
  • 📝 Generate Docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Explain this complex logic.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds regression tests to ensure that the CSRF middleware correctly warns when an unsupported cookie SameSite value is used and that token deletion works across both session and storage branches.

  • Added a test (Test_configDefault_WarnCookieSameSite) to verify that a warning is logged when using CookieSameSite "None".
  • Added a test (Test_deleteTokenFromStorage) that confirms token deletion functionality for both session and storage implementations.

Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary of Changes

Hello @gaby, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on enhancing the test coverage for the CSRF middleware. It introduces new regression tests that validate critical aspects of CSRF token management, specifically ensuring that appropriate warnings are issued for potentially insecure cookie configurations and confirming the robust functionality of token deletion across various storage types.

Highlights

  • CSRF Cookie SameSite Warning Test: I've added a new test case (Test_configDefault_WarnCookieSameSite) to ensure that a warning is logged when the CSRF cookie's SameSite attribute is set to 'None' while the KeyLookup is configured to use a cookie. This configuration is generally not recommended for security, and the test verifies that the system correctly alerts developers to this potential issue.
  • CSRF Token Deletion Test: I've implemented a new test (Test_deleteTokenFromStorage) to verify the correct behavior of the deleteTokenFromStorage function. This test ensures that the function properly handles CSRF token deletion from both session-based and general storage mechanisms, covering different scenarios for token invalidation.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in issue comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gaby gaby changed the title Add tests for CSRF cookie warning and token deletion 🧹 chore: Improve CSRF tests coverage Jun 20, 2025
@gaby gaby added this to v3 Jun 20, 2025
@gaby gaby added this to the v3 milestone Jun 20, 2025
@gaby gaby moved this to In Progress in v3 Jun 20, 2025
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

The pull request adds two valuable regression tests for the CSRF middleware. Test_configDefault_WarnCookieSameSite correctly verifies the logging of warnings for specific cookie configurations. Test_deleteTokenFromStorage thoroughly checks token deletion logic for both session-based and direct storage mechanisms. The tests are well-written, clear, and effectively cover the intended scenarios. No issues of medium or higher severity were found.

Copy link

codecov bot commented Jun 20, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 90.47%. Comparing base (3b2af61) to head (c385b2e).
Report is 3 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3531      +/-   ##
==========================================
+ Coverage   90.40%   90.47%   +0.07%     
==========================================
  Files         110      110              
  Lines       10939    10939              
==========================================
+ Hits         9889     9897       +8     
+ Misses        791      781      -10     
- Partials      259      261       +2     
Flag Coverage Δ
unittests 90.47% <ø> (+0.07%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Copy link
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.50.

Benchmark suite Current: c385b2e Previous: 3b2af61 Ratio
Benchmark_Ctx_SendString_B 16.87 ns/op 0 B/op 0 allocs/op 9.364 ns/op 0 B/op 0 allocs/op 1.80
Benchmark_Ctx_SendString_B - ns/op 16.87 ns/op 9.364 ns/op 1.80

This comment was automatically generated by workflow using github-action-benchmark.

@ReneWerner87 ReneWerner87 merged commit e1a7c11 into main Jun 20, 2025
14 of 15 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in v3 Jun 20, 2025
@gaby gaby deleted the codex/2025-06-20-03-01-58 branch June 20, 2025 11:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

2 participants