GH-22: Add tests for csrf workflow

Author: ArtyomVancyan

tests/test_oauth2.py

@@ -1,4 +1,6 @@
+from urllib.parse import parse_qs
 from urllib.parse import urlencode
+from urllib.parse import urlparse
 
 import pytest
 from httpx import AsyncClient
@@ -14,7 +16,11 @@ async def oauth2_workflow(get_app, idp=False, ssr=True, authorize_query="", toke
         response = await client.get("/oauth2/test/authorize" + authorize_query)  # Get authorization endpoint
         authorization_endpoint = response.headers.get("location") if ssr else response.json().get("url")
         response = await client.get(authorization_endpoint)  # Authorize
-        response = await client.get(response.headers.get("location") + token_query)  # Obtain token
+        token_url = response.headers.get("location")
+        query = {k: v[0] for k, v in parse_qs(urlparse(token_url).query).items()}
+        query.update({k: v[0] for k, v in parse_qs(token_query).items()})
+        token_url = "%s?%s" % (token_url.split("?")[0], urlencode(query))
+        response = await client.get(token_url)  # Obtain token
 
         response = await client.get("/user", headers=dict(
             Authorization=jwt_encode(response.json(), "")  # Set token
@@ -43,3 +49,16 @@ async def test_oauth2_pkce_workflow(get_app):
         tq = "&" + urlencode(dict(code_verifier=code_verifier))
         await oauth2_workflow(get_app, idp=True, authorize_query=aq, token_query=tq)
         await oauth2_workflow(get_app, idp=True, ssr=False, authorize_query=aq, token_query=tq, use_header=True)
+
+
+@pytest.mark.anyio
+async def test_oauth2_csrf_workflow(get_app):
+    for aq, tq in [
+        ("?state=test_state", "&state=test_state"),
+        ("?state=test_state", "&state=test_wrong_state")
+    ]:
+        try:
+            await oauth2_workflow(get_app, idp=True, authorize_query=aq, token_query=tq)
+            await oauth2_workflow(get_app, idp=True, ssr=False, authorize_query=aq, token_query=tq, use_header=True)
+        except AssertionError:
+            assert aq != tq