Add test coverage for csrf.py

[bandhan-majumder]

Resolves #1563

This a child pr which covers the coverage of csrf.py which is a part of the parent backend coverage issue.

[coderabbitai]

Summary by CodeRabbit

• Tests
  • Added comprehensive unit tests for the CSRF token endpoint, ensuring correct response structure, token generation, and handling of various session scenarios.
    """

Summary by CodeRabbit

• Tests
  • Added comprehensive unit tests for the CSRF token endpoint to verify correct response structure, token generation, and handling of session scenarios.

Walkthrough

A new test module csrf_test.py has been added, containing a suite of pytest-based tests for the get_csrf_token view in the Django backend. The tests use Django's RequestFactory to simulate requests and validate the CSRF token endpoint's response structure, content, and behavior under various session scenarios.

Changes

Files	Change Summary
backend/tests/apps/core/api/csrf_test.py	Added new pytest-based test class TestGetCSRFTokenView with multiple tests for get_csrf_token view.

Assessment against linked issues

Objective	Addressed	Explanation
Add/expand unit tests for apps/core/api/csrf.py to achieve 100% backend test coverage (#1563)	✅

Assessment against linked issues: Out-of-scope changes

No out-of-scope changes were found.
"""

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (6)

backend/tests/apps/core/api/csrf_test.py (6)

1-6: Remove unused import and consider import organization.

The get_token import from django.middleware.csrf is unused according to static analysis and should be removed to keep the imports clean.

-from django.middleware.csrf import get_token

🧰 Tools

🪛 Ruff (0.11.9)

4-4: django.middleware.csrf.get_token imported but unused

Remove unused import: django.middleware.csrf.get_token

(F401)

---

11-14: Simplify fixture implementation.

Since there's no teardown logic needed, you can use return instead of yield for better clarity.

 @pytest.fixture(autouse=True)
 def setup_client(self):
     self.factory = RequestFactory()
-    yield
+    return

🧰 Tools

🪛 Ruff (0.11.9)

14-14: No teardown in fixture setup_client, use return instead of yield

Replace yield with return

(PT022)

---

16-25: Good helper method with minor refactoring opportunity.

The helper method logic is sound, but the conditional can be simplified for better readability.

 def _make_request_with_session(self, path="/", method="get"):
-    if method.lower() == "post":
-        request = self.factory.post(path)
-    else:
-        request = self.factory.get(path)
+    request = self.factory.post(path) if method.lower() == "post" else self.factory.get(path)
     
     request.session = SessionStore()
     request.session.create()
     
     return request

🧰 Tools

🪛 Ruff (0.11.9)

17-20: Use ternary operator request = self.factory.post(path) if method.lower() == "post" else self.factory.get(path) instead of if-else-block

Replace if-else-block with request = self.factory.post(path) if method.lower() == "post" else self.factory.get(path)

(SIM108)

---

21-21: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

24-24: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

27-34: Consider using constants for magic values.

The helper method is well-structured, but consider using constants for HTTP status codes to improve maintainability.

+from http import HTTPStatus
+
 def _assert_valid_csrf_response(self, response):
-    assert response.status_code == 200
+    assert response.status_code == HTTPStatus.OK
     assert response["Content-Type"] == "application/json"
     
     data = json.loads(response.content)
     assert "csrftoken" in data
     assert isinstance(data["csrftoken"], str)
     assert len(data["csrftoken"]) > 0

🧰 Tools

🪛 Ruff (0.11.9)

28-28: Magic value used in comparison, consider replacing 200 with a constant variable

(PLR2004)

---

30-30: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

67-76: Consider using a constant for token length validation.

The test logic is sound, but the magic number for token length could be extracted to a constant.

+MIN_CSRF_TOKEN_LENGTH = 10
+
 def test_get_csrf_token_response_structure(self):
     request = self._make_request_with_session()
     response = get_csrf_token(request)
     
     assert response["Content-Type"] == "application/json"
     
     data = json.loads(response.content)
     assert isinstance(data, dict)
     assert "csrftoken" in data
-    assert len(data["csrftoken"]) > 10  # CSRF tokens length is typically more than 10 characters
+    assert len(data["csrftoken"]) > MIN_CSRF_TOKEN_LENGTH  # CSRF tokens length is typically more than 10 characters

🧰 Tools

🪛 Ruff (0.11.9)

70-70: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

72-72: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

76-76: Magic value used in comparison, consider replacing 10 with a constant variable

(PLR2004)

---

76-76: Line too long (101 > 99)

(E501)

---

1-96: Consider adding more test scenarios.

The current test suite is comprehensive, but consider adding these additional scenarios to further improve coverage:

1. Test with POST requests using the existing helper method
2. Test behavior when the view is called multiple times with the same session
3. Test error handling scenarios if applicable

def test_get_csrf_token_post_request(self):
    """Test CSRF token endpoint with POST request."""
    request = self._make_request_with_session(method="post")
    response = get_csrf_token(request)
    self._assert_valid_csrf_response(response)

def test_get_csrf_token_same_session_consistency(self):
    """Test that the same session returns the same token."""
    request = self._make_request_with_session()
    response1 = get_csrf_token(request)
    response2 = get_csrf_token(request)
    
    data1 = json.loads(response1.content)
    data2 = json.loads(response2.content)
    
    # Same session should return the same token
    assert data1["csrftoken"] == data2["csrftoken"]

🧰 Tools

🪛 Ruff (0.11.9)

4-4: django.middleware.csrf.get_token imported but unused

Remove unused import: django.middleware.csrf.get_token

(F401)

---

14-14: No teardown in fixture setup_client, use return instead of yield

Replace yield with return

(PT022)

---

15-15: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

17-20: Use ternary operator request = self.factory.post(path) if method.lower() == "post" else self.factory.get(path) instead of if-else-block

Replace if-else-block with request = self.factory.post(path) if method.lower() == "post" else self.factory.get(path)

(SIM108)

---

21-21: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

24-24: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

26-26: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

28-28: Magic value used in comparison, consider replacing 200 with a constant variable

(PLR2004)

---

30-30: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

35-35: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

39-39: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

41-41: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

45-45: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

50-50: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

54-54: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

57-57: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

60-60: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

63-63: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

66-66: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

70-70: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

72-72: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

76-76: Magic value used in comparison, consider replacing 10 with a constant variable

(PLR2004)

---

76-76: Line too long (101 > 99)

(E501)

---

77-77: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

80-80: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

83-83: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

87-87: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

88-88: Single quotes found but double quotes preferred

Replace single quotes with double quotes

(Q000)

---

90-90: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

93-93: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

96-96: No newline at end of file

Add trailing newline

(W292)

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 085ee62 and 73dbfeb.

📒 Files selected for processing (1)

• backend/tests/apps/core/api/csrf_test.py (1 hunks)

🧰 Additional context used

🪛 Ruff (0.11.9)

backend/tests/apps/core/api/csrf_test.py

4-4: django.middleware.csrf.get_token imported but unused

Remove unused import: django.middleware.csrf.get_token

(F401)

---

14-14: No teardown in fixture setup_client, use return instead of yield

Replace yield with return

(PT022)

---

15-15: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

17-20: Use ternary operator request = self.factory.post(path) if method.lower() == "post" else self.factory.get(path) instead of if-else-block

Replace if-else-block with request = self.factory.post(path) if method.lower() == "post" else self.factory.get(path)

(SIM108)

---

21-21: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

24-24: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

26-26: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

28-28: Magic value used in comparison, consider replacing 200 with a constant variable

(PLR2004)

---

30-30: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

35-35: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

39-39: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

41-41: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

45-45: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

50-50: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

54-54: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

57-57: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

60-60: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

63-63: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

66-66: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

70-70: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

72-72: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

76-76: Magic value used in comparison, consider replacing 10 with a constant variable

(PLR2004)

---

76-76: Line too long (101 > 99)

(E501)

---

77-77: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

80-80: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

83-83: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

87-87: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

88-88: Single quotes found but double quotes preferred

Replace single quotes with double quotes

(Q000)

---

90-90: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

93-93: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

96-96: No newline at end of file

Add trailing newline

(W292)

🔇 Additional comments (5)

backend/tests/apps/core/api/csrf_test.py (5)

36-40: Basic functionality test looks good.

This test correctly validates the core functionality of the CSRF token endpoint.

🧰 Tools

🪛 Ruff (0.11.9)

39-39: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

42-49: JSON structure validation is comprehensive.

Good test for ensuring the response contains only the expected key and proper JSON structure.

🧰 Tools

🪛 Ruff (0.11.9)

45-45: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

51-65: Excellent test for token uniqueness.

This test properly validates that different sessions generate different CSRF tokens, which is crucial for security.

🧰 Tools

🪛 Ruff (0.11.9)

54-54: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

57-57: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

60-60: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

63-63: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

78-82: Important edge case coverage.

Testing the behavior without a session is crucial for ensuring the endpoint handles edge cases properly.

🧰 Tools

🪛 Ruff (0.11.9)

80-80: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

84-96: Thorough response format validation.

This test provides comprehensive validation of the JSON response structure and content.

🧰 Tools

🪛 Ruff (0.11.9)

87-87: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

88-88: Single quotes found but double quotes preferred

Replace single quotes with double quotes

(Q000)

---

90-90: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

93-93: Blank line contains whitespace

Remove whitespace from blank line

(W293)

---

96-96: No newline at end of file

Add trailing newline

(W292)

[arkid15r]

LGTM

Please start running make check locally

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

backend/tests/apps/core/api/csrf_test.py (2)

16-22: Simplify the helper method parameters.

The method parameter suggests handling different HTTP methods, but all tests only use GET requests. Consider simplifying this method since the method branching isn't effectively utilized.

-    def _make_request_with_session(self, path="/", method="get"):
-        request = self.factory.post(path) if method.lower() == "post" else self.factory.get(path)
+    def _make_request_with_session(self, path="/"):
+        request = self.factory.get(path)

---

39-47: Consider consolidating duplicate test logic.

Multiple test methods (test_get_csrf_token_returns_json, test_get_csrf_token_response_structure, and test_get_csrf_token_json_response_format) perform very similar validations. Consider consolidating these into fewer, more focused tests to reduce duplication while maintaining coverage.

For example, merge the JSON response format validation into the main success test:

    def test_get_csrf_token_success(self):
        request = self._make_request_with_session()
        response = get_csrf_token(request)

        self._assert_valid_csrf_response(response)
+        
+        # Validate JSON structure
+        data = json.loads(response.content)
+        assert list(data.keys()) == ["csrftoken"]
+        assert len(data) == 1  # Should only contain csrftoken key

Also applies to: 64-74, 81-93

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 73dbfeb and c59d0c7.

📒 Files selected for processing (1)

• backend/tests/apps/core/api/csrf_test.py (1 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (1)

backend/tests/apps/core/api/csrf_test.py (1)

backend/apps/core/api/csrf.py (1)

• get_csrf_token (11-13)

🪛 Pylint (3.3.7)

backend/tests/apps/core/api/csrf_test.py

[error] 25-25: Instance of 'LookupDict' has no 'ok' member

(E1101)

⏰ Context from checks skipped due to timeout of 90000ms (2)

• GitHub Check: CodeQL (python)
• GitHub Check: CodeQL (javascript-typescript)

🔇 Additional comments (1)

backend/tests/apps/core/api/csrf_test.py (1)

11-93: Excellent test coverage for CSRF token functionality.

The test suite provides comprehensive coverage of the get_csrf_token view with good separation of concerns:

• ✅ Basic functionality validation
• ✅ Response format verification
• ✅ Token uniqueness across sessions
• ✅ Handling requests without sessions
• ✅ Proper use of Django testing utilities

The tests effectively validate all aspects of the CSRF token endpoint's behavior and will help ensure reliability of this security-critical functionality.

🧰 Tools

🪛 Pylint (3.3.7)

[error] 25-25: Instance of 'LookupDict' has no 'ok' member

(E1101)