galaxy-game/backend/internal/adminconsole/csrf_test.go

package adminconsole

import "testing"

func TestCSRFTokenRoundTrip(t *testing.T) {
	signer := NewCSRF([]byte("shared-secret"))
	token := signer.Token("alice")

	if !signer.Verify("alice", token) {
		t.Fatal("valid token rejected")
	}
	if signer.Verify("bob", token) {
		t.Fatal("token accepted for a different operator")
	}
	if signer.Verify("alice", "") {
		t.Fatal("empty token accepted")
	}
	if signer.Verify("alice", token+"x") {
		t.Fatal("tampered token accepted")
	}
}

func TestCSRFKeySeparation(t *testing.T) {
	a := NewCSRF([]byte("key-a"))
	b := NewCSRF([]byte("key-b"))
	if a.Token("operator") == b.Token("operator") {
		t.Fatal("tokens collide across distinct keys")
	}
	if b.Verify("operator", a.Token("operator")) {
		t.Fatal("token minted under one key verified under another")
	}
}

func TestRandomCSRFRoundTrip(t *testing.T) {
	signer, err := NewRandomCSRF()
	if err != nil {
		t.Fatalf("NewRandomCSRF: %v", err)
	}
	if !signer.Verify("operator", signer.Token("operator")) {
		t.Fatal("random-key token failed to round-trip")
	}
}