feat: Implement CSRF protection and basic form validation, streamline form data, and add comprehensive unit and E2E tests.

2026-03-25 09:10:34 +01:00 · 2026-03-25 09:10:34 +01:00 · 197ae8d75b
commit 197ae8d75b
parent 4c435f8e17
4 changed files with 120 additions and 19 deletions
--- a/tests/test_app.py
+++ b/tests/test_app.py
@ -0,0 +1,45 @@
+import pytest
+from app import app
+from unittest.mock import patch
+
+@pytest.fixture
+def client():
+    app.config['TESTING'] = True
+    with app.test_client() as client:
+        with client.session_transaction() as sess:
+            sess['_csrf_token'] = 'test-token'
+        yield client
+
+def test_home_page(client):
+    response = client.get('/')
+    assert response.status_code == 200
+    assert b"Zomeravond" in response.data or b"Papklokken" in response.data
+
+@patch('app.get_google_sheet')
+def test_post_missing_fields(mock_get_sheet, client):
+    response = client.post('/zomeravond', data={'_csrf_token': 'test-token'})
+    assert b"Oeps! Bepaalde verplichte velden ontbreken" in response.data
+    mock_get_sheet.return_value.append_row.assert_not_called()
+
+@patch('app.get_google_sheet')
+@patch('app.get_public_participants')
+def test_post_success(mock_participants, mock_get_sheet, client):
+    mock_participants.return_value = []
+    
+    data = {
+        '_csrf_token': 'test-token',
+        'klasse': 'Kajuitklasse',
+        'zeilnummer': '123',
+        'bootnaam': 'TestBoat',
+        'naam': 'Test Name',
+        'telefoonmobiel': '0612345678',
+        'email': 'test@example.com'
+    }
+    
+    response = client.post('/zomeravond', data=data)
+    assert response.status_code == 302
+    assert '/zomeravond/success' in response.headers.get('Location', '')
+    
+    # In full testing, append_row is called unless TESTING_NO_APPEND is set.
+    # But since it's mocked, we can check it.
+    assert mock_get_sheet.return_value.append_row.called
--- a/tests/test_e2e.py
+++ b/tests/test_e2e.py
@ -0,0 +1,29 @@
+import os
+import re
+import pytest
+from playwright.sync_api import Page, expect
+
+def test_homepage_has_title(page: Page):
+    page.goto("http://localhost:5000/")
+    expect(page).to_have_title(re.compile("Zeilwedstrijden"))
+
+def test_submission_flow(page: Page):
+    page.goto("http://localhost:5000/zomeravond")
+    
+    # Fill required fields
+    page.select_option("select[name='klasse']", label="Kajuitklasse")
+    page.fill("input[name='zeilnummer']", "42")
+    page.fill("input[name='bootnaam']", "Vliegende Hollander")
+    page.fill("input[name='naam']", "Hendrik Test")
+    page.fill("input[name='telefoonmobiel']", "0612345678")
+    page.fill("input[name='email']", "hendrik@example.com")
+    
+    # Accept terms
+    page.check("input#terms")
+    
+    # Submit
+    page.click("button[type='submit']")
+    
+    # Expect success redirect
+    expect(page).to_have_url(re.compile(r".*/zomeravond/success"))
+    expect(page.locator("h1")).to_have_text("Bedankt!")