From 97ede2ceb9d1cbd263f9bce2d3971ad74c260d56 Mon Sep 17 00:00:00 2001
From: Martin Porwoll
Date: Mon, 15 Dec 2025 13:36:16 +0000
Subject: [PATCH] fix(ci): add BYPASS_CSRF control for security tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- CSRF bypass in CI can be disabled with BYPASS_CSRF=false
- Security integration tests set BYPASS_CSRF=false to test CSRF validation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5
---
 src/lib/security/csrf.ts | 3 ++-
 tests/int/security-api.int.spec.ts | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/lib/security/csrf.ts b/src/lib/security/csrf.ts
index 5818b78..1694a23 100644
--- a/src/lib/security/csrf.ts
+++ b/src/lib/security/csrf.ts
@@ -120,7 +120,8 @@ export function validateCsrf(req: NextRequest): {
 } {
 // 0. CI/Test-Modus: CSRF-Schutz deaktivieren wenn CI=true
 // Dies gilt für GitHub Actions E2E-Tests, wo CSRF-Token-Handling nicht praktikabel ist
- if (process.env.CI === 'true') {
+ // BYPASS_CSRF='false' kann gesetzt werden um CSRF in CI zu aktivieren (für Security-Tests)
+ if (process.env.CI === 'true' && process.env.BYPASS_CSRF !== 'false') {
 return { valid: true }
 }
 
diff --git a/tests/int/security-api.int.spec.ts b/tests/int/security-api.int.spec.ts
index f9af58b..46e47c1 100644
--- a/tests/int/security-api.int.spec.ts
+++ b/tests/int/security-api.int.spec.ts
@@ -8,8 +8,8 @@ import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest'
 import { NextRequest, NextResponse } from 'next/server'
 
-// Clear CI environment variable to ensure CSRF validation works normally during tests
-vi.stubEnv('CI', '')
+// Enable CSRF validation in CI by setting BYPASS_CSRF=false
+vi.stubEnv('BYPASS_CSRF', 'false')
 
 import {
 generateTestCsrfToken,
 generateExpiredCsrfToken,
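Review bot: The new condition on the added `if` line in csrf.ts keeps the CSRF bypass on by default wherever CI='true' and only turns it off for the exact string 'false', so the gate fails open; values such as `0`, `no` or an unset variable still disable validation. An explicit opt-in is the safer shape, `if (process.env.CI === 'true' && process.env.BYPASS_CSRF === 'true') {`, with the E2E workflow setting BYPASS_CSRF=true (that workflow is outside this patch, so this is a follow-up rather than a one-file change). The bypass branch is also silent; a single `console.warn('CSRF validation bypassed because CI=true')` before `return { valid: true }` would make its activation visible in CI logs and in any environment that happens to export CI=true. validateCsrf's remaining checks continue outside the hunk.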
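Review bot: The `vi.stubEnv('BYPASS_CSRF', 'false')` line in the spec only changes behaviour when CI is actually 'true'; outside CI the suite takes the ordinary non-CI path, so the opt-out string itself is never exercised there and nothing in the hunk asserts that the bypass is inactive. A small explicit case would pin it: stub `CI` to 'true' and `BYPASS_CSRF` to 'false', call validateCsrf on a request without a token, and expect `valid` to be false, so a later change to the condition in csrf.ts is caught. The replaced comment no longer says why CI itself is left alone; `// CI is left untouched; only the CSRF bypass is disabled via BYPASS_CSRF=false` would record the intent. Whether the stub is restored in the imported afterEach hook is outside the hunk.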