fix: remove illegal reference and update test

2026-05-04 17:37:59 +02:00 · 2026-05-04 17:37:59 +02:00 · 2e727aec9c
commit 2e727aec9c
parent e86415c7e6
3 changed files with 32 additions and 9 deletions
--- a/test/mv_web/controllers/auth_controller_test.exs
+++ b/test/mv_web/controllers/auth_controller_test.exs
@ -40,12 +40,40 @@ defmodule MvWeb.AuthControllerTest do
    assert html =~ "mila.svg" or html =~ "Mila Logo"
  end

-  test "GET /sign-out redirects to home", %{conn: authenticated_conn} do
+  test "GET /sign-out shows confirmation; submitting sign-out redirects to home", %{
+    conn: authenticated_conn
+  } do
    conn = conn_with_oidc_user(authenticated_conn)
+
    conn = get(conn, ~p"/sign-out")
+    html = html_response(conn, 200)
+    # AshAuthentication.Phoenix: GET renders SignOutLive (logout CSRF protection), not an immediate redirect.
+    assert html =~ "Sign out"
+
+    csrf_token = csrf_token_from_sign_out_form(html)
+
+    conn =
+      post(conn, ~p"/sign-out", %{
+        "_method" => "delete",
+        "_csrf_token" => csrf_token
+      })
+
    assert redirected_to(conn) == ~p"/"
  end

+  defp csrf_token_from_sign_out_form(html) when is_binary(html) do
+    case Regex.run(~r/name="_csrf_token"[^>]*value="([^"]+)"/, html) do
+      [_, token] ->
+        token
+
+      _ ->
+        case Regex.run(~r/value="([^"]+)"[^>]*name="_csrf_token"/, html) do
+          [_, token] -> token
+          _ -> flunk("expected sign-out page HTML to include a _csrf_token hidden field")
+        end
+    end
+  end
+
  # Password authentication (LiveView)
  test "password user can sign in with valid credentials via LiveView", %{
    conn: authenticated_conn