
max / makenotwork

test: fix fan_plus_checkout_requires_login for CSRF origin gate The posture-independent CSRF origin gate (c33c72d) rejects a cold POST with 403 before the auth check runs, so the test's cold POST to /stripe/fan-plus no longer reached the 401 login check. Establish a CSRF token first so the request clears the gate and the test exercises the intended "requires login" path. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Author: Max Johnson <me@maxj.phd> · 2026-06-15 21:51 UTC
Commit: 2c4c8a9543b3516d120c35ee24d2bcb85016c524
Parent: 9e71f3a
1 file changed, +5 insertions, -0 deletions
@@ -319,6 +319,11 @@ async fn platform_promo_code_makes_item_free() {
319 319 async fn fan_plus_checkout_requires_login() {
320 320 let mut h = TestHarness::new().await;
321 321
322 + // Establish a CSRF token first so the POST clears the CSRF gate and reaches
323 + // the auth check — otherwise the posture-independent CSRF origin gate
324 + // rejects the cold POST with 403 before login is ever evaluated.
325 + h.client.fetch_csrf_token().await;
326 +
322 327 let resp = h.client.post_form("/stripe/fan-plus", "").await;
323 328 // Should return 401 (not logged in)
324 329 assert_eq!(resp.status, 401, "Fan+ checkout should require login");
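Review bot: The result of `h.client.fetch_csrf_token().await` is discarded, so if the token fetch fails, the following POST is stopped by the CSRF gate and the test fails with the misleading message "Fan+ checkout should require login". Adding `assert_ne!(resp.status, 403, "CSRF gate rejected the POST; token setup failed");` ahead of the 401 assertion would separate a broken setup from a real auth regression. The helper's signature is not visible here; if it returns a `Result` or the token itself, asserting on that would be cleaner. Since this test no longer sends a cold POST, it is worth confirming that another test still pins the 403 for a token-less POST to `/stripe/fan-plus`, which is the control the commit message attributes to c33c72d. The function's closing lines are outside the hunk.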