cors fixes

openapi_first/templates/model_app/main.py

@@ -26,6 +26,7 @@ Example:
 """
 
 from openapi_first.app import OpenAPIFirstApp
+from starlette_csrf import CSRFMiddleware
 import routes
 
 app = OpenAPIFirstApp(
@@ -33,3 +34,13 @@ app = OpenAPIFirstApp(
     routes_module=routes,
     title="Model CRUD Example Service",
 )
+
+app.add_middleware(
+    CSRFMiddleware,
+    secret="change-me-in-production",
+    cookie_name="csrftoken",
+    header_name="x-csrftoken",
+    cookie_secure=False,
+    cookie_httponly=False,
+    cookie_samesite="lax",
+)

openapi_first/templates/model_app/test_model_app.py

@@ -33,6 +33,14 @@ client = OpenAPIClient(
     client=client,
 )
 
+# Bootstrap CSRF token via a safe GET request
+_ = client.list_items()
+_CSRF_TOKEN = client.client.cookies.get("csrftoken")
+
+
+def _csrf_headers() -> dict:
+    return {"X-CSRFToken": _CSRF_TOKEN} if _CSRF_TOKEN else {}
+
 
 def test_list_items_initial():
     """Initial items should be present."""
@@ -69,7 +77,8 @@ def test_create_item():
     }
 
     response = client.create_item(
-        body=payload
+        body=payload,
+        headers=_csrf_headers(),
     )
     assert response.status_code == 201
 
@@ -94,6 +103,7 @@ def test_update_item():
     response = client.update_item(
         path_params={"item_id": 1},
         body=payload,
+        headers=_csrf_headers(),
     )
     assert response.status_code == 200
 
@@ -114,7 +124,8 @@ def test_update_item():
 def test_delete_item():
     """Deleting an item should remove it from the store."""
     response = client.delete_item(
-        path_params={"item_id": 2}
+        path_params={"item_id": 2},
+        headers=_csrf_headers(),
     )
     assert response.status_code == 204