
ES-2739 - Updated the CSRF token changes in commons #1878

Merged
mohanachandran-s merged 10 commits into mosip:develop from prathmeshj12:develop
Jan 28, 2026

Conversation

@prathmeshj12 (Contributor) commented Jan 23, 2026

  1. Updated the CSRF token changes in commons.
  2. Added the new method in AdminTestUtil to fetchAndStoreCsrfToken

Summary by CodeRabbit

  • Chores
    • Added shared CSRF storage and public helpers to fetch, extract, and store CSRF token and cookie for test requests.
    • Standardized cookie and header usage across test clients to draw CSRF values from the centralized sources, improving consistency of automated API requests.


@coderabbitai coderabbitai bot commented Jan 23, 2026

Walkthrough

Centralizes CSRF handling: adds static CSRF storage in BaseTestCase, adds AdminTestUtil helpers to fetch/extract CSRF token and cookie from server responses, and updates RestClient and other callers to use the centralized CSRF values.

Changes

Cohort / File(s) Summary
CSRF Token Storage
apitest-commons/src/main/java/io/mosip/testrig/apirig/testrunner/BaseTestCase.java
Added public static fields CSRF_TOKEN and CSRF_COOKIE to hold centralized CSRF token and cookie.
CSRF Utility
apitest-commons/src/main/java/io/mosip/testrig/apirig/utils/AdminTestUtil.java
Added extractAndStoreCsrfToken(Response) and fetchAndStoreCsrfToken() to extract CSRF token and cookie from responses or a dedicated endpoint and store them in BaseTestCase. Replaced property-based token reads with centralized fields.
REST Client Cookie Usage
apitest-commons/src/main/java/io/mosip/testrig/apirig/utils/RestClient.java
Replaced property-sourced XSRF token usage in .cookie(...) calls with the centralized BaseTestCase CSRF cookie/reference across multiple request flows.

Sequence Diagram(s)

sequenceDiagram
    participant TestRunner
    participant AdminUtil as AdminTestUtil
    participant Server
    participant Base as BaseTestCase
    participant Rest as RestClient

    TestRunner->>AdminUtil: fetchAndStoreCsrfToken()
    AdminUtil->>Server: GET /csrf-endpoint
    Server-->>AdminUtil: 2xx response with token body and Set-Cookie
    AdminUtil->>Base: extractAndStoreCsrfToken(response)\nset CSRF_TOKEN, CSRF_COOKIE
    TestRunner->>Rest: invoke API call
    Rest->>Base: read CSRF_TOKEN & CSRF_COOKIE
    Rest->>Server: request with Cookie (CSRF_COOKIE) and header X-XSRF-TOKEN (CSRF_TOKEN)
    Server-->>Rest: response

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • mohanachandran-s

Poem

🐇
I hopped to fetch a secret key,
tucked the cookie snug for tea.
A helper leap, a tiny quest,
now requests wear their Sunday best.
Hooray — the tests can scamper free!

🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically describes the main change: updating CSRF token handling in the commons module, which aligns with the actual changes across AdminTestUtil, RestClient, and BaseTestCase.



Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ast-grep (0.40.5)
apitest-commons/src/main/java/io/mosip/testrig/apirig/utils/AdminTestUtil.java


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
apitest-commons/src/main/java/io/mosip/testrig/apirig/utils/AdminTestUtil.java (2)

452-487: Use the CSRF cookie value for cookies, not the token.

token is used as the cookie value in both the cookie map and the cookieName branch. It should be CSRF_COOKIE; otherwise the cookie carries the header token and CSRF validation can fail.

🐛 Proposed fix
-        token = GlobalConstants.CSRF_TOKEN;
+        token = GlobalConstants.CSRF_COOKIE;
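Review bot: the proposed fix leaves the cookie value in a variable still named `token`, which is exactly the naming that let the header value end up in the cookie map in the first place; rename it (for example `csrfCookie`) or keep the two values in separate variables. The hunk shows only the assignment, so also confirm that the header in the same flow still sends `GlobalConstants.CSRF_TOKEN`, otherwise cookie and header will again carry the same value and CSRF validation can fail.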

642-663: Use CSRF_COOKIE for the cookie value in this flow too.

This path currently passes CSRF_TOKEN as the cookie value, which mirrors the earlier bug and can break CSRF checks.

🐛 Proposed fix
-        token = GlobalConstants.CSRF_TOKEN;
+        token = GlobalConstants.CSRF_COOKIE;
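Review bot: the same swap as in the previous hunk, and the replacement still passes `GlobalConstants.CSRF_COOKIE` unconditionally; nothing in this path checks that the value was populated, so a test that reaches it before `fetchAndStoreCsrfToken()` has run sends an empty cookie. Apply the initialization guard suggested for RestClient here too, or route this call through the helper that performs it.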
🤖 Fix all issues with AI agents
In `apitest-commons/src/main/java/io/mosip/testrig/apirig/utils/AdminTestUtil.java`:
- Around line 7548-7561: The extractAndStoreCsrfToken and fetchAndStoreCsrfToken
currently store nulls silently; modify them so fetchAndStoreCsrfToken checks the
HTTP response status from RestClient.getRequest and if not 2xx throws an
exception or logs and fails fast, and then have extractAndStoreCsrfToken
validate that response.jsonPath().getString("token") and
response.getCookie(GlobalConstants.XSRF_TOKEN) are non‑empty before assigning
GlobalConstants.CSRF_TOKEN and GlobalConstants.CSRF_COOKIE; if either value is
missing, throw a descriptive runtime exception (or return a failure) that
includes the response status and body to aid debugging. Ensure you reference
extractAndStoreCsrfToken, fetchAndStoreCsrfToken, RestClient.getRequest,
GlobalConstants.CSRF_TOKEN and GlobalConstants.CSRF_COOKIE when locating where
to add the checks.

In `apitest-commons/src/main/java/io/mosip/testrig/apirig/utils/GlobalConstants.java`:
- Around line 283-287: Global mutable CSRF_TOKEN and CSRF_COOKIE in
GlobalConstants risk cross-test leakage; replace these public static mutable
fields with per-thread or per-session storage and accessor methods: convert
CSRF_TOKEN and CSRF_COOKIE into private ThreadLocal<String> variables (or move
into a session-scoped context object) and add get/set methods (e.g.,
getCsrfToken(), setCsrfToken(), getCsrfCookie(), setCsrfCookie()) so tests
explicitly set/read tokens for their own thread/session rather than sharing
globals; update usages to call the new accessors.

In `@apitest-commons/src/main/java/io/mosip/testrig/apirig/utils/RestClient.java`:
- Around line 739-742: Add a guard that fails fast when the CSRF cookie is not
initialized: create a private helper (e.g., ensureCsrfCookieInitialized()) in
RestClient that checks GlobalConstants.CSRF_COOKIE for null/blank and throws an
IllegalStateException with a clear message like "CSRF cookie not initialized.
Call AdminTestUtil.fetchAndStoreCsrfToken() first."; then call this helper at
the start of every request path that currently uses GlobalConstants.CSRF_COOKIE
(e.g., the code building postResponse with .cookie(GlobalConstants.XSRF_TOKEN,
GlobalConstants.CSRF_COOKIE) and the other call sites you flagged) so requests
never proceed without a valid CSRF cookie.
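As an added example (not part of the PR, the MOSIP code base, or the bot's review), the Java class below implements the three recommendations above in one place: per-thread storage with accessors instead of public mutable statics, a fetch that fails fast on a non-2xx status or an empty token or cookie (reporting status and body in the exception), and a guard applied before any request carries the cookie and header. It assumes RestAssured on the classpath (the `Response.jsonPath()` and `getCookie()` calls in the review match its API) and a server whose CSRF endpoint returns a JSON body with a `token` field plus a `Set-Cookie` for the CSRF cookie. The endpoint path `/csrf`, the cookie name `XSRF-TOKEN`, the header name `X-XSRF-TOKEN` and the class name `CsrfSession` are assumptions for illustration.

```java
// Added example, not MOSIP project code. Assumes RestAssured and a server whose
// CSRF endpoint returns {"token": "..."} plus Set-Cookie: XSRF-TOKEN=...
// Path, cookie name and header name below are assumptions, not project values.
import io.restassured.RestAssured;
import io.restassured.response.Response;
import io.restassured.specification.RequestSpecification;

public final class CsrfSession {
    private static final String CSRF_PATH = "/csrf";               // assumed
    private static final String CSRF_COOKIE_NAME = "XSRF-TOKEN";   // assumed
    private static final String CSRF_HEADER_NAME = "X-XSRF-TOKEN"; // assumed

    // Per-thread storage instead of public static mutable fields, so parallel
    // test workers cannot overwrite each other's token or cookie.
    private static final ThreadLocal<String> TOKEN = new ThreadLocal<>();
    private static final ThreadLocal<String> COOKIE = new ThreadLocal<>();

    private CsrfSession() {}

    public static String getCsrfToken() { return TOKEN.get(); }
    public static String getCsrfCookie() { return COOKIE.get(); }

    /** Fetch from the dedicated endpoint; anything but 2xx fails the caller. */
    public static void fetchAndStoreCsrfToken(String baseUrl) {
        Response response = RestAssured.given().baseUri(baseUrl).get(CSRF_PATH);
        int status = response.getStatusCode();
        if (status < 200 || status > 299) {
            throw new IllegalStateException("CSRF fetch failed: HTTP " + status
                    + " body=" + response.getBody().asString());
        }
        extractAndStoreCsrfToken(response);
    }

    /** Validate both values before storing; never store nulls silently. */
    public static void extractAndStoreCsrfToken(Response response) {
        String token = response.jsonPath().getString("token");
        String cookie = response.getCookie(CSRF_COOKIE_NAME);
        if (isBlank(token) || isBlank(cookie)) {
            throw new IllegalStateException("CSRF token or cookie missing: HTTP "
                    + response.getStatusCode() + " token=" + token
                    + " cookie=" + cookie + " body=" + response.getBody().asString());
        }
        TOKEN.set(token);
        COOKIE.set(cookie);
    }

    /** Guard used by every request path before the cookie/header are attached. */
    private static void ensureCsrfInitialized() {
        if (isBlank(COOKIE.get()) || isBlank(TOKEN.get())) {
            throw new IllegalStateException("CSRF state not initialized. "
                    + "Call CsrfSession.fetchAndStoreCsrfToken() first.");
        }
    }

    /** Attach the cookie (cookie value) and the header (token value) together. */
    public static RequestSpecification withCsrf(RequestSpecification spec) {
        ensureCsrfInitialized();
        return spec.cookie(CSRF_COOKIE_NAME, COOKIE.get())
                   .header(CSRF_HEADER_NAME, TOKEN.get());
    }

    /** Clear after each test so a stale value cannot leak into the next one. */
    public static void clear() {
        TOKEN.remove();
        COOKIE.remove();
    }

    private static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }

    // Usage sketch (base URL and path are assumed):
    // CsrfSession.fetchAndStoreCsrfToken("https://api.example.test");
    // Response r = CsrfSession.withCsrf(RestAssured.given()
    //         .baseUri("https://api.example.test").body(json)).post("/v1/resource");
    // CsrfSession.clear();   // in an @AfterMethod / @AfterEach hook
}
```

Keeping the cookie value and the token value in separately named fields and attaching both in a single helper is what makes the swap flagged in the two outside-diff comments hard to reintroduce: a caller cannot put the header token into the cookie without changing `withCsrf` itself. `clear()` belongs in a per-test teardown hook so a token fetched by one test does not survive into the next test that runs on the same worker thread.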

@mohanachandran-s mohanachandran-s merged commit 686f83e into mosip:develop Jan 28, 2026
9 checks passed