Invalid anti-forgery error during lein test

Cross Site Request Forgery, is an attack where an evildooer put's a link on their site that tricks the browser of someone on that site into making a request to your site.

If that someone happens to be logged into your site at the time, then that request will cause things to happen as if they had asked for it (because their browser asked for it to happen). This can be a very serious problem and it affects both GET and POST requests.

The general solution is to make it so no serious actions can happen on the first connection to your site, but rather the first connection sets a token header, that the server expects to see on the next request. This allows the server to verify the chain of requests, and thus prevents CSRF (or XSRF).

It sounds like, if you want your test to make requests to this service, you need your request to first acquire a proper CSRF token, and then make the request it want's to test.

As it stands, your test is testing that this call is not vulnerable to CSRF, so it's a perfectly useful test, you should keep it, and write another that get's a proper token before making the request.

We can disable csrf in tests using (assoc site-defaults :security false). The complete code is something like this:

; Create a copy of testing app in utilities.testing
; by wrapping handler with testing middlewares

(ns utilities.testing
    (:require [your-web-app.handler :refer [path-handler]]
              [ring.middleware.defaults :refer [wrap-defaults site-defaults]]))

; Disabling CSRF for testing
(def app
    (-> path-handler
        (wrap-defaults (assoc site-defaults :security false))))

Now you can use this app in tests

(ns users.views-test
    (:require [utilities.testing :refer [app]]
              ;...
              ))

;...
  (testing "adding a record"
    (let [response (app (mock/request :post "/api/df"
                                      "{\"id\":123}"))]
      (prn response)
      (is (= (:status response) 200))))