From 7f1c63fe7f1171cfc06760a841148991e8851939 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 2 Dec 2025 14:55:07 +0000
Subject: [PATCH 1/2] Initial plan
From 4608c4baeecab5d921ea162ac654f9b6159c5447 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 2 Dec 2025 14:58:37 +0000
Subject: [PATCH 2/2] Add test coverage for csrfEnabled = false scenarios
Co-authored-by: grantcopley <1197835+grantcopley@users.noreply.github.com>
---
 test-harness/tests/specs/CBWIRESpec.cfc | 46 +++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
diff --git a/test-harness/tests/specs/CBWIRESpec.cfc b/test-harness/tests/specs/CBWIRESpec.cfc
index 764f373..becc5c9 100644
--- a/test-harness/tests/specs/CBWIRESpec.cfc
+++ b/test-harness/tests/specs/CBWIRESpec.cfc
@@ -707,6 +707,52 @@ component extends="coldbox.system.testing.BaseTestCase" {
 } ).toThrow( type="CBWIREException", message="Page expired." );
 } );
 
+ it( "should process requests without CSRF verification when csrfEnabled = false", function() {
+ var settings = getInstance( "coldbox:modulesettings:cbwire" );
+ var originalSetting = settings.csrfEnabled;
+ settings.csrfEnabled = false;
+
+ var payload = incomingRequest(
+ memo = {
+ "name": "TestComponent",
+ "id": "Z1Ruz1tGMPXSfw7osBW2",
+ "children": []
+ },
+ data = {
+ "count": 1
+ },
+ calls = [
+ {
+ "path": "",
+ "method": "changeTitle",
+ "params": []
+ }
+ ],
+ updates = {},
+ csrfToken = "badToken"
+ );
+
+ // Should not throw an error even with bad token when CSRF is disabled
+ var response = cbwireController.handleRequest( payload, event );
+ expect( isStruct( response ) ).toBeTrue();
+ expect( response.components[1].effects.html ).toInclude( "CBWIRE Slays!" );
+
+ // Restore original setting
+ settings.csrfEnabled = originalSetting;
+ } );
+
+ it( "should return empty string from generateCSRFToken() when csrfEnabled = false", function() {
+ var settings = getInstance( "coldbox:modulesettings:cbwire" );
+ var originalSetting = settings.csrfEnabled;
+ settings.csrfEnabled = false;
+
+ var token = cbwireController.generateCSRFToken();
+ expect( token ).toBe( "" );
+
+ // Restore original setting
+ settings.csrfEnabled = originalSetting;
+ } );
+
+ it( "should provide a handleRequest() method that returns subsequent payloads", function() {
 var payload = incomingRequest(
 memo = {
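Review bot: Both added specs turn off `settings.csrfEnabled` on the shared module settings struct and restore it only on the last line of the spec body, so a failing `expect` or an exception from `handleRequest()` / `generateCSRFToken()` skips the restore. If the struct is shared across specs, as the explicit restore suggests, every later spec would then run with CSRF verification disabled, and specs that are meant to prove bad tokens are rejected could pass or fail for the wrong reason. Put everything after the assignment in `try { ... } finally { settings.csrfEnabled = originalSetting; }` in both `it` blocks, or move the save and restore into `beforeEach`/`afterEach` hooks for these specs. It would also help to add the comment `// csrfEnabled is shared module state: always restore it, even when an expectation fails` above the override. The enclosing suite starts and ends outside the hunk, so which later specs rely on CSRF being enabled is inferred.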