def test_reset_password(database):
"""Test resetting a user password."""
# -- Setup ----------------------------------------------------------------
#
# Create one active user.
username = '******'
password = '******'
with database.session() as session:
# After a reset request has been send the previous password should
# still be valid.
users = UserManager(session)
auth = OpenAccessAuth(session)
user_id = users.register_user(username, password).user_id
# -- Test reset password --------------------------------------------------
with database.session() as session:
users = UserManager(session)
auth = OpenAccessAuth(session)
# Ensure login works prior to reset request.
token = users.login_user(username, password).api_key.value
assert auth.authenticate(token).user_id == user_id
request_id = users.request_password_reset(username)
password = '******'
user = users.reset_password(request_id=request_id, password=password)
assert user.user_id == user_id
# After resetting the password the previous API key for the user is
# invalid
with pytest.raises(err.UnauthenticatedAccessError):
auth.authenticate(token)
token = users.login_user('*****@*****.**', 'mypwd').api_key.value
assert auth.authenticate(token).user_id == user_id
# -- Test login after request ---------------------------------------------
with database.session() as session:
# After a reset request has been send the previous password should
# still be valid.
users = UserManager(session)
auth = OpenAccessAuth(session)
users.request_password_reset(username)
token = users.login_user(username, password).api_key.value
assert auth.authenticate(token).user_id == user_id
# -- Test request reset for unknown user ----------------------------------
with database.session() as session:
users = UserManager(session)
assert users.request_password_reset('*****@*****.**') is not None
# --Error cases -----------------------------------------------------------
with database.session() as session:
# An error is raised when (i) trying to use a request for an unknown
# user, (ii) a previously completed reset request, or (iii) an unknown
# request identifier to reset a user password
users = UserManager(session)
with pytest.raises(err.UnknownRequestError):
users.reset_password(request_id=request_id, password=password)
with pytest.raises(err.UnknownRequestError):
users.reset_password(request_id='UNKNOWN', password=password)
with pytest.raises(err.UnknownRequestError):
users.reset_password(request_id='unknown', password=password)
def test_reset_request_timeout(database):
"""Test resetting a user password using a request identifier that has
timed out.
"""
# -- Setup ----------------------------------------------------------------
#
# Create database with single active user.
username = '******'
with database.session() as session:
users = UserManager(session)
users.register_user(username, 'pwd1')
# -- Test password reset after timed-out ----------------------------------
with database.session() as session:
# Request a password reset and then sleep for a period of time that is
# lonker than the token timeout period.
users = UserManager(session, token_timeout=1)
request_id = users.request_password_reset(username)
time.sleep(2)
with pytest.raises(err.UnknownRequestError):
users.reset_password(request_id=request_id, password='******')