class TemporaryTokenDestroyTests(APITestCase):
def setUp(self):
self.client = APIClient()
self.user = UserFactory()
self.user.set_password('Test123!')
self.user.save()
def test_logout(self):
"""
Ensure we can logout of the platform.
This deletes the TemporaryToken assigned to the user.
"""
data = {'email': self.user.email, 'password': '******'}
response = self.client.post(reverse('token_api'), data, format='json')
self.assertEqual(response.status_code, status.HTTP_200_OK)
token = TemporaryToken.objects.get(user__email=self.user.email, )
self.client.credentials(HTTP_AUTHORIZATION='Token ' + token.key)
response = self.client.delete(
reverse(
'authentication-detail',
kwargs={'pk': token.key},
), )
self.assertFalse(TemporaryToken.objects.filter(key=token.key))
self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
class ChangePasswordTests(APITestCase):
def setUp(self):
self.client = APIClient()
self.user = UserFactory()
self.user.set_password('Test123!')
self.user.is_active = False
self.user.save()
self.token = ActionToken.objects.create(
user=self.user,
type='password_change',
)
def test_change_password(self):
"""
Ensure we can change a password with a valid token and a good password
"""
new_password = '******'
data = {
'token': self.token.key,
'new_password': new_password
}
response = self.client.post(
reverse('change_password'),
data,
format='json',
)
tokens = ActionToken.objects.filter(
user=self.user,
type='password_change',
expired=False,
)
return_user_id = json.loads(response.content)['id']
self.assertEqual(return_user_id, self.user.id)
self.assertEqual(response.status_code, status.HTTP_200_OK)
# We sync user after this change
user = User.objects.get(id=self.user.id)
self.assertTrue(user.check_password(new_password))
self.assertTrue(len(tokens) == 0)
def test_change_password_with_bad_token(self):
"""
Ensure we can't change a password with an invalid token
"""
data = {
'token': 'test',
'new_password': '******'
}
response = self.client.post(
reverse('change_password'),
data,
format='json',
)
tokens = ActionToken.objects.filter(
user=self.user,
type='password_change',
)
content = {
'token': "test is not a valid token.",
}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertTrue(len(tokens) == 1)
self.assertFalse(self.user.check_password('dWqq!Kld3#9dw'))
def test_change_password_without_token(self):
"""
Ensure we can't change a password without token
"""
data = {
'new_password': '******'
}
response = self.client.post(
reverse('change_password'),
data,
format='json',
)
tokens = ActionToken.objects.filter(
user=self.user,
type='password_change',
)
content = {
'token': ["This field is required."],
}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertTrue(len(tokens) == 1)
self.assertFalse(self.user.check_password('dWqq!Kld3#9dw'))
def test_change_password_with_an_empty_token(self):
"""
Ensure we can't change a password with an empty token
"""
data = {
'token': '',
'new_password': '******'
}
response = self.client.post(
reverse('change_password'),
data,
format='json',
)
tokens = ActionToken.objects.filter(
user=self.user,
type='password_change',
)
content = {
'token': ["This field may not be blank."],
}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertTrue(len(tokens) == 1)
self.assertFalse(self.user.check_password('dWqq!Kld3#9dw'))
def test_change_password_without_new_password(self):
"""
Ensure we can't change a password without a new password
"""
data = {
'token': self.token.key,
}
response = self.client.post(
reverse('change_password'),
data,
format='json',
)
tokens = ActionToken.objects.filter(
user=self.user,
type='password_change',
)
content = {
'new_password': ["This field is required."],
}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertTrue(len(tokens) == 1)
self.assertFalse(self.user.check_password('dWqq!Kld3#9dw'))
def test_change_password_with_an_empty_new_password(self):
"""
Ensure we can't change a password without a valid new password
"""
data = {
'token': self.token.key,
'new_password': '',
}
response = self.client.post(
reverse('change_password'),
data,
format='json',
)
tokens = ActionToken.objects.filter(
user=self.user,
type='password_change',
)
content = {
'new_password': ["This field may not be blank."],
}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertTrue(len(tokens) == 1)
self.assertFalse(self.user.check_password('dWqq!Kld3#9dw'))
def test_change_password_with_a_weak_new_password(self):
"""
Ensure we can't change a password with a weak new password
"""
data = {
'token': self.token.key,
'new_password': '******'
}
response = self.client.post(
reverse('change_password'),
data,
format='json',
)
tokens = ActionToken.objects.filter(
user=self.user,
type='password_change',
)
content = {
'new_password': [
'This password is too short. '
'It must contain at least 8 characters.',
],
}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertTrue(len(tokens) == 1)
self.assertFalse(self.user.check_password('akrent'))
class UsersIdTests(SerializerTestCase):
@classmethod
def setUpClass(cls):
super(UsersIdTests, cls).setUpClass()
cls.user_attrs = [
'id',
'url',
'email',
'first_name',
'last_name',
'is_active',
'phone',
'other_phone',
'is_superuser',
'is_staff',
'last_login',
'date_joined',
'groups',
'user_permissions',
]
def setUp(self):
self.client = APIClient()
self.user = UserFactory()
self.user.set_password('Test123!')
self.user.save()
self.admin = AdminFactory()
self.admin.set_password('Test123!')
self.admin.save()
def test_retrieve_user_id_not_exist(self):
"""
Ensure we can't retrieve a user that doesn't exist.
"""
self.client.force_authenticate(user=self.admin)
response = self.client.get(reverse(
'user-detail',
kwargs={'pk': 999},
))
content = {"detail": "Not found."}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
def test_retrieve_user_id_not_exist_without_permission(self):
"""
Ensure we can't know a user doesn't exist without permission
"""
self.client.force_authenticate(user=self.user)
response = self.client.get(reverse(
'user-detail',
kwargs={'pk': 999},
))
content = {
'detail': 'You do not have permission to perform this action.'
}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
def test_retrieve_user(self):
"""
Ensure we can retrieve a user.
"""
self.client.force_authenticate(user=self.user)
response = self.client.get(
reverse(
'user-detail',
kwargs={'pk': self.user.id},
))
content = json.loads(response.content)
# Check id of the user
self.assertEqual(content['id'], 1)
self.validate_attrs(content)
# Check the status code
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_retrieve_user_profile(self):
"""
Ensure we can retrieve our details through /profile.
"""
self.client.force_authenticate(user=self.user)
response = self.client.get(reverse('profile', ))
content = json.loads(response.content)
# Check id of the user
self.assertEqual(content['id'], 1)
self.validate_attrs(content)
# Check the status code
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_partial_update_user_with_permission(self):
"""
Ensure we can update a specific user if caller has permission.
"""
data = {
"phone": "1234567890",
}
self.client.force_authenticate(user=self.admin)
response = self.client.patch(
reverse(
'user-detail',
kwargs={'pk': self.user.id},
),
data,
format='json',
)
content = json.loads(response.content)
# Check if update was successful
self.assertEqual(content['phone'], data['phone'])
# Check id of the user
self.assertEqual(content['id'], 1)
self.validate_attrs(content)
# Check the status code
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_partial_update_user_with_permission_change_password(self):
"""
Ensure we can change password if current password is provided and the
new password is validated.
"""
data = {"password": "******", "new_password": "******"}
self.client.force_authenticate(user=self.user)
response = self.client.patch(
reverse(
'user-detail',
kwargs={'pk': self.user.id},
),
data,
format='json',
)
content = json.loads(response.content)
# Check id of the user
self.assertEqual(content['id'], 1)
self.validate_attrs(content)
self.user.refresh_from_db()
# Ensure that the password has been changed successfully
self.assertTrue(self.user.check_password("!321tseT"))
# Check the status code
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_update_user_with_permission(self):
"""
Ensure we can update a specific user if caller has permission.
Put requires a full update, including password.
"""
data = {
'password': '******',
'new_password': '******',
'phone': '1234567890',
'first_name': 'Chuck',
'last_name': 'Norris',
}
self.client.force_authenticate(user=self.user)
response = self.client.put(
reverse(
'user-detail',
kwargs={'pk': self.user.id},
),
data,
format='json',
)
content = json.loads(response.content)
self.user.refresh_from_db()
# Check if update was successful
self.assertEqual(content['phone'], data['phone'])
self.assertTrue(self.user.check_password("!321tset"))
# Check id of the user
self.assertEqual(content['id'], 1)
self.validate_attrs(content)
# Check the status code
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_update_user_without_permission(self):
"""
Ensure we can't update a specific user doesn't have permission.
"""
data = {
"phone": "1234567890",
}
self.client.force_authenticate(user=self.user)
response = self.client.patch(
reverse(
'user-detail',
kwargs={'pk': self.admin.id},
),
data,
format='json',
)
content = {
'detail': 'You do not have permission to perform this action.'
}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
def test_update_non_existent_user(self):
"""
Ensure we get permission denied when trying to update an invalid user.
"""
data = {
"phone": "1234567890",
}
self.client.force_authenticate(user=self.user)
response = self.client.patch(
reverse(
'user-detail',
kwargs={'pk': 9999},
),
data,
format='json',
)
content = {
'detail': 'You do not have permission to perform this action.'
}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
def test_update_non_existent_user_as_admin(self):
"""
Ensure we get not found when trying to update an invalid user as
an admin.
"""
data = {
"phone": "1234567890",
}
self.client.force_authenticate(user=self.admin)
response = self.client.patch(
reverse(
'user-detail',
kwargs={'pk': 9999},
),
data,
format='json',
)
content = {'detail': 'Not found.'}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
def test_update_user_weak_new_password(self):
"""
Ensure we can't update our password if it is not validated.
"""
data = {
"phone": "1234567890",
"password": "******",
"new_password": "******",
}
self.client.force_authenticate(user=self.user)
response = self.client.patch(
reverse(
'user-detail',
kwargs={'pk': self.user.id},
),
data,
format='json',
)
content = {
'new_password': [
'This password is too common.',
'This password is entirely numeric.'
]
}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
def test_update_user_missing_old_password(self):
"""
Ensure we can't update our password if the current one is not provided.
"""
data = {
"phone": "1234567890",
"new_password": "******",
}
self.client.force_authenticate(user=self.user)
response = self.client.patch(
reverse(
'user-detail',
kwargs={'pk': self.user.id},
),
data,
format='json',
)
content = {'password': '******'}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
def test_update_user_wrong_old_password(self):
"""
Ensure we can't update our password if the current one is wrong.
"""
data = {
"phone": "1234567890",
"password": "******",
"new_password": "******",
}
self.client.force_authenticate(user=self.user)
response = self.client.patch(
reverse(
'user-detail',
kwargs={'pk': self.user.id},
),
data,
format='json',
)
content = {'password': '******'}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
def test_delete_user_as_admin(self):
"""
Ensure we can deactivate a user as an admin.
"""
self.client.force_authenticate(user=self.admin)
response = self.client.delete(
reverse(
'user-detail',
kwargs={'pk': self.user.id},
), )
self.user.refresh_from_db()
self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
self.assertFalse(self.user.is_active)
self.user.is_active = True
self.user.refresh_from_db()
def test_delete_user(self):
"""
Ensure that a user can't deactivate its own account.
"""
self.client.force_authenticate(user=self.user)
response = self.client.delete(
reverse(
'user-detail',
kwargs={'pk': self.user.id},
), )
self.user.refresh_from_db()
self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
self.assertFalse(self.user.is_active)
self.user.is_active = True
self.user.refresh_from_db()
def test_delete_inexistent_user(self):
"""
Ensure that deleting a non-existent user does nothing.
"""
self.client.force_authenticate(user=self.user)
response = self.client.delete(
reverse(
'user-detail',
kwargs={'pk': 999},
), )
self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
class ObtainTemporaryAuthTokenTests(APITestCase):
def setUp(self):
self.client = APIClient()
self.user = UserFactory()
self.user.set_password('Test123!')
self.user.save()
self.url = reverse('token_api')
def test_authenticate_email(self):
"""
Ensure we can authenticate on the platform.
"""
data = {'email': self.user.email, 'password': '******'}
response = self.client.post(self.url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_200_OK)
token = TemporaryToken.objects.get(user__email=self.user.email, )
self.assertContains(response, token)
def test_authenticate(self):
"""
Ensure we can authenticate on the platform using a email.
"""
data = {'email': self.user.email, 'password': '******'}
response = self.client.post(self.url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_200_OK)
token = TemporaryToken.objects.get(user__email=self.user.email, )
self.assertContains(response, token)
def test_authenticate_expired_token(self):
"""
Ensure we can authenticate on the platform when token is expired.
"""
data = {'email': self.user.email, 'password': '******'}
response = self.client.post(self.url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_200_OK)
token_old = TemporaryToken.objects.get(user__email=self.user.email, )
token_old.expire()
response = self.client.post(self.url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_200_OK)
token_new = TemporaryToken.objects.get(user__email=self.user.email, )
self.assertNotContains(response, token_old)
self.assertContains(response, token_new)
def test_authenticate_bad_password(self):
"""
Ensure we can't authenticate with a wrong password'
"""
data = {
'email': self.user.email,
'password': '******' # No caps on the first letter
}
response = self.client.post(self.url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
tokens = TemporaryToken.objects.filter(
user__email=self.user.email).count()
self.assertEqual(0, tokens)
def test_authenticate_bad_email(self):
"""
Ensure we can't authenticate with a wrong email
"""
data = {
'email': 'Jon@john', # Forget the `h` in `John`
'password': '******'
}
response = self.client.post(self.url, data, format='json')
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
tokens = TemporaryToken.objects.filter(
user__email=self.user.email).count()
self.assertEqual(0, tokens)
def test_authenticate_inactive(self):
"""
Ensure we can't authenticate if user is inactive
"""
data = {'email': self.user.email, 'password': '******'}
User.objects.filter(id=self.user.id).update(is_active=False)
response = self.client.post(self.url, data, format='json')
content = {
"non_field_errors":
["Unable to log in with provided credentials."]
}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
tokens = TemporaryToken.objects.filter(
user__email=self.user.email).count()
self.assertEqual(0, tokens)
def test_authenticate_missing_parameter(self):
"""
Ensure we can't authenticate if "email" or "password" are not
provided.
"""
response = self.client.post(self.url, {}, format='json')
content = {
'password': ['This field is required.'],
'email': ['This field is required.']
}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
tokens = TemporaryToken.objects.filter(
user__email=self.user.email).count()
self.assertEqual(0, tokens)
class ResetPasswordTests(APITestCase):
def setUp(self):
self.client = APIClient()
self.user = UserFactory()
self.user.set_password('Test123!')
self.user.is_active = False
self.user.save()
@override_settings(
LOCAL_SETTINGS={
"EMAIL_SERVICE": True,
"FRONTEND_INTEGRATION": {
"FORGOT_PASSWORD_URL": "fake_url",
}
})
def test_create_new_token(self):
"""
Ensure we can have a new token to change our password
"""
data = {
'email': self.user.email,
}
response = self.client.post(
reverse('reset_password'),
data,
format='json',
)
# The token has been created
tokens = ActionToken.objects.filter(
user=self.user,
type='password_change',
)
self.assertEqual(response.content, b'')
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
self.assertTrue(len(tokens) == 1)
@override_settings(
LOCAL_SETTINGS={
"EMAIL_SERVICE": True,
"FRONTEND_INTEGRATION": {
"FORGOT_PASSWORD_URL": "fake_url",
}
})
def test_create_new_token_without_email_param(self):
"""
Ensure we can't have a new token to change our password without
give our email in param
"""
data = dict()
response = self.client.post(
reverse('reset_password'),
data,
format='json',
)
# The token has been created
tokens = ActionToken.objects.filter(
user=self.user,
type='password_change',
)
content = {
'email': ["This field is required."],
}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertTrue(len(tokens) == 0)
@override_settings(
LOCAL_SETTINGS={
"EMAIL_SERVICE": True,
"FRONTEND_INTEGRATION": {
"FORGOT_PASSWORD_URL": "fake_url",
}
})
def test_create_new_token_with_an_empty_email_param(self):
"""
Ensure we can't have a new token to change our password without
give our email in param
"""
data = {
'email': '',
}
response = self.client.post(
reverse('reset_password'),
data,
format='json',
)
# The token has been created
tokens = ActionToken.objects.filter(
user=self.user,
type='password_change',
)
content = {
'email': ["This field may not be blank."],
}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertTrue(len(tokens) == 0)
@override_settings(
LOCAL_SETTINGS={
"EMAIL_SERVICE": True,
"FRONTEND_INTEGRATION": {
"FORGOT_PASSWORD_URL": "fake_url",
}
})
def test_create_new_token_with_bad_email(self):
"""
Ensure we can't have a new token to change our password without
a valid email
"""
data = {
'email': 'test',
}
response = self.client.post(
reverse('reset_password'),
data,
format='json',
)
# The token has been created
tokens = ActionToken.objects.filter(
user=self.user,
type='password_change',
)
content = {'email': ['Enter a valid email address.']}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertTrue(len(tokens) == 0)
@override_settings(
LOCAL_SETTINGS={
"EMAIL_SERVICE": True,
"FRONTEND_INTEGRATION": {
"FORGOT_PASSWORD_URL": "fake_url",
}
})
def test_create_new_token_with_non_existent_email(self):
"""
Ensure we can't have a new token to change our password without
a valid email
"""
data = {
'email': '*****@*****.**',
}
response = self.client.post(
reverse('reset_password'),
data,
format='json',
)
# The token has been created
tokens = ActionToken.objects.filter(
user=self.user,
type='password_change',
)
content = {'email': ['No account associated to this email address.']}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertTrue(len(tokens) == 0)
@override_settings(
LOCAL_SETTINGS={
"EMAIL_SERVICE": True,
"FRONTEND_INTEGRATION": {
"FORGOT_PASSWORD_URL": "fake_url",
}
})
def test_create_new_token_when_token_already_exist(self):
"""
Ensure we can have a new token to change our password
"""
# We create a token before launch the test
ActionToken.objects.create(
user=self.user,
type='password_change',
)
data = {
'email': self.user.email,
}
response = self.client.post(
reverse('reset_password'),
data,
format='json',
)
# The token has been created
tokens = ActionToken.objects.filter(
user=self.user,
type='password_change',
expired=False,
)
self.assertEqual(response.content, b'')
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
self.assertTrue(len(tokens) == 1)
@override_settings(
LOCAL_SETTINGS={
"EMAIL_SERVICE": False,
"FRONTEND_INTEGRATION": {
"FORGOT_PASSWORD_URL": "fake_url",
}
})
def test_create_new_token_without_email_service(self):
"""
Ensure we can have a new token to change our password
"""
data = {
'email': self.user.email,
}
response = self.client.post(
reverse('reset_password'),
data,
format='json',
)
# The token has been created
tokens = ActionToken.objects.filter(
user=self.user,
type='password_change',
)
self.assertEqual(response.content, b'')
self.assertEqual(response.status_code, status.HTTP_501_NOT_IMPLEMENTED)
self.assertTrue(len(tokens) == 0)
@override_settings(
LOCAL_SETTINGS={
"EMAIL_SERVICE": True,
"FRONTEND_INTEGRATION": {
"FORGOT_PASSWORD_URL": "fake_url",
}
})
@mock.patch('project.services.EmailMessage.send', return_value=0)
def test_create_new_token_with_failure_on_email_service(self, send):
"""
Ensure we can have a new token to change our password
"""
data = {
'email': self.user.email,
}
response = self.client.post(
reverse('reset_password'),
data,
format='json',
)
# The token has been created
tokens = ActionToken.objects.filter(
user=self.user,
type='password_change',
)
content = {
'detail':
"Your token has been created but no email "
"has been sent. Please contact the administration.",
}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
self.assertTrue(len(tokens) == 1)
class TemporaryTokenAuthenticationTests(APITestCase):
def setUp(self):
self.client = APIClient()
self.user = UserFactory()
self.user.set_password('Test123!')
self.user.save()
def test_authenticate(self):
"""
Ensure we can authenticate on the platform by providing a valid
TemporaryToken.
"""
data = {'email': self.user.email, 'password': '******'}
response = self.client.post(reverse('token_api'), data, format='json')
self.assertEqual(response.status_code, status.HTTP_200_OK)
token_key = (json.loads(response.content)['token'])
self.client.credentials(HTTP_AUTHORIZATION='Token ' + token_key)
# This could be any url and any method. It is only used to test the
# token authentication.
response = self.client.delete(
reverse(
'authentication-detail',
kwargs={'pk': token_key},
), )
self.assertFalse(TemporaryToken.objects.filter(key=token_key))
self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
@override_settings(
REST_FRAMEWORK_TEMPORARY_TOKENS={
'MINUTES': 30,
'RENEW_ON_SUCCESS': False,
'USE_AUTHENTICATION_BACKENDS': False,
})
def test_authenticate_no_renew(self):
"""
Ensure that a token is not renewed when the authenticated user calls
the API.
"""
data = {'email': self.user.email, 'password': '******'}
response = self.client.post(reverse('token_api'), data, format='json')
self.assertEqual(response.status_code, status.HTTP_200_OK)
token_key = (json.loads(response.content)['token'])
token = TemporaryToken.objects.get(key=token_key)
expiration_date = token.expires
self.client.credentials(HTTP_AUTHORIZATION='Token ' + token_key)
# This could be any url and any method. It is only used to test the
# token authentication.
response = self.client.get(
reverse(
'authentication-detail',
kwargs={'pk': token_key},
), )
token.refresh_from_db()
self.assertEqual(expiration_date, token.expires)
self.assertEqual(
response.status_code,
status.HTTP_405_METHOD_NOT_ALLOWED,
)
def test_authenticate_invalid_token(self):
"""
Ensure we can't authenticate on the platform by providing an invalid
TemporaryToken.
"""
self.client.credentials(HTTP_AUTHORIZATION='Token invalid_token')
# This could be any url and any method. It is only used to test the
# token authentication.
response = self.client.delete(
reverse(
'authentication-detail',
kwargs={'pk': 'invalid_token'},
), )
content = {"detail": "Invalid token"}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
def test_authenticate_expired_token(self):
"""
Ensure we can't authenticate on the platform by providing an expired
TemporaryToken.
"""
data = {'email': self.user.email, 'password': '******'}
response = self.client.post(reverse('token_api'), data, format='json')
self.assertEqual(response.status_code, status.HTTP_200_OK)
token = TemporaryToken.objects.get(user__email=self.user.email, )
token.expire()
self.client.credentials(HTTP_AUTHORIZATION='Token ' + token.key)
# This could be any url and any method. It is only used to test the
# token authentication.
response = self.client.delete(
reverse(
'authentication-detail',
kwargs={'pk': 'invalid_token'},
), )
content = {'detail': 'Token has expired'}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
def test_authenticate_inactive_user(self):
"""
Ensure we can't authenticate on the platform by providing a valid
TemporaryToken if user is inactive.
"""
data = {'email': self.user.email, 'password': '******'}
response = self.client.post(reverse('token_api'), data, format='json')
self.assertEqual(response.status_code, status.HTTP_200_OK)
token = TemporaryToken.objects.get(user__email=self.user.email, )
setattr(self.user, 'is_active', False)
self.user.save()
self.client.credentials(HTTP_AUTHORIZATION='Token ' + token.key)
# This could be any url and any method. It is only used to test the
# token authentication.
response = self.client.delete(
reverse(
'authentication-detail',
kwargs={'pk': token.key},
), )
content = {'detail': 'User inactive or deleted'}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
class UsersActivationTests(APITestCase):
def setUp(self):
self.client = APIClient()
self.user = UserFactory()
self.user.set_password('Test123!')
self.user.is_active = False
self.user.save()
self.activation_token = ActionToken.objects.create(
user=self.user,
type='account_activation',
)
def test_activate_user(self):
"""
Ensure we can activate a user by using an ActionToken.
"""
self.client.force_authenticate(user=self.user)
data = {
'activation_token': self.activation_token.key,
}
response = self.client.post(
reverse('users_activation'),
data,
format='json',
)
# It's the good user
self.assertEqual(json.loads(response.content)['id'], self.user.id)
# We read a new time the user to be synchronized
user_sync = User.objects.get(id=self.user.id)
# The user is now active
self.assertTrue(user_sync.is_active)
# The token has been removed
tokens = ActionToken.objects.filter(
user=user_sync,
type='account_activation',
)
self.assertTrue(len(tokens) == 0)
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_activate_user_with_bad_token(self):
"""
Ensure we can't activate a user without a good ActionToken.
"""
self.client.force_authenticate(user=self.user)
data = {
'activation_token': 'bad_token',
}
response = self.client.post(
reverse('users_activation'),
data,
format='json',
)
content = {
'activation_token': '"bad_token" is not a valid activation_token.'
}
self.assertEqual(json.loads(response.content), content)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)