def test_expired_tokens_garbage_collected(self):
with set_datetime(2019, 1, 1, 10, 0):
token = AuthToken.generate('test', self.user)
token.save()
self.assertEqual(AuthToken.objects.count(), 1)
with set_datetime(2019, 1, 1, 15, 59):
# Not expired.
AuthToken.garbage_collect()
self.assertEqual(AuthToken.objects.count(), 1)
with set_datetime(2019, 1, 1, 16, 1):
# Expired.
AuthToken.garbage_collect()
self.assertEqual(AuthToken.objects.count(), 0)
def test_invalid_tokens_garbage_collected(self):
with set_datetime(2019, 1, 1, 10, 0):
token = AuthToken.generate('test', self.user)
token.save()
self.assertEqual(AuthToken.objects.count(), 1)
with set_datetime(2019, 1, 1, 15, 59):
# Not invalid.
AuthToken.garbage_collect()
self.assertEqual(AuthToken.objects.count(), 1)
# Invalid.
self.user.is_active = False
self.user.save()
AuthToken.garbage_collect()
self.assertEqual(AuthToken.objects.count(), 0)
def test_token_access_works(self):
with set_datetime(2019, 1, 1, 10, 0):
token = AuthToken.generate('test', self.user)
token.save()
token = AuthToken.objects.get()
self.assertNotEqual(token.code, None)
# One minute before expiration.
with set_datetime(2019, 1, 1, 10, 59):
r = self.json('/user/auth/token',
data={
'client_id': 'test',
'client_secret': CLIENT_SECRET,
'code': token.code,
})
self.assertEqual(r.status_code, 200)
json = r.json()
self.assertEqual(json['refresh_token'], token.refresh_token)
self.assertEqual(json['user']['pk'], self.user.pk)
self.assertEqual(json['user']['username'], self.user.username)
self.assertEqual(json['user']['is_staff'], self.user.is_staff)
expires = parse_datetime(json['expires'])
self.assertTrue(timezone.is_aware(token.expiration_datetime()))
self.assertTrue(timezone.is_aware(expires))
self.assertEqual(expires, token.expiration_datetime())
def get_redirect_url(self, *args, **kwargs):
initiator_name = self.request.GET.get(self.client_id_query)
state = self.request.GET.get(self.state_query)
if not state:
raise ValueError("missing state")
client = settings.AUTH_TOKEN_CLIENTS[initiator_name]
auth_token = AuthToken.generate(initiator_name, self.request.user)
auth_token.save()
# Piggy-back on the view to do garbage collection.
AuthToken.garbage_collect()
redirect_data = {'code': auth_token.code, 'state': state}
if 'next' in self.request.GET:
redirect_data['next'] = self.request.GET.get('next')
return client.redirect_url + '?' + urlencode(redirect_data)
def post(self, request, *args, **kwargs):
def error(reason):
return HttpResponseBadRequest(json.dumps({"error": reason}))
if request.content_type != 'application/json':
return error("expected JSON payload")
try:
payload = json.loads(request.body.decode())
client_id = payload[self.client_id_param]
client_secret = payload[self.client_secret_param]
identifier = self.get_identifier(payload)
except Exception:
return error("malformed JSON payload")
try:
client = settings.AUTH_TOKEN_CLIENTS[client_id]
except KeyError:
return error("unknown client")
if not constant_time_compare(client.secret, client_secret):
return error("invalid client secret")
try:
auth_token = self.get_token(client_id, identifier)
except ObjectDoesNotExist:
return error("token does not exist (may have expired)")
except Exception as exc:
return error(
"unexpected error while retrieving token: {}".format(exc))
self.on_success(auth_token)
# Piggy-back on the view to do garbage collection.
AuthToken.garbage_collect()
return JsonResponse(auth_token.as_dict())
def test_token_refresh_expired(self):
with set_datetime(2019, 1, 1, 10, 0):
token = AuthToken.generate('test', self.user)
token.save()
# One minute after expiration.
with set_datetime(2019, 1, 1, 16, 1):
r = self.json('/user/auth/refresh',
data={
'client_id': 'test',
'client_secret': CLIENT_SECRET,
'refresh_token': token.refresh_token,
})
self.assertEqual(r.status_code, 400)
def create_user(request):
if request.method == "POST":
try:
post_data = json.loads(request.body)
first_name = post_data["first_name"]
last_name = post_data["last_name"]
username = post_data["username"]
email = post_data["email"]
password = post_data["password"]
confirm_password = post_data["confirm_password"]
except KeyError:
return JsonResponse({'msg': "Field not found!"}, status=400)
except Exception as e:
print(e)
return JsonResponse({'msg': "Error occured at server"}, status=500)
isValid, errors = validate(first_name, last_name, username, email,
password, confirm_password)
if (isValid):
password = hashlib.sha256(password.encode()).hexdigest()
try:
user = User()
user.first_name = first_name
user.last_name = last_name
user.username = username
user.email = email
user.password = password
user.save()
token = generate_token()
auth_token = AuthToken()
auth_token.user = user
auth_token.token = token
auth_token.save()
response = JsonResponse(
{'msg': "<h1>User created Successfully!"}, status=200)
response.set_cookie("auth_token",
token,
max_age=365 * 24 * 60 * 60)
return response
except Exception as e:
print(e)
return JsonResponse(
{'msg': "Unable to Create User, Please try again Later!"},
status=500)
else:
return JsonResponse({'error': errors}, safe=False, status=400)
return JsonResponse({'msg': "Invalid Method"})
def test_token_access_works_one_time(self):
with set_datetime(2019, 1, 1, 10, 0):
token = AuthToken.generate('test', self.user)
token.save()
# One minute before expiration.
with set_datetime(2019, 1, 1, 10, 59):
r = self.json('/user/auth/token',
data={
'client_id': 'test',
'client_secret': CLIENT_SECRET,
'code': token.code,
})
# OK the first time.
self.assertEqual(r.status_code, 200)
r = self.json('/user/auth/token',
data={
'client_id': 'test',
'client_secret': CLIENT_SECRET,
'code': token.code,
})
# Error the other times.
self.assertEqual(r.status_code, 400)
def login(request):
try:
if request.method == "POST":
post_data = json.loads(request.body)
username = post_data["username"]
password = post_data["password"]
password = hashlib.sha256(password.encode()).hexdigest()
user = User.objects.filter(username=username, password=password)
if is_user_exist(user):
user = user.first()
serialized_user = UserSerializer(user, many=False)
token = generate_token()
auth_token = AuthToken()
auth_token.user = user
auth_token.token = token
auth_token.save()
response = JsonResponse(serialized_user.data, safe=False)
response.set_cookie("auth_token",
token,
max_age=365 * 24 * 60 * 60)
return response
else:
return JsonResponse({"error": "Invalid Username or Password!"},
safe=False,
status=400)
except KeyError:
return JsonResponse({'error': "Please provide all the fields"},
status=400)
except Exception as e:
return JsonResponse({'error': 'Internal Server Error!'}, status=500)
else:
return JsonResponse({'error': "Invalid Method"}, status=400)
def get_token(self, initiator_name, refresh_token):
return AuthToken.verify_for_refresh(initiator_name, refresh_token)
def get_token(self, initiator_name, code):
return AuthToken.verify_for_access(initiator_name, code)