def test_get_user(self):
     """
     A valid session token resolves to the user that owns that session.
     """
     owner = self.datautils.create_user()
     session_row = self.datautils.create_session({'user_id': owner.id})
     found = get_user_from_token(self.session, session_row.token)
     # Compare row dicts rather than ORM identities.
     self.assertEqual(dict_from_row(owner), dict_from_row(found))
 def test_get_user_and_token_after_creation(self):
     """
     Posting a new account returns the created user row with the freshly
     opened session nested under 'session'.
     """
     self.request.json_body = deepcopy(self.new_account)
     response = users_post_view(self.request)['d']
     created_user = self.session.query(User).one()
     created_session = self.session.query(Session).one()
     expected = dict_from_row(created_user, remove_fields=removals)
     expected['session'] = dict_from_row(created_session, remove_fields=removals)
     self.assertEqual(response, expected)
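def users_post_view(request):
    """
    Create a user from a JSON signup body and open a session for it.

    ``request.json_body`` must carry ``username``, ``email`` and ``password``
    as strings; ``origin`` is optional. Every value present in the body must
    be a string. On a validation failure ``request.response.status`` is set
    to 400 and ``{'d': error_dict(...)}`` is returned. On success the new
    user row is returned under ``'d'`` with its session row nested under
    ``'session'`` (both filtered through ``removals``).
    """
    body = request.json_body
    error = _new_account_error(body, request.dbsession)
    if error is not None:
        request.response.status = 400
        return {'d': error}

    user = User()
    # Per-user random salt. hash_password is defined elsewhere in the project;
    # the tests in this file compute it as sha512(password_utf8 || salt).
    user.salt = os.urandom(256)
    user.password = hash_password(body['password'], user.salt)
    user.username = body['username'].lower()
    user.email = body['email'].lower()
    user.origin = body.get('origin', None)
    # TODO(security): every account is created with the same fixed PIN.
    # Once it is known what authpin gates, generate it per account (e.g. from
    # os.urandom) instead of sharing one constant across all users.
    user.authpin = '123456'

    request.dbsession.add(user)
    request.dbsession.flush()
    # Reload so the database-assigned user.id is available for the session.
    request.dbsession.refresh(user)

    sess = Session()
    sess.owner = user.id
    sess.token = str(uuid4())  # uuid4 is random (os.urandom-backed in CPython)
    request.dbsession.add(sess)
    request.dbsession.flush()
    request.dbsession.refresh(sess)

    result = dict_from_row(user, remove_fields=removals)
    result['session'] = dict_from_row(sess, remove_fields=removals)
    return {'d': result}


def _new_account_error(body, dbsession):
    """
    Validate a signup body; return an error_dict describing the first
    problem found, or None when the body is acceptable.

    Checks, in order: username is a string, username is not already taken,
    email and password are present, every value in the body is a string,
    password is at least 8 characters (the same minimum user_id_put_view
    enforces on password change).
    """
    required_message = 'username, email, and password are all required string fields'
    username = body.get('username')
    if not isinstance(username, basestring):
        return error_dict('api_errors', required_message)
    if username_in_use(username, dbsession):
        return error_dict('verification_error',
                          'username already in use: %s' % username)
    # Note: *every* value in the body must be a string, not only the required
    # ones, so a non-string 'origin' is rejected as well.
    if not all(field in body for field in ('email', 'password')) \
            or not all(isinstance(value, basestring) for value in body.values()):
        return error_dict('api_errors', required_message)
    if len(body['password']) < 8:
        return error_dict('api_errors', 'password must be at least 8 characters')
    return None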
 def test_password_is_hashed(self):
     """
     Creating a user stores something other than the submitted plaintext.
     """
     self.request.json_body = deepcopy(self.new_account)
     response = users_post_view(self.request)['d']
     stored_user = self.session.query(User).one()
     stored_session = self.session.query(Session).one()
     expected = dict_from_row(stored_user, remove_fields=removals)
     expected['session'] = dict_from_row(stored_session, remove_fields=removals)
     self.assertEqual(response, expected)
     # Only shows the stored value differs from the plaintext; it does not
     # check which hash function was applied.
     stored_user = self.session.query(User).one()
     self.assertNotEqual(stored_user.password, self.new_account['password'])
 def test_good_data(self):
     """
     A well-formed PUT returns the updated row and persists the new email.
     """
     new_email = self.good_dict['email']
     self.assertNotEqual(self.request.user.email, new_email)
     self.request.json_body = deepcopy(self.good_dict)
     response = user_id_put_view(self.request)['d']
     expected = dict_from_row(self.request.user, remove_fields=removals)
     self.assertEqual(response, expected)
     self.assertEqual(self.request.user.email, new_email)
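def user_id_put_view(request):
    """
    Update the authenticated user's email and, optionally, password.

    The caller must be authenticated (``request.user``) and the ``user_id``
    route parameter must name that same user; otherwise status 400 with an
    ``api_errors`` error_dict is returned (400 is kept for compatibility,
    although 401/403 would be the conventional codes). ``email`` is required
    and is normalized by ``validate_email``. ``password`` is optional because
    the client cannot resend the old value; when present it must be a string
    of at least 8 characters. Other body keys are ignored. Returns
    ``{'d': <updated user row>}`` filtered through ``removals``.
    """
    if request.user is None:
        request.response.status = 400
        return {'d': error_dict('api_errors', 'not authenticated for this request')}

    # A non-numeric user_id used to make int() raise and escape the view;
    # treat it like any other mismatch instead.
    route_user_id = request.matchdict.get('user_id')
    try:
        same_user = bool(route_user_id) and int(route_user_id) == request.user.id
    except (TypeError, ValueError):
        same_user = False
    if not same_user:
        request.response.status = 400
        return {'d': error_dict('api_errors', 'not authenticated for this request')}

    body = request.json_body
    # 'authpin', 'timezone' and 'infoemails' were previously read here but
    # never applied; only email and password are writable.
    email = body.get('email')
    if not isinstance(email, basestring):
        request.response.status = 400
        return {'d': error_dict('api_errors', 'email invalid: must be a string')}
    try:
        email = validate_email(email)["email"]  # replace with normalized form
    except EmailNotValidError as e:
        # The exception message is human-readable, so it is passed through.
        request.response.status = 400
        return {'d': error_dict('api_errors', 'email invalid: %s' % e)}

    password = body.get('password')
    if password is not None:
        if not isinstance(password, basestring):
            request.response.status = 400
            return {'d': error_dict('api_errors', 'password must be a string')}
        if len(password) < 8:
            request.response.status = 400
            return {'d': error_dict('api_errors',
                                    'password must be at least 8 characters')}
        # NOTE(review): the existing salt is reused on password change; a
        # fresh salt per password would be usual — confirm hash_password's
        # contract before changing it.
        request.user.password = hash_password(password, request.user.salt)

    request.user.email = email

    request.dbsession.flush()
    request.dbsession.refresh(request.user)
    return {'d': dict_from_row(request.user, remove_fields=removals)}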
 def test_valid_password(self):
     """
     A password that meets the guidelines is replaced by its salted digest.
     """
     newpass = '******'
     # Assumes hash_password is sha512(password_utf8 || salt); the final
     # assertion depends on that.
     digest = hashlib.sha512()
     digest.update(newpass.encode('utf-8'))
     digest.update(self.request.user.salt)
     expected_hash = digest.digest()
     self.request.json_body = deepcopy(self.good_dict)
     self.assertNotEqual(self.request.user.password, expected_hash)
     self.request.json_body['password'] = newpass
     response = user_id_put_view(self.request)['d']
     expected_row = dict_from_row(self.request.user, remove_fields=removals)
     self.assertEqual(response, expected_row)
     self.assertEqual(self.request.user.password, expected_hash)
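def user_id_get_view(request):
    """
    Return the authenticated user's own row.

    The caller must be authenticated (``request.user``) and the ``user_id``
    route parameter must name that same user; otherwise status 400 with an
    ``api_errors`` error_dict is returned (400 is kept for compatibility,
    although 401/403 would be the conventional codes). On success returns
    ``{'d': <user row>}`` filtered through ``removals``.
    """
    if request.user is None:
        request.response.status = 400
        return {'d': error_dict('api_errors', 'not authenticated for this request')}

    # A non-numeric user_id used to make int() raise and escape the view;
    # treat it like any other mismatch instead.
    route_user_id = request.matchdict.get('user_id')
    try:
        same_user = bool(route_user_id) and int(route_user_id) == request.user.id
    except (TypeError, ValueError):
        same_user = False
    if not same_user:
        request.response.status = 400
        return {'d': error_dict('api_errors', 'not authenticated for this request')}

    return {'d': dict_from_row(request.user, remove_fields=removals)}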