def test_session_fixation(self):
"""Ensure if session is empty that a new session is given."""
user1 = create_account('user1', '*****@*****.**', 'Password')
activate(user1)
resp = self.client.post(url_for('auth.signin'), data={
'username': '******',
'password': '******'
})
session_id = None
for header in resp.headers:
if header[0] == 'Set-Cookie':
session_id = parse_cookie(header[1])['session']
rs.delete(session_id)
resp = self.client.post(url_for('auth.signin'), data={
'username': '******',
'password': '******'
})
# Find the Set-Cookie header so we can parse it and check the session
# identifier has been updated
for header in resp.headers:
if header[0] == 'Set-Cookie':
self.assertNotEqual(session_id,
parse_cookie(header[1])['session'])
def test_session_fixation(self):
"""Ensure if session is empty that a new session is given."""
user1 = create_account('user1', '*****@*****.**', 'Password')
activate(user1)
resp = self.client.post(url_for('auth.signin'),
data={
'username': '******',
'password': '******'
})
session_id = None
for header in resp.headers:
if header[0] == 'Set-Cookie':
session_id = parse_cookie(header[1])['session']
rs.delete(session_id)
resp = self.client.post(url_for('auth.signin'),
data={
'username': '******',
'password': '******'
})
# Find the Set-Cookie header so we can parse it and check the session
# identifier has been updated
for header in resp.headers:
if header[0] == 'Set-Cookie':
self.assertNotEqual(session_id,
parse_cookie(header[1])['session'])
def test_session_fixation(self):
"""Ensure if session is empty that a new session is given."""
user1 = create_account("user1", "*****@*****.**", "Password")
activate(user1)
resp = self.client.post(url_for("auth.signin"), data={"username": "******", "password": "******"})
session_id = None
for header in resp.headers:
if header[0] == "Set-Cookie":
session_id = parse_cookie(header[1])["session"]
rs.delete(session_id)
resp = self.client.post(url_for("auth.signin"), data={"username": "******", "password": "******"})
# Find the Set-Cookie header so we can parse it and check the session
# identifier has been updated
for header in resp.headers:
if header[0] == "Set-Cookie":
self.assertNotEqual(session_id, parse_cookie(header[1])["session"])
def test_signin_signout(self):
"""
These functions will test the signin and signout endpoints. We will use
url_for so that we can change the URIs in the future.
"""
# Test that we can GET the signin page
resp = self.client.get(url_for('auth.signin'))
# We should get a 200 with an error message if we were not successful
self.assertEqual(resp.status_code, 200)
# There is no user in the system check that we can't authenticate
resp = self.client.post(url_for('auth.signin'), data={
'username': '******',
'password': '******'
})
# We should get a 200 with an error message if we were not successful
self.assertEqual(resp.status_code, 200)
self.assertIn('Invalid user name or password', resp.data)
# Why we are here we will just check that logging in doesn't raise an
# issue if not logged in
resp = self.client.get(url_for('auth.signout'))
# We should be 302 redirected to /signin
self.assertEqual(resp.status_code, 302)
# There is nothing we can really check as we do not flash() as message
# Create a test user and try loggin in, should fail as the user isn't
# activated
user1 = create_account('user1', '*****@*****.**', 'Password')
resp = self.client.post(url_for('auth.signin'), data={
'username': '******',
'password': '******'
})
# We should get a 200 with an information message
self.assertEqual(resp.status_code, 200)
self.assertIn('Please activate your account', resp.data)
# Activate account
self.assertTrue(activate(user1))
resp = self.client.post(url_for('auth.signin'), data={
'username': '******',
'password': '******',
'keep_signed_in': True
})
# Check we are redirected
self.assertEqual(resp.status_code, 302)
# Log back out
self.client.get(url_for('auth.signout'))
# Test that the correct warning is shown if the user is banned
self.assertTrue(ban(user1))
resp = self.client.post(url_for('auth.signin'), data={
'username': '******',
'password': '******'
})
# We should get a 200 with an information message
self.assertEqual(resp.status_code, 200)
self.assertIn('You\'re a very naughty boy!', resp.data)
# Lets unban the user now so we can carry on
self.assertTrue(ban(user1, False))
# Now the user is active and not banned actualy log in
resp = self.client.post(url_for('auth.signin'), data={
'username': '******',
'password': '******'
}, follow_redirects=True)
self.assertEqual(resp.status_code, 200)
self.assertIn('<h1>Feed</h1>', resp.data)
# Attempt to try and get back to login when we are already logged in
resp = self.client.get(url_for('auth.signin'))
self.assertEqual(resp.status_code, 302)
# Now we are logged in lets just ensure logout doesn't do anything daft
# We should be redirected back to /
resp = self.client.get(url_for('auth.signout'), follow_redirects=True)
# We should have been 302 redirected to /signin
self.assertEqual(resp.status_code, 200)
self.assertIn('Successfully signed out', resp.data)
# Lets try and cheat the system
# Attempt invalid Password
resp = self.client.post(url_for('auth.signin'), data={
'username': '******',
'password': '******'
}, follow_redirects=True)
# We should get a 200 with an error message if we were not successful
self.assertEqual(resp.status_code, 200)
self.assertIn('Invalid user name or password', resp.data)
# Attempt user does not exist
resp = self.client.post(url_for('auth.signin'), data={
'username': '******',
'password': '******'
})
# We should get a 200 with an error message if we were not successful
self.assertEqual(resp.status_code, 200)
self.assertIn('Invalid user name or password', resp.data)
# Log the user in and ensure they are logged out if there account
# is banned during using the site and not just at login
resp = self.client.post(url_for('auth.signin'), data={
'username': '******',
'password': '******'
}, follow_redirects=True)
self.assertEqual(resp.status_code, 200)
self.assertIn('<h1>Feed</h1>', resp.data)
# Lets go to another view, we will check out profile and look for our
# username
resp = self.client.get(url_for('users.settings_profile'))
self.assertEqual(resp.status_code, 200)
self.assertIn('*****@*****.**', resp.data)
# Let's ban the user now
self.assertTrue(ban(user1))
# Attempt to get to the feed
resp = self.client.get(url_for('users.feed'), follow_redirects=True)
# We should be redirected to signin with the standard message
self.assertEqual(resp.status_code, 200)
self.assertIn('You\'re a very naughty boy!', resp.data)
# Adding test from form.validate() == False in signup
# Coverage
resp = self.client.post(url_for('auth.signin'), data={
'username': '',
'password': ''
}, follow_redirects=True)
self.assertEqual(resp.status_code, 200)
self.assertIn('Invalid user name or password', resp.data)
# Log in with user1 and remove the session part way through
resp = self.client.post(url_for('auth.signin'), data={
'username': '******',
'password': '******'
}, follow_redirects=True)
self.assertEqual(resp.status_code, 200)
# Find the Set-Cookie header so we can parse then delete it
session_id = None
for header in resp.headers:
if header[0] == 'Set-Cookie':
session_id = parse_cookie(header[1])['session']
rs.delete(session_id)
resp = self.client.get(url_for('users.profile', username='******'),
follow_redirects=True)
self.assertIn('You need to be logged in to view that', resp.data)
# Find the Set-Cookie header so we can parse it and check the session
# identifier has been updated
for header in resp.headers:
if header[0] == 'Set-Cookie':
self.assertNotEqual(session_id,
parse_cookie(header[1])['session'])
