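    def test_logout(self):
        """Logout must end the session for later protected requests.

        Flow: log in, prove ``/sanity/protected`` accepts the access CSRF
        token, call ``/auth/logout``, then prove the identical request is
        rejected with 401 because the access cookie is no longer sent.
        """
        with self.client:
            add_user('test', '*****@*****.**', 'testtest')
            # login_user presumably sets the auth cookies on the test client
            # and hands back the CSRF tokens; only the access CSRF is used here.
            access_csrf, _refresh_csrf, _access_token = login_user(
                self.client, '*****@*****.**', 'testtest'
            )

            # Baseline: the session is valid before logout.
            response = self.client.post('/sanity/protected', headers={'X-CSRF-TOKEN': access_csrf})
            data = json.loads(response.data.decode())
            self.assertEqual(data['msg'], 'success')
            self.assertEqual(response.content_type, 'application/json')
            self.assertEqual(response.status_code, 200)

            response = self.client.post('/auth/logout', headers={'X-CSRF-TOKEN': access_csrf})
            data = json.loads(response.data.decode())
            self.assertTrue(data['logout'])
            self.assertEqual(response.content_type, 'application/json')
            self.assertEqual(response.status_code, 200)

            # A still-valid CSRF header on its own must not be enough once the
            # access cookie is gone: the endpoint reports the missing cookie.
            response = self.client.post('/sanity/protected', headers={'X-CSRF-TOKEN': access_csrf})
            data = json.loads(response.data.decode())
            self.assertEqual(data['msg'], "Missing cookie \"access_token_cookie\"")
            self.assertEqual(response.content_type, 'application/json')
            self.assertEqual(response.status_code, 401)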
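    def test_change_password_wrong_old(self):
        """A password change with a wrong current password must be refused.

        The follow-up login with the attempted password must fail, which
        shows the stored credential was not replaced by the rejected request.
        """
        with self.client:
            add_user('test', '*****@*****.**', 'testtest')
            access_csrf, _refresh_csrf, _access_token = login_user(
                self.client, '*****@*****.**', 'testtest'
            )

            # Body-less call to the endpoint; its response is overwritten below
            # without any assertion.
            # TODO(review): pin the expected rejection of an empty payload here.
            response = self.client.post('/auth/changepassword', headers={'X-CSRF-TOKEN': access_csrf})

            response = self.client.post(
                '/auth/changepassword',
                data=json.dumps(dict(
                    old_password='******',
                    new_password='******'
                )),
                content_type='application/json',
                headers={'X-CSRF-TOKEN': access_csrf}
            )
            data = json.loads(response.data.decode())
            self.assertEqual(data['msg'], 'Incorrect password')
            # NOTE(review): unlike the sibling tests, no status code is asserted
            # for the rejection; confirm the expected code and pin it.

            # Logging in with the password from the rejected change must fail.
            response = self.client.post(
                '/auth/login',
                data=json.dumps(dict(
                    email='*****@*****.**',
                    password='******'
                )),
                content_type='application/json'
            )
            data = json.loads(response.data.decode())
            self.assertFalse(data['login'])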
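 def test_add_user_duplicate_email(self):
     """Ensure error is thrown if the email already exists.

     An admin creates a user, then posts the same email a second time and
     must receive a 400 carrying the duplicate-email message.
     """
     user = login_user(self, admin=True)
     token = user['token']
     # Bearer scheme is "Bearer <token>" with no colon (RFC 6750); this is
     # also the header the other /users tests in this suite send.
     auth_headers = {'Authorization': f'Bearer {token}'}
     payload = json.dumps({
         'username': '******',
         'email': '*****@*****.**',
         'password': '******'
     })
     with self.client:
         # First creation is expected to succeed; its response is not checked.
         self.client.post('/users',
                          data=payload,
                          content_type='application/json',
                          headers=auth_headers)
         response = self.client.post(
             '/users',
             data=payload,
             content_type='application/json',
             headers=auth_headers)
         data = json.loads(response.data.decode())
         self.assertEqual(response.status_code, 400)
         self.assertIn('Sorry. That email already exists.', data['message'])
         self.assertIn('fail', data['status'])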
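    def test_activate_ok(self):
        """Activating an inactive account via an invite token must succeed.

        An inactive user is created, an invite token is minted for that
        email and posted to ``/auth/activate``; afterwards a login and a
        protected call are made to prove the account is usable.
        """
        with self.client:
            add_user('existing', '*****@*****.**', 'existingexisting', active=False)
            add_user('test', '*****@*****.**', 'testtest', cbl_member=True)

            # Token is bound to the invite purpose and the email it was issued for.
            token = encode_url_token('invite', '*****@*****.**')
            # Leading slash for consistency with every other route in the suite.
            url = '/auth/activate?id={}'.format(token)

            response = self.client.post(
                url,
                data=json.dumps(dict(
                    email='*****@*****.**',
                    username='******',
                    password='******'
                )),
                content_type='application/json'
            )
            data = json.loads(response.data.decode())
            self.assertEqual(data['msg'], 'Account activated')
            self.assertEqual(response.content_type, 'application/json')
            self.assertEqual(response.status_code, 200)

            # The activated account must now be able to log in and reach a
            # protected endpoint.
            access_csrf, _refresh_csrf, _access_token = login_user(
                self.client, '*****@*****.**', 'testtest'
            )
            response = self.client.post('/sanity/protected', headers={'X-CSRF-TOKEN': access_csrf})
            data = json.loads(response.data.decode())
            self.assertEqual(data['msg'], 'success')
            self.assertEqual(response.content_type, 'application/json')
            self.assertEqual(response.status_code, 200)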
 def test_add_user_duplicate_email(self):
     """Ensure error is thrown if the email already exists.

     The second request carries only the email and must still be refused as
     a duplicate rather than as an invalid payload.
     """
     new_user = {
         'username': '******',
         'email': '*****@*****.**',
         'password': '******'
     }
     with self.client:
         add_admin('test', '*****@*****.**', 'test')
         token = login_user(self.client, '*****@*****.**', 'test')
         auth = {'Authorization': f'Bearer {token}'}

         def post_users(body):
             return self.client.post(
                 '/users',
                 data=json.dumps(body),
                 content_type='application/json',
                 headers=auth,
             )

         # First creation; its outcome is not asserted here.
         post_users(new_user)
         response = post_users({'email': '*****@*****.**'})
         body = json.loads(response.data.decode())
         self.assertEqual(response.status_code, 400)
         self.assertIn('Sorry. That email already exists.', body['message'])
         self.assertIn('fail', body['status'])
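 def test_registered_user_login(self, mock_validate_recaptcha):
     """A registered user logging in receives a success body with an auth token.

     ``mock_validate_recaptcha`` is presumably injected by a patch decorator
     above this method (not visible here) so the login does not hit the
     real captcha check; it is not used directly.
     """
     add_user('test', '*****@*****.**', 'test')
     response = login_user('*****@*****.**', 'test')
     data = json.loads(response.data.decode())
     self.assertEqual(data['status'], 'success')
     self.assertEqual(data['message'], 'Successfully logged in.')
     # Token must be present and non-empty; its value is opaque here.
     self.assertTrue(data['auth_token'])
     self.assertEqual(response.content_type, 'application/json')
     self.assertEqual(response.status_code, 200)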
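    def test_refresh(self):
        """The refresh endpoint accepts the refresh CSRF token.

        Login is done with ``refresh_only=True`` so only the refresh
        credential is available, and ``/auth/refresh`` must still succeed.
        """
        with self.client:
            add_user('test', '*****@*****.**', 'testtest')
            _access_csrf, refresh_csrf, _access_token = login_user(
                self.client, '*****@*****.**', 'testtest', refresh_only=True
            )

            response = self.client.post('/auth/refresh', headers={'X-CSRF-TOKEN': refresh_csrf})
            data = json.loads(response.data.decode())
            self.assertTrue(data['refresh'])
            self.assertEqual(response.content_type, 'application/json')
            self.assertEqual(response.status_code, 200)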
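    def test_protected_no_access(self):
        """A refresh CSRF token must not unlock an access-protected endpoint.

        With a refresh-only login, presenting the refresh CSRF token to
        ``/sanity/protected`` must be rejected with the double-submit
        mismatch message and a 401.
        """
        with self.client:
            add_user('test', '*****@*****.**', 'testtest')
            _access_csrf, refresh_csrf, _access_token = login_user(
                self.client, '*****@*****.**', 'testtest', refresh_only=True
            )

            # Wrong token class for this endpoint: the double-submit check fails.
            response = self.client.post('/sanity/protected', headers={'X-CSRF-TOKEN': refresh_csrf})
            data = json.loads(response.data.decode())
            self.assertEqual(data['msg'], "CSRF double submit tokens do not match")
            self.assertEqual(response.content_type, 'application/json')
            self.assertEqual(response.status_code, 401)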
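    def test_protected_with_auth(self):
        """Protected endpoint, with login.

        A normal login followed by ``/sanity/protected`` with the access
        CSRF token must return the success body and a 200.
        """
        with self.client:
            add_user('test', '*****@*****.**', 'testtest')
            access_csrf, _refresh_csrf, _access_token = login_user(
                self.client, '*****@*****.**', 'testtest'
            )

            response = self.client.post('/sanity/protected', headers={'X-CSRF-TOKEN': access_csrf})
            data = json.loads(response.data.decode())
            self.assertEqual(data['msg'], 'success')
            self.assertEqual(response.content_type, 'application/json')
            self.assertEqual(response.status_code, 200)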
 def test_add_user_invalid_json(self):
     """Ensure error is thrown if the JSON object is empty."""
     with self.client:
         add_admin('test', '*****@*****.**', 'test')
         token = login_user(self.client, '*****@*****.**', 'test')
         empty_body = json.dumps({})
         response = self.client.post(
             '/users',
             data=empty_body,
             content_type='application/json',
             headers={'Authorization': f'Bearer {token}'},
         )
         body = json.loads(response.data.decode())
         # An empty object is rejected as an invalid payload, not accepted
         # with defaults.
         self.assertEqual(response.status_code, 400)
         self.assertIn('Invalid payload.', body['message'])
         self.assertIn('fail', body['status'])
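    def test_claims(self):
        """Load user details from claim.

        ``/sanity/claim`` must echo the identity fields of the logged-in user
        (email, username, cbl_member flag) from the token claims.
        """
        with self.client:
            add_user('test', '*****@*****.**', 'testtest')
            access_csrf, _refresh_csrf, _access_token = login_user(
                self.client, '*****@*****.**', 'testtest'
            )

            response = self.client.post('/sanity/claim', headers={'X-CSRF-TOKEN': access_csrf})
            data = json.loads(response.data.decode())
            self.assertEqual(data['email'], '*****@*****.**')
            # add_user was called without cbl_member, so the claim must be false.
            self.assertFalse(data['cbl_member'])
            self.assertEqual(data['username'], 'test')
            self.assertEqual(response.content_type, 'application/json')
            self.assertEqual(response.status_code, 200)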
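 def test_add_user_inactive(self):
     """A token issued to an inactive account must not authorize user creation.

     The request is rejected with 401 and the invalid-token message, i.e. the
     account state is checked on each request rather than only at login.
     """
     user = login_user(self, active=False)
     token = user['token']
     with self.client:
         response = self.client.post(
             '/users',
             data=json.dumps({
                 'username': '******',
                 'email': '*****@*****.**',
                 'password': '******'
             }),
             content_type='application/json',
             headers={'Authorization': f'Bearer {token}'})
         data = json.loads(response.data.decode())
         self.assertEqual(data['status'], 'fail')
         self.assertEqual(data['message'], 'Provide a valid auth token.')
         self.assertEqual(response.status_code, 401)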
 def test_add_user_invalid_json_keys_no_password(self):
     """
     Ensure error is thrown if the JSON object
     does not have a password key.
     """
     admin = login_user(self, admin=True)
     bearer = {'Authorization': f"Bearer {admin['token']}"}
     incomplete = dict(username='******', email='*****@*****.**')
     with self.client:
         response = self.client.post(
             '/users',
             data=json.dumps(incomplete),
             content_type='application/json',
             headers=bearer)
         body = json.loads(response.data.decode())
         self.assertEqual(response.status_code, 400)
         self.assertIn('Invalid payload.', body['message'])
         self.assertIn('fail', body['status'])
 def test_add_user_invalid_json_keys(self):
     """Ensure error is thrown if the JSON object does not have a username key."""
     missing_username = {
         'email': '*****@*****.**',
         'password': '******'
     }
     with self.client:
         add_admin('test', '*****@*****.**', 'test')
         token = login_user(self.client, '*****@*****.**', 'test')
         response = self.client.post(
             '/users',
             data=json.dumps(missing_username),
             content_type='application/json',
             headers={'Authorization': f'Bearer {token}'},
         )
         body = json.loads(response.data.decode())
         self.assertEqual(response.status_code, 400)
         self.assertIn('Invalid payload.', body['message'])
         self.assertIn('fail', body['status'])
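 def test_add_user_not_admin(self):
     """A non-admin token must not be allowed to create users.

     The request is authenticated but not authorized, and is rejected with
     the permission message and a 401.
     """
     user = login_user(self)
     token = user['token']
     with self.client:
         response = self.client.post(
             '/users',
             data=json.dumps({
                 'username': '******',
                 'email': '*****@*****.**',
                 'password': '******'
             }),
             content_type='application/json',
             headers={'Authorization': f'Bearer {token}'})
         data = json.loads(response.data.decode())
         self.assertEqual(data['status'], 'fail')
         self.assertEqual(data['message'], 'You do not have permission to do that.')
         self.assertEqual(response.status_code, 401)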
 def test_add_user(self):
     """Ensure a new user can be added to the database."""
     admin = login_user(self, admin=True)
     headers = {'Authorization': f"Bearer {admin['token']}"}
     new_user = {
         'username': '******',
         'email': '*****@*****.**',
         'password': '******'
     }
     with self.client:
         response = self.client.post(
             '/users',
             data=json.dumps(new_user),
             content_type='application/json',
             headers=headers)
         body = json.loads(response.data.decode())
         self.assertEqual(response.status_code, 201)
         self.assertIn('[email protected] was added!', body['message'])
         self.assertIn('success', body['status'])
    def test_add_user(self):
        """Ensure a new user can be added to the database."""
        new_user = {
            'username': '******',
            'password': '******',
            'email': '*****@*****.**'
        }
        with self.client:
            add_admin('test', '*****@*****.**', 'test')
            token = login_user(self.client, '*****@*****.**', 'test')
            response = self.client.post(
                '/users',
                data=json.dumps(new_user),
                content_type='application/json',
                headers={'Authorization': f'Bearer {token}'},
            )
            body = json.loads(response.data.decode())
            self.assertEqual(response.status_code, 201)
            self.assertIn('[email protected] was added!', body['message'])
            self.assertIn('success', body['status'])
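    def test_blacklist(self):
        """A revoked access token must be rejected even though it is unexpired.

        The token is first shown to work, then added to the revocation list
        with ``revoke_jwt``; the same request must then fail with 401 and the
        revoked-token message.
        """
        with self.client:
            add_user('test', '*****@*****.**', 'testtest')
            access_csrf, _refresh_csrf, access_token = login_user(
                self.client, '*****@*****.**', 'testtest'
            )

            # Baseline: the token is accepted before revocation.
            response = self.client.post('/sanity/protected', headers={'X-CSRF-TOKEN': access_csrf})
            data = json.loads(response.data.decode())
            self.assertEqual(data['msg'], 'success')
            self.assertEqual(response.content_type, 'application/json')
            self.assertEqual(response.status_code, 200)

            # The revocation entry is given a lifetime longer than the access
            # token's (x1.2), presumably so it cannot expire before the token
            # itself does — confirm against revoke_jwt's contract.
            revoke_jwt(access_token, app.config['JWT_ACCESS_TOKEN_EXPIRES'] * 1.2)
            response = self.client.post('/sanity/protected', headers={'X-CSRF-TOKEN': access_csrf})
            data = json.loads(response.data.decode())
            self.assertEqual(data['msg'], 'Token has been revoked')
            self.assertEqual(response.content_type, 'application/json')
            self.assertEqual(response.status_code, 401)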
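    def test_invite_not_cbl(self):
        """Only core CBL members may create invites.

        The logged-in user is created without ``cbl_member``, so the invite
        request must be refused with 403 and the members-only message.
        """
        with self.client:
            add_user('test', '*****@*****.**', 'testtest')
            access_csrf, _refresh_csrf, _access_token = login_user(
                self.client, '*****@*****.**', 'testtest'
            )

            response = self.client.post(
                '/auth/createinvite',
                data=json.dumps(dict(
                    email='*****@*****.**',
                    name='example'
                )),
                content_type='application/json',
                headers={'X-CSRF-TOKEN': access_csrf}
            )
            data = json.loads(response.data.decode())
            # Authenticated but not authorized: 403, not 401.
            self.assertEqual(data['msg'], "Core CBL members only")
            self.assertEqual(response.content_type, 'application/json')
            self.assertEqual(response.status_code, 403)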
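    def test_invite_existing_active(self):
        """Inviting an email that belongs to an active account is a conflict.

        A CBL member sends an invite for an existing active, non-disabled
        user; the server must answer 409 with the already-exists message.
        """
        with self.client:
            add_user('existing', '*****@*****.**', 'existingexisting', active=True, disabled=False)
            add_user('test', '*****@*****.**', 'testtest', cbl_member=True)
            access_csrf, _refresh_csrf, _access_token = login_user(
                self.client, '*****@*****.**', 'testtest'
            )

            response = self.client.post(
                '/auth/createinvite',
                data=json.dumps(dict(
                    email='*****@*****.**',
                    name='existing',
                    # Keep the test from sending a real invite mail.
                    suppress_email=True
                )),
                content_type='application/json',
                headers={'X-CSRF-TOKEN': access_csrf}
            )
            data = json.loads(response.data.decode())
            self.assertEqual(data['msg'], "User already exists")
            self.assertEqual(response.content_type, 'application/json')
            self.assertEqual(response.status_code, 409)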