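class TestForgotAndResetPasswordViews(OsfTestCase):
    """Exercise the legacy (``verification_key``) password-reset view.

    ``setUp`` plants a random 20-character key on a fresh user and builds the
    reset URL that embeds it; the tests then drive that URL with webtest.
    """

    def setUp(self):
        super(TestForgotAndResetPasswordViews, self).setUp()
        self.user = AuthUserFactory()
        # Issue the reset key by hand rather than through the forgot-password
        # flow; these tests only cover the reset view itself.
        # NOTE(review): random_string is a test fixture here -- the generator
        # used in production is the one that must be unpredictable.
        self.key = random_string(20)
        self.user.verification_key = self.key
        self.user.save()

        self.url = web_url_for('reset_password', verification_key=self.key)

    def test_reset_password_view_returns_200(self):
        """A valid key renders the reset form."""
        res = self.app.get(self.url)
        assert_equal(res.status_code, 200)

    def test_can_reset_password_if_form_success(self):
        """Submitting a matching password pair changes the stored password."""
        res = self.app.get(self.url)
        form = res.forms['resetPasswordForm']
        # Password and confirmation must carry the same value: a mismatched
        # pair is expected to be rejected by the form, not to reset the
        # password, so the success case has to submit identical values.
        form['password'] = 'newpassword'
        form['password2'] = 'newpassword'
        res = form.submit()

        # The new password is only visible after re-reading the user record.
        self.user.reload()
        assert_true(self.user.check_password('newpassword'))

    @unittest.skip('TODO: Get this working with CAS setup')
    def test_reset_password_logs_out_user(self):
        """Opening a reset link while another account is logged in must end
        that session, so the reset cannot be attached to the wrong user."""
        another_user = AuthUserFactory()
        # visit the reset link while another user is logged in
        res = self.app.get(self.url, auth=another_user.auth)
        assert_equal(res.status_code, 200)
        # We check whether another_user is still logged in by looking for
        # their full name on the page (it should be in the navbar).
        # Yes, this is brittle.
        assert_not_in(another_user.fullname, res)
        # make sure the form is on the page
        assert_true(res.forms['resetPasswordForm'])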
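class TestForgotAndResetPasswordViews(OsfTestCase):
    """Exercise the legacy (``verification_key``) password-reset view.

    ``setUp`` plants a random 20-character key on a fresh user and builds the
    reset URL that embeds it; the tests then drive that URL with webtest.
    """

    def setUp(self):
        super(TestForgotAndResetPasswordViews, self).setUp()
        self.user = AuthUserFactory()
        # Issue the reset key by hand rather than through the forgot-password
        # flow; these tests only cover the reset view itself.
        # NOTE(review): random_string is a test fixture here -- the generator
        # used in production is the one that must be unpredictable.
        self.key = random_string(20)
        self.user.verification_key = self.key
        self.user.save()

        self.url = web_url_for('reset_password', verification_key=self.key)

    def test_reset_password_view_returns_200(self):
        """A valid key renders the reset form."""
        res = self.app.get(self.url)
        assert_equal(res.status_code, 200)

    def test_can_reset_password_if_form_success(self):
        """Submitting a matching password pair changes the stored password."""
        res = self.app.get(self.url)
        form = res.forms['resetPasswordForm']
        # Password and confirmation must carry the same value: a mismatched
        # pair is expected to be rejected by the form, not to reset the
        # password, so the success case has to submit identical values.
        form['password'] = 'newpassword'
        form['password2'] = 'newpassword'
        res = form.submit()

        # The new password is only visible after re-reading the user record.
        self.user.reload()
        assert_true(self.user.check_password('newpassword'))

    @unittest.skip('TODO: Get this working with CAS setup')
    def test_reset_password_logs_out_user(self):
        """Opening a reset link while another account is logged in must end
        that session, so the reset cannot be attached to the wrong user."""
        another_user = AuthUserFactory()
        # visit the reset link while another user is logged in
        res = self.app.get(self.url, auth=another_user.auth)
        assert_equal(res.status_code, 200)
        # We check whether another_user is still logged in by looking for
        # their full name on the page (it should be in the navbar).
        # Yes, this is brittle.
        assert_not_in(another_user.fullname, res)
        # make sure the form is on the page
        assert_true(res.forms['resetPasswordForm'])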
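class TestResetPassword(OsfTestCase):
    """Exercise the v2 (``verification_key_v2``) password-reset flow.

    The v2 key is a dict carrying a token and an expiry and is bound to one
    user id, so the reset URL needs both ``uid`` and ``token``. ``setUp``
    also prepares two negative URLs: a freshly generated token that was never
    issued to the user, and the real token paired with a different user.
    """

    def setUp(self):
        super(TestResetPassword, self).setUp()
        self.user = AuthUserFactory()
        self.another_user = AuthUserFactory()
        self.osf_key_v2 = generate_verification_key(verification_type='password')
        self.user.verification_key_v2 = self.osf_key_v2
        # Clear the legacy key so the test can tell which one the view uses.
        self.user.verification_key = None
        self.user.save()
        self.get_url = web_url_for(
            'reset_password_get',
            uid=self.user._id,
            token=self.osf_key_v2['token']
        )
        # Token that was never issued to this user.
        self.get_url_invalid_key = web_url_for(
            'reset_password_get',
            uid=self.user._id,
            token=generate_verification_key()
        )
        # Valid token presented against the wrong user id.
        self.get_url_invalid_user = web_url_for(
            'reset_password_get',
            uid=self.another_user._id,
            token=self.osf_key_v2['token']
        )

    # successfully load reset password page
    def test_reset_password_view_returns_200(self):
        """A matching uid/token pair renders the reset form."""
        res = self.app.get(self.get_url)
        assert_equal(res.status_code, 200)

    # raise http 400 error
    def test_reset_password_view_raises_400(self):
        """Unknown token, token bound to another user, and expired token are
        all rejected. Each case gets the same status so the response does not
        tell a caller which of the checks failed."""
        res = self.app.get(self.get_url_invalid_key, expect_errors=True)
        assert_equal(res.status_code, 400)

        res = self.app.get(self.get_url_invalid_user, expect_errors=True)
        assert_equal(res.status_code, 400)

        # Boundary case: an expiry equal to "now" must already count as expired.
        self.user.verification_key_v2['expires'] = dt.datetime.utcnow()
        self.user.save()
        res = self.app.get(self.get_url, expect_errors=True)
        assert_equal(res.status_code, 400)

    # successfully reset password
    @mock.patch('framework.auth.cas.CasClient.service_validate')
    def test_can_reset_password_if_form_success(self, mock_service_validate):
        """Full happy path: submit the form, check the OSF token is consumed,
        a CAS key is issued, the browser is bounced to CAS login, the password
        is changed, and the CAS key is destroyed once CAS validates the ticket.
        """
        # load reset password page and submit the form
        res = self.app.get(self.get_url)
        form = res.forms['resetPasswordForm']
        # Password and confirmation must carry the same value: a mismatched
        # pair is expected to be rejected by the form, not to reset the
        # password, so the success case has to submit identical values.
        form['password'] = 'newpassword'
        form['password2'] = 'newpassword'
        res = form.submit()

        # The POST went to the /resetpassword route for this user; self.user
        # has not been reloaded yet, so the token compared here is the one the
        # user arrived with, which must not be echoed in the request path.
        request_url_path = res.request.path
        assert_in('resetpassword', request_url_path)
        assert_in(self.user._id, request_url_path)
        assert_not_in(self.user.verification_key_v2['token'], request_url_path)

        # The OSF one-time token is consumed and a CAS handoff key is issued.
        self.user.reload()
        assert_equal(self.user.verification_key_v2, {})
        assert_not_equal(self.user.verification_key, None)

        # Redirect to CAS login carrying username and the CAS key. The key
        # travels in the query string, so the teardown assertion at the end
        # (key destroyed after service validation) is what bounds its exposure.
        assert_equal(res.status_code, 302)
        location = res.headers.get('Location')
        assert_true('login?service=' in location)
        assert_true('username={}'.format(self.user.username) in location)
        assert_true('verification_key={}'.format(self.user.verification_key) in location)

        # check if password was updated
        assert_true(self.user.check_password('newpassword'))

        # check that verification_key is destroyed after service validation
        mock_service_validate.return_value = cas.CasResponse(
            authenticated=True,
            user=self.user._primary_key,
            attributes={'accessToken': fake.md5()}
        )
        ticket = fake.md5()
        service_url = 'http://accounts.osf.io/?ticket=' + ticket
        cas.make_response_from_ticket(ticket, service_url)
        # Re-read the record: the handler works on its own copy of the user,
        # so asserting on the stale in-memory object would pass or fail for
        # the wrong reason depending on the ORM's caching.
        self.user.reload()
        assert_equal(self.user.verification_key, None)

    #  log users out before they land on reset password page
    def test_reset_password_logs_out_user(self):
        """A logged-in session is terminated (via CAS logout, not reauth)
        before the reset page is shown, and the logout bounces back to the
        reset URL."""
        # visit reset password link while another user is logged in
        res = self.app.get(self.get_url, auth=self.another_user.auth)
        # check redirection to CAS logout
        assert_equal(res.status_code, 302)
        location = res.headers.get('Location')
        assert_not_in('reauth', location)
        assert_in('logout?service=', location)
        assert_in('resetpassword', location)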
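class TestResetPassword(OsfTestCase):
    """Exercise the v2 (``verification_key_v2``) password-reset flow.

    The v2 key is a dict carrying a token and an expiry and is bound to one
    user id, so the reset URL needs both ``uid`` and ``token``. ``setUp``
    also prepares two negative URLs: a freshly generated token that was never
    issued to the user, and the real token paired with a different user.
    """

    def setUp(self):
        super(TestResetPassword, self).setUp()
        self.user = AuthUserFactory()
        self.another_user = AuthUserFactory()
        self.osf_key_v2 = generate_verification_key(
            verification_type='password')
        self.user.verification_key_v2 = self.osf_key_v2
        # Clear the legacy key so the test can tell which one the view uses.
        self.user.verification_key = None
        self.user.save()
        self.get_url = web_url_for('reset_password_get',
                                   uid=self.user._id,
                                   token=self.osf_key_v2['token'])
        # Token that was never issued to this user.
        self.get_url_invalid_key = web_url_for(
            'reset_password_get',
            uid=self.user._id,
            token=generate_verification_key())
        # Valid token presented against the wrong user id.
        self.get_url_invalid_user = web_url_for('reset_password_get',
                                                uid=self.another_user._id,
                                                token=self.osf_key_v2['token'])

    # successfully load reset password page
    def test_reset_password_view_returns_200(self):
        """A matching uid/token pair renders the reset form."""
        res = self.app.get(self.get_url)
        assert_equal(res.status_code, 200)

    # raise http 400 error
    def test_reset_password_view_raises_400(self):
        """Unknown token, token bound to another user, and expired token are
        all rejected. Each case gets the same status so the response does not
        tell a caller which of the checks failed."""
        res = self.app.get(self.get_url_invalid_key, expect_errors=True)
        assert_equal(res.status_code, 400)

        res = self.app.get(self.get_url_invalid_user, expect_errors=True)
        assert_equal(res.status_code, 400)

        # Boundary case: an expiry equal to "now" must already count as expired.
        self.user.verification_key_v2['expires'] = dt.datetime.utcnow()
        self.user.save()
        res = self.app.get(self.get_url, expect_errors=True)
        assert_equal(res.status_code, 400)

    # successfully reset password
    @mock.patch('framework.auth.cas.CasClient.service_validate')
    def test_can_reset_password_if_form_success(self, mock_service_validate):
        """Full happy path: submit the form, check the OSF token is consumed,
        a CAS key is issued, the browser is bounced to CAS login, the password
        is changed, and the CAS key is destroyed once CAS validates the ticket.
        """
        # load reset password page and submit the form
        res = self.app.get(self.get_url)
        form = res.forms['resetPasswordForm']
        # Password and confirmation must carry the same value: a mismatched
        # pair is expected to be rejected by the form, not to reset the
        # password, so the success case has to submit identical values.
        form['password'] = 'newpassword'
        form['password2'] = 'newpassword'
        res = form.submit()

        # The POST went to the /resetpassword route for this user; self.user
        # has not been reloaded yet, so the token compared here is the one the
        # user arrived with, which must not be echoed in the request path.
        request_url_path = res.request.path
        assert_in('resetpassword', request_url_path)
        assert_in(self.user._id, request_url_path)
        assert_not_in(self.user.verification_key_v2['token'], request_url_path)

        # The OSF one-time token is consumed and a CAS handoff key is issued.
        self.user.reload()
        assert_equal(self.user.verification_key_v2, {})
        assert_not_equal(self.user.verification_key, None)

        # Redirect to CAS login carrying username and the CAS key. The key
        # travels in the query string, so the teardown assertion at the end
        # (key destroyed after service validation) is what bounds its exposure.
        assert_equal(res.status_code, 302)
        location = res.headers.get('Location')
        assert_true('login?service=' in location)
        assert_true('username={}'.format(self.user.username) in location)
        assert_true('verification_key={}'.format(self.user.verification_key) in
                    location)

        # check if password was updated
        assert_true(self.user.check_password('newpassword'))

        # check that verification_key is destroyed after service validation
        mock_service_validate.return_value = cas.CasResponse(
            authenticated=True,
            user=self.user._primary_key,
            attributes={'accessToken': fake.md5()})
        ticket = fake.md5()
        service_url = 'http://accounts.osf.io/?ticket=' + ticket
        cas.make_response_from_ticket(ticket, service_url)
        # Re-read the record: the handler works on its own copy of the user,
        # so asserting on the stale in-memory object would pass or fail for
        # the wrong reason depending on the ORM's caching.
        self.user.reload()
        assert_equal(self.user.verification_key, None)

    #  log users out before they land on reset password page
    def test_reset_password_logs_out_user(self):
        """A logged-in session is terminated (via CAS logout, not reauth)
        before the reset page is shown, and the logout bounces back to the
        reset URL."""
        # visit reset password link while another user is logged in
        res = self.app.get(self.get_url, auth=self.another_user.auth)
        # check redirection to CAS logout
        assert_equal(res.status_code, 302)
        location = res.headers.get('Location')
        assert_not_in('reauth', location)
        assert_in('logout?service=', location)
        assert_in('resetpassword', location)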