Example #1
0
 def setUp(self):
     self._password = faker.password()
     self._user = BaseUserFactory()
     self._user.set_password(self._password)
     self._user.is_active = True
     self._user.save()
     self._init_secret_key = self._user.secret_key
Example #2
0
 def setUp(self):
     self._username = faker.user_name()
     self._password = faker.password()
     self._user = BaseUserFactory(username=self._username)
     self._user.set_password(self._password)
     self._user.is_active = True
     self._user.save()
     self._url_login = reverse('api:auth:login')
Example #3
0
class LogoutTests(TestCase):
    def setUp(self):
        self.user = BaseUserFactory()

    def test_logout_rotates_user_secret_key(self):
        key_before = self.user.secret_key

        logout(user=self.user)
        self.user.refresh_from_db()

        self.assertNotEqual(key_before, self.user.secret_key)
Example #4
0
 def setUp(self):
     self._username = faker.user_name()
     self._password = faker.password()
     self._user = BaseUserFactory(username=self._username)
     self._user.set_password(self._password)
     self._user.is_active = True
     self._user.save()
     self._url_login = reverse('api:auth:login')
     self._url_logout = reverse('api:auth:logout')
     self._url_change_password = reverse('api:auth:change-password')
     self._data = {'username': self._username, 'password': self._password}
 def setUp(self):
     self._username = faker.user_name()
     self._password = faker.password()
     self._user = BaseUserFactory(username=self._username)
     self._user.set_password(self._password)
     self._user.is_active = True
     self._user.save()
     self._init_secret_key = self._user.secret_key
     self._url_login = reverse('api:auth:login')
     self._url_logout = reverse('api:auth:logout')
     self._url_user_detail_url = reverse('api:auth:user-detail')
     self._data = {'username': self._username, 'password': self._password}
Example #6
0
class TestChangeUserPassword(TestCase):
    def setUp(self):
        self._password = faker.password()
        self._user = BaseUserFactory()
        self._user.set_password(self._password)
        self._user.is_active = True
        self._user.save()
        self._init_secret_key = self._user.secret_key

    def test_user_cannot_change_password_with_wrong_old_password(self):

        with self.assertRaises(ValidationError):
            change_user_password(user=self._user,
                                 old_password=faker.password(),
                                 new_password=faker.password())

    def test_user_cannot_change_password_with_empty_old_password(self):
        with self.assertRaises(ValidationError):
            change_user_password(user=self._user,
                                 old_password='',
                                 new_password=faker.password())

    def test_user_cannot_change_password_with_empty_new_password(self):
        with self.assertRaises(ValidationError):
            change_user_password(user=self._user,
                                 old_password=self._password,
                                 new_password='')

    def test_user_cannot_change_password_if_account_is_inactive(self):
        self._user.is_active = False
        self._user.save()

        with self.assertRaises(ValidationError):
            change_user_password(user=self._user,
                                 old_password=self._password,
                                 new_password=faker.password())

    def test_user_can_change_password_with_valid_old_and_new_password_when_active(
            self):

        new_password = faker.password()

        change_user_password(
            user=self._user,
            old_password=self._password,
            new_password=new_password,
        )

        self._user.refresh_from_db()

        self.assertNotEqual(self._init_secret_key, self._user.secret_key)
        self.assertTrue(self._user.check_password(new_password))
Example #7
0
class TestLogin(APITestCase):
    def setUp(self):
        self._username = faker.user_name()
        self._password = faker.password()
        self._user = BaseUserFactory(username=self._username)
        self._user.set_password(self._password)
        self._user.is_active = True
        self._user.save()
        self._url_login = reverse('api:auth:login')

    def test_user_login_success(self):
        data = {
            'username': self._username,
            'password': self._password
        }
        res = self.client.post(self._url_login, data=data)
        self.assertEqual(res.status_code, status.HTTP_200_OK)

    def test_user_login_wrong_username(self):
        data = {
            'username': faker.user_name,
            'password': self._password
        }
        res = self.client.post(self._url_login, data=data)
        self.assertEqual(res.status_code, status.HTTP_400_BAD_REQUEST)

    def test_user_login_wrong_password(self):
        data = {
            'username': self._username,
            'password': faker.password()
        }
        res = self.client.post(self._url_login, data=data)
        self.assertEqual(res.status_code, status.HTTP_400_BAD_REQUEST)

    def test_user_login_inactive(self):
        self._user.is_active = False
        self._user.save()

        data = {
            'username': self._username,
            'password': self._password
        }
        res = self.client.post(self._url_login, data=data)
        self.assertEqual(res.status_code, status.HTTP_400_BAD_REQUEST)
    def test_user_can_decode_only_own_tokens(self):
        response1 = self.client.post(self._url_login, data=self._data)

        user = BaseUserFactory()
        user.is_active = True
        password = faker.password()
        user.set_password(password)
        user.save()

        data = {
            'username': user.username,
            'password': password,
        }

        response2 = self.client.post(self._url_login, data=data)

        token_user1 = response1.data['token']
        token_user2 = response2.data['token']

        self.assertNotEqual(token_user1, token_user2)
        self.assertNotEqual(self._user.secret_key, user.secret_key)

        with self.assertRaises(InvalidSignatureError):
            jwt.decode(token_user1, key=str(user.secret_key))

        with self.assertRaises(InvalidSignatureError):
            jwt.decode(token_user2, key=str(self._user.secret_key))

        self.assertEqual(
            self._user.username,
            jwt.decode(token_user1,
                       key=str(self._user.secret_key))['username'])

        self.assertEqual(
            user.username,
            jwt.decode(token_user2, key=str(user.secret_key))['username'])
Example #9
0
class TestLogout(APITestCase):


    def setUp(self):
        self._username = faker.user_name()
        self._password = faker.password()
        self._user = BaseUserFactory(username=self._username)
        self._user.set_password(self._password)
        self._user.is_active = True
        self._user.save()
        self._url_login = reverse('api:auth:login')
        self._url_logout = reverse('api:auth:logout')
        self._data = {
            'username': self._username,
            'password': self._password
        }

    def test_logout_with_valid_token(self):
        res_login = self.client.post(self._url_login, data=self._data)
        token = res_login.data['token']

        self.client.credentials(
            HTTP_AUTHORIZATION='{0:s} {1:s}'.format(api_settings.JWT_AUTH_HEADER_PREFIX, token)
        )
        res_logout = self.client.post(self._url_logout)
        self.assertEqual(res_logout.status_code, status.HTTP_202_ACCEPTED)

    def test_logout_with_invalid_token(self):
        res_login = self.client.post(self._url_login, data=self._data)
        token = res_login.data['token']

        self._user.rotate_secret_key()

        self.client.credentials(
            HTTP_AUTHORIZATION='{0:s} {1:s}'.format(api_settings.JWT_AUTH_HEADER_PREFIX, token)
        )
        res_logout = self.client.post(self._url_logout)
        self.assertEqual(res_logout.status_code, status.HTTP_401_UNAUTHORIZED)
Example #10
0
 def setUp(self):
     self.user = BaseUserFactory()
Example #11
0
class TestChangePassword(APITestCase):
    def setUp(self):
        self._username = faker.user_name()
        self._password = faker.password()
        self._user = BaseUserFactory(username=self._username)
        self._user.set_password(self._password)
        self._user.is_active = True
        self._user.save()
        self._url_login = reverse('api:auth:login')
        self._url_logout = reverse('api:auth:logout')
        self._url_change_password = reverse('api:auth:change-password')
        self._data = {'username': self._username, 'password': self._password}

    @patch('apps.authentication.apis.get_user_data')
    def test_logged_out_user_cannot_change_password(self, mock_object):
        mock_object.return_value = {}
        self._user.is_active = True
        self._user.save()

        # this should perform login
        res_login = self.client.post(self._url_login, data=self._data)
        token = res_login.data['token']

        # perform logout
        self.client.credentials(HTTP_AUTHORIZATION='{0:s} {1:s}'.format(
            api_settings.JWT_AUTH_HEADER_PREFIX, token))
        self.client.post(self._url_logout)

        data = {
            "old_password": self._password,
            "new_password": faker.password(),
        }

        # this should perform change password
        res_change_pass = self.client.post(self._url_change_password,
                                           data=data)

        self.assertEqual(res_change_pass.status_code, 401)

    @patch('apps.authentication.apis.get_user_data')
    def test_inactive_user_cannot_change_password(self, mock_object):
        mock_object.return_value = {}
        self._user.is_active = True
        self._user.save()

        # this should perform login
        res_login = self.client.post(self._url_login, data=self._data)

        token = res_login.data['token']

        self._user.is_active = False
        self._user.save()

        data = {
            'old_password': self._password,
            'new_password': faker.password(),
        }

        # this should perform change password
        self.client.credentials(HTTP_AUTHORIZATION='{0:s} {1:s}'.format(
            api_settings.JWT_AUTH_HEADER_PREFIX, token))
        change_password_response = self.client.post(
            self._url_change_password,
            data=data,
        )

        self.assertEqual(change_password_response.status_code, 401)

    @patch('apps.authentication.apis.get_user_data')
    def test_user_cannot_change_password_with_invalid_token(self, mock_object):
        mock_object.return_value = {}
        self._user.is_active = True
        self._user.save()

        # this should perform login
        res_login = self.client.post(self._url_login, data=self._data)

        token = res_login.data['token']

        self._user.rotate_secret_key()

        data = {
            'old_password': self._password,
            'new_password': faker.password(),
        }

        # this should perform change password
        self.client.credentials(HTTP_AUTHORIZATION='{0:s} {1:s}'.format(
            api_settings.JWT_AUTH_HEADER_PREFIX, token))
        change_password_response = self.client.post(
            self._url_change_password,
            data=data,
        )

        self.assertEqual(change_password_response.status_code, 401)

    @patch('apps.authentication.apis.get_user_data')
    def test_user_cannot_change_password_with_wrong_old_password(
            self, mock_object):
        mock_object.return_value = {}
        self._user.is_active = True
        self._user.save()

        # this should perform login
        res_login = self.client.post(self._url_login, data=self._data)

        token = res_login.data['token']

        data = {
            "old_password": faker.password(),
            "new_password": faker.password(),
        }

        # this should perform change password
        self.client.credentials(HTTP_AUTHORIZATION='{0:s} {1:s}'.format(
            api_settings.JWT_AUTH_HEADER_PREFIX, token))
        change_password_response = self.client.post(
            self._url_change_password,
            data=data,
        )

        self.assertEqual(change_password_response.status_code, 400)

    @patch('apps.authentication.apis.change_user_password')
    @patch('apps.authentication.apis.get_user_data')
    def test_active_user_can_change_password_with_valid_token(
            self, mock1, mock2):
        mock1.return_value = {}
        self._user.is_active = True
        self._user.save()

        # this should perform login
        login_response = self.client.post(self._url_login, data=self._data)

        token = login_response.data['token']

        data = {
            "old_password": self._password,
            "new_password": faker.password(),
        }

        # this should perform change password
        self.client.credentials(HTTP_AUTHORIZATION='{0:s} {1:s}'.format(
            api_settings.JWT_AUTH_HEADER_PREFIX, token))
        change_password_response = self.client.post(
            self._url_change_password,
            data=data,
        )

        self.assertTrue(mock2.called)
        self.assertEqual(change_password_response.status_code, 202)
class TestJwtAuthorization(APITestCase):
    def setUp(self):
        self._username = faker.user_name()
        self._password = faker.password()
        self._user = BaseUserFactory(username=self._username)
        self._user.set_password(self._password)
        self._user.is_active = True
        self._user.save()
        self._init_secret_key = self._user.secret_key
        self._url_login = reverse('api:auth:login')
        self._url_logout = reverse('api:auth:logout')
        self._url_user_detail_url = reverse('api:auth:user-detail')
        self._data = {'username': self._username, 'password': self._password}

    def test_user_can_decode_only_own_tokens(self):
        response1 = self.client.post(self._url_login, data=self._data)

        user = BaseUserFactory()
        user.is_active = True
        password = faker.password()
        user.set_password(password)
        user.save()

        data = {
            'username': user.username,
            'password': password,
        }

        response2 = self.client.post(self._url_login, data=data)

        token_user1 = response1.data['token']
        token_user2 = response2.data['token']

        self.assertNotEqual(token_user1, token_user2)
        self.assertNotEqual(self._user.secret_key, user.secret_key)

        with self.assertRaises(InvalidSignatureError):
            jwt.decode(token_user1, key=str(user.secret_key))

        with self.assertRaises(InvalidSignatureError):
            jwt.decode(token_user2, key=str(self._user.secret_key))

        self.assertEqual(
            self._user.username,
            jwt.decode(token_user1,
                       key=str(self._user.secret_key))['username'])

        self.assertEqual(
            user.username,
            jwt.decode(token_user2, key=str(user.secret_key))['username'])

    def test_user_access_denied_without_login(self):
        res = self.client.get(self._url_user_detail_url)
        self.assertEqual(res.status_code, status.HTTP_401_UNAUTHORIZED)

    def test_user_can_access_urls_with_token_only_after_login(self):
        res = self.client.post(self._url_login, data=self._data)

        token = res.data['token']

        self.client.credentials(HTTP_AUTHORIZATION='{0:s} {1:s}'.format(
            api_settings.JWT_AUTH_HEADER_PREFIX, token))
        res = self.client.get(self._url_user_detail_url)

        self.assertEqual(res.status_code, status.HTTP_200_OK)
        self.assertEqual(res.data['username'], self._user.username)

    def test_user_cannot_use_old_token_after_logout(self):
        res = self.client.post(self._url_login, data=self._data)
        token = res.data['token']

        # performs logout with jwt
        self.client.credentials(HTTP_AUTHORIZATION='{0:s} {1:s}'.format(
            api_settings.JWT_AUTH_HEADER_PREFIX, token))
        self.client.post(self._url_logout)

        response = self.client.get(self._url_user_detail_url)

        self.assertEqual(response.status_code, 401)

    def test_user_gets_new_user_secret_key_after_logout(self):
        res = self.client.post(self._url_login, data=self._data)
        token = res.data['token']

        # performs logout with jwt
        self.client.credentials(HTTP_AUTHORIZATION='{0:s} {1:s}'.format(
            api_settings.JWT_AUTH_HEADER_PREFIX, token))
        self.client.post(self._url_logout)

        self._user.refresh_from_db()

        self.assertNotEqual(self._init_secret_key, self._user.secret_key)