def test_slop(self):
    """Check that codes one 30-second offset either side of now validate.

    Only the accepting side of the window is exercised here; nothing in
    this test asserts that a code further away is refused.
    """
    secret = os.urandom(20)
    totp_device = TOTPDevice(key=secret)
    reference = timezone.now()
    offset = datetime.timedelta(seconds=30)
    # Checked in ascending time order (past, present, future).
    # NOTE(review): if validate_token records the last accepted step, this
    # order matters - confirm before reordering.
    for moment in (reference - offset, reference, reference + offset):
        code = oath.totp(secret, moment)
        self.assertTrue(totp_device.validate_token(code))
def test_incorrect_code(self):
    """Check that a code generated 120 seconds ahead of now is refused.

    The refused attempt must leave no authenticated user in the session
    and must render the form's invalid-token message.
    """
    secret = self.enable_totp()
    first_step = self.login()
    verify_url = first_step['location']
    out_of_window = timezone.now() + datetime.timedelta(seconds=120)
    form_data = {
        'token': oath.totp(secret, out_of_window),
        'type': 'totp',
    }
    response = self.client.post(verify_url, form_data)

    # A rejected second factor must not authenticate the session.
    self.assertNotIn(SESSION_KEY, self.client.session)
    self.assertContains(response, TOTPForm.INVALID_ERROR_MESSAGE)
def test_login(self):
    """Check the two-step login: redirect to verification, then a valid code.

    After self.login() the session must not yet carry an authenticated
    user, and the redirect must point at the second-factor view. Posting
    a code for the current time then authenticates self.user and
    redirects to a location ending in '/next/'.
    """
    secret = self.enable_totp()
    first_step = self.login()

    # The first step alone must not authenticate the session.
    self.assertNotIn(SESSION_KEY, self.client.session)
    verify_url = first_step['location']
    self.assertIn(reverse('u2f:verify-second-factor'), verify_url)

    form_data = {
        'token': oath.totp(secret, timezone.now()),
        'type': 'totp',
    }
    response = self.client.post(verify_url, form_data)

    session_user = str(self.client.session[SESSION_KEY])
    self.assertEqual(session_user, str(self.user.id))
    self.assertTrue(response['location'].endswith('/next/'))
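def test_add_device_incorrect_token(self):
    """Check that enrolment with a code 120 seconds ahead of now is refused.

    The view must re-render the form (HTTP 200) with the invalid-token
    message, and no TOTP device may be stored for the offered key.
    """
    self.login()
    url = reverse('u2f:add-totp')
    r = self.client.get(url)
    # presumably _extract_key pulls the base32 secret out of the page - confirm
    base32_key = self._extract_key(r)
    key = b32decode(base32_key)
    r = self.client.post(url, {
        'base32_key': base32_key,
        'token': oath.totp(key, timezone.now() + datetime.timedelta(seconds=120)),
    })
    self.assertEqual(r.status_code, 200)
    self.assertContains(r, TOTPForm.INVALID_ERROR_MESSAGE)
    # The error page alone does not prove nothing was saved: an unverified
    # secret must never end up enrolled as a second factor.
    self.assertFalse(self.user.totp_devices.filter(key=key).exists())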
def test_add_device(self):
    """Check that posting a current code for the offered key enrols a device.

    The enrolment page must contain 'svg', and a successful post must
    redirect (HTTP 302) and leave a TOTP device with that key on
    self.user.
    """
    self.login()
    enrol_url = reverse('u2f:add-totp')
    page = self.client.get(enrol_url)
    # presumably the QR code for the new secret is rendered as SVG - confirm
    self.assertContains(page, 'svg')

    encoded_secret = self._extract_key(page)
    secret = b32decode(encoded_secret)
    form_data = {
        'base32_key': encoded_secret,
        'token': oath.totp(secret, timezone.now()),
    }
    response = self.client.post(enrol_url, form_data)

    self.assertEqual(response.status_code, 302)
    stored = self.user.totp_devices.filter(key=secret)
    self.assertTrue(stored.exists())
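def test_token_cant_be_used_twice(self):
    """Check that a code which already completed a login is refused on replay.

    The first post with the code authenticates self.user. After logout
    and a fresh first step, posting the same code again must show the
    invalid-token message and must not authenticate the session.
    """
    key = self.enable_totp()
    r = self.login()
    # Must be the code itself: a trailing comma here would build a 1-tuple
    # and the test would only work through the client's handling of
    # iterable form values.
    token = oath.totp(key, timezone.now())
    r = self.client.post(r['location'], {
        'token': token,
        'type': 'totp',
    })
    self.assertEqual(str(self.client.session[SESSION_KEY]), str(self.user.id))

    self.client.logout()
    r = self.login()
    r = self.client.post(r['location'], {
        'token': token,
        'type': 'totp',
    })
    # Replay protection: the reused code must not log the user in, in
    # addition to producing the error message.
    self.assertNotIn(SESSION_KEY, self.client.session)
    self.assertContains(r, TOTPForm.INVALID_ERROR_MESSAGE)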