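    def test_replay_attacks_do_not_succeed(self):
        """A completed +openid-callback URL cannot be reused in a fresh session.

        Logs in through the OpenID flow with a browser whose redirects are
        recorded in ``urls_redirected_to``, then opens the recorded
        +openid-callback URL in a second browser that carries no cookies.
        The second browser must remain logged out and show the
        "Nonce already used or out of range" error instead.
        """
        browser = Browser(mech_browser=MyMechanizeBrowser())
        browser.open('%s/+login' % self.layer.appserver_root_url())
        # On a JS-enabled browser this page would've been auto-submitted
        # (thanks to the onload handler), but here we have to do it manually.
        self.assertIn('body onload', browser.contents)
        browser.getControl('Continue').click()

        self.assertEqual('Login', browser.title)
        fill_login_form_and_submit(browser, '*****@*****.**')
        login_status = extract_text(
            find_tag_by_id(browser.contents, 'logincontrol'))
        self.assertIn('Sample Person (name12)', login_status)

        # Now we look up (in urls_redirected_to) the +openid-callback URL that
        # was used to complete the authentication and open it on a different
        # browser with a fresh set of cookies.
        replay_browser = Browser()
        callback_urls = [
            url for url in urls_redirected_to if '+openid-callback' in url]
        # Exactly one callback must have been recorded; an explicit assertion
        # reports the actual list instead of an opaque unpacking ValueError.
        self.assertEqual(
            1, len(callback_urls),
            'Expected exactly one +openid-callback redirect, got %r'
            % (callback_urls,))
        [callback_url] = callback_urls
        replay_browser.open(callback_url)
        login_status = extract_text(
            find_tag_by_id(replay_browser.contents, 'logincontrol'))
        # The replayed response must not establish a session: the login
        # control still offers to log in, and the nonce is rejected.
        self.assertEqual('Log in / Register', login_status)
        errors = find_tags_by_class(replay_browser.contents, 'error')
        self.assertTrue(
            errors, 'Expected an error message on the replayed callback page')
        self.assertEqual('Nonce already used or out of range',
                         extract_text(errors[0]))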
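 def test_realm_for_mainsite(self):
     """The OpenID realm sent from the main site is the browser's root URL.

     Opens +login, which renders the hidden (normally auto-submitted)
     OpenID form, and checks that its ``openid.realm`` field equals
     ``browser.rooturl`` followed by a trailing slash.
     """
     browser = Browser()
     browser.open('%s/+login' % self.layer.appserver_root_url())
     # At this point browser.contents contains a hidden form which would've
     # been auto-submitted if we had in-browser JS support, but since we
     # don't we can easily inspect what's in the form.
     # The realm is the scope the provider is asked to authenticate for, so
     # it must match the site the user is actually logging in to.
     self.assertEqual('%s/' % browser.rooturl,
                      browser.getControl(name='openid.realm').value)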