def post(self, request): serializer = PasswordSendResetSerializer(data=request.data) if serializer.is_valid(): if CustomUser.objects.filter(email=serializer.validated_data.get('email')).exists(): reset = serializer.save() # TODO check if token isn't used tokenbackend = TokenBackend(algorithm='RS256', signing_key=getattr(settings, "RS256_PRIVATE_KEY", None), verifying_key=getattr(settings, "RS256_PUBLIC_KEY", None)) reset = UserResetToken(email=reset.email, expire=datetime.utcnow() + timedelta(0, 3600) + timedelta( 0, 3600) + timedelta(0, 3600), created_on=datetime.utcnow() + timedelta(0, 3600) + timedelta( 0, 3600), used=False ) reset.save() token = tokenbackend.encode( {'user_email': reset.email, 'exp': datetime.utcnow() + timedelta(0, 3600)}) # TODO check if user is active mail_subject = 'Reset your password.' current_site = get_current_site(request) activation_link = "http://{0}/passreset/{1}".format(current_site, token) message = "Hello ,\n click the link below to reset your password.\n {0}".format(activation_link) email = EmailMessage(mail_subject, message, to=[reset.email]) email.send() return Response(serializer.errors, status=status.HTTP_200_OK) return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
def test_custom_JSONEncoder(self): backend = TokenBackend("HS256", SECRET, json_encoder=UUIDJSONEncoder) unique = uuid.uuid4() self.payload["uuid"] = unique token = backend.encode(self.payload) decoded = backend.decode(token) self.assertEqual(decoded["uuid"], str(unique))
def test_decode_hmac_custom_changed_user(self): token_backend = TokenBackend( 'HS256', get_user_secret_key=lambda a: str(a) + str(randint(0, 1000000000))) payload = { 'exp': make_utc(datetime(year=2000, month=1, day=1)), 'id': '1234' } token = token_backend.encode(payload) with self.assertRaises(TokenBackendError): self.hmac_token_backend.decode(token)
def post(self, request, *args, **kwargs, ): serializer = CustomUserSerializer(data=request.data) if serializer.is_valid(): # userr = CustomUser.objects.filter(email=serializer.email) if CustomUser.objects.filter(email=serializer.validated_data.get('email')).exists(): return Response(status=status.HTTP_406_NOT_ACCEPTABLE) elif CustomUser.objects.filter(username=serializer.validated_data.get('username')).exists(): return Response(status=status.HTTP_406_NOT_ACCEPTABLE) user = serializer.save() tokenbackend = TokenBackend(algorithm='RS256', signing_key=getattr(settings, "RS256_PRIVATE_KEY", None), verifying_key=getattr(settings, "RS256_PUBLIC_KEY", None)) activation = UserActivationToken(user=CustomUser.objects.get(id=user.id), expire=datetime.utcnow() + timedelta(0,3600) + timedelta(0, 3600) + timedelta(0, 3600), created_on=datetime.utcnow() + timedelta(0, 3600) + timedelta( 0, 3600), used=False ) activation.save() token = tokenbackend.encode( {'user_id': user.id, 'exp': datetime.utcnow() + timedelta(0, 3600)}) data = { 'confirmation_token': token } user.is_active = False user.save() mail_subject = 'Activate your account.' current_site = get_current_site(request) activation_link = "http://{0}/activateaccount/{1}".format(current_site, token) message = "Hello {0},\n click the link below to activate your account.\n {1}".format(user.username, activation_link) email = EmailMessage(mail_subject, message, to=[user.email]) email.send() return Response(data, status=status.HTTP_201_CREATED) return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
class TestTokenBackend(TestCase): def setUp(self): self.hmac_token_backend = TokenBackend('HS256', SECRET) self.rsa_token_backend = TokenBackend('RS256', PRIVATE_KEY, PUBLIC_KEY) self.payload = {'foo': 'bar'} def test_init(self): # Should reject unknown algorithms with self.assertRaises(TokenBackendError): TokenBackend('oienarst oieanrsto i', 'not_secret') TokenBackend('HS256', 'not_secret') def test_encode_hmac(self): # Should return a JSON web token for the given payload payload = {'exp': make_utc(datetime(year=2000, month=1, day=1))} hmac_token = self.hmac_token_backend.encode(payload) # Token could be one of two depending on header dict ordering self.assertIn( hmac_token, ( 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjk0NjY4NDgwMH0.NHpdD2X8ub4SE_MZLBedWa57FCpntGaN_r6f8kNKdUs', 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjk0NjY4NDgwMH0.jvxQgXCSDToR8uKoRJcMT-LmMJJn2-NM76nfSR2FOgs', ), ) def test_encode_rsa(self): # Should return a JSON web token for the given payload payload = {'exp': make_utc(datetime(year=2000, month=1, day=1))} rsa_token = self.rsa_token_backend.encode(payload) # Token could be one of two depending on header dict ordering self.assertIn( rsa_token, ( 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOjk0NjY4NDgwMH0.cuE6ocmdxVHXVrGufzn-_ZbXDV475TPPb5jtSacvJsnR3s3tLIm9yR7MF4vGcCAUGJn2hU_JgSOhs9sxntPPVjdwvC3-sxAwfUQ5AgUCEAF5XC7wTvGhmvufzhAgEG_DNsactCh79P8xRnc0iugtlGNyFp_YK582-ZrlfQEp-7C0L9BNG_JCS2J9DsGR7ojO2xGFkFfzezKRkrVTJMPLwpl0JAiZ0iqbQE-Tex7redCrGI388_mgh52GLsNlSIvW2gQMqCVMYndMuYx32Pd5tuToZmLUQ2PJ9RyAZ4fOMApTzoshItg4lGqtnt9CDYzypHULJZohJIPcxFVZZfHxhw', 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjk0NjY4NDgwMH0.pzHTOaVvKJMMkSqksGh-NdeEvQy8Thre3hBM3smUW5Sohtg77KnHpaUYjq30DyRmYQRmPSjEVprh1Yvic_-OeAXPW8WVsF-r4YdJuxWUpuZbIPwJ9E-cMfTZkDkOl18z1zOdlsLtsP2kXyAlptyy9QQsM7AxoqM6cyXoQ5TI0geWccgoahTy3cBtA6pmjm7H0nfeDGqpqYQBhtaFmRuIWn-_XtdN9C6NVmRCcZwyjH-rP3oEm6wtuKJEN25sVWlZm8YRQ-rj7A7SNqBB5tFK2anM_iv4rmBlIEkmr_f2s_WqMxn2EWUSNeqbqiwabR6CZUyJtKx1cPG0B2PqOTcZsg', ), ) def test_decode_hmac_with_no_expiry(self): no_exp_token = jwt.encode(self.payload, SECRET, algorithm='HS256') self.hmac_token_backend.decode(no_exp_token) def test_decode_hmac_with_no_expiry_no_verify(self): no_exp_token = jwt.encode(self.payload, SECRET, algorithm='HS256') self.assertEqual( self.hmac_token_backend.decode(no_exp_token, verify=False), self.payload, ) def test_decode_hmac_with_expiry(self): self.payload['exp'] = aware_utcnow() - timedelta(seconds=1) expired_token = jwt.encode(self.payload, SECRET, algorithm='HS256') with self.assertRaises(TokenBackendError): self.hmac_token_backend.decode(expired_token) def test_decode_hmac_with_invalid_sig(self): self.payload['exp'] = aware_utcnow() + timedelta(days=1) token_1 = jwt.encode(self.payload, SECRET, algorithm='HS256').decode('utf-8') self.payload['foo'] = 'baz' token_2 = jwt.encode(self.payload, SECRET, algorithm='HS256').decode('utf-8') token_2_payload = token_2.rsplit('.', 1)[0] token_1_sig = token_1.rsplit('.', 1)[-1] invalid_token = token_2_payload + '.' + token_1_sig with self.assertRaises(TokenBackendError): self.hmac_token_backend.decode(invalid_token) def test_decode_hmac_with_invalid_sig_no_verify(self): self.payload['exp'] = aware_utcnow() + timedelta(days=1) token_1 = jwt.encode(self.payload, SECRET, algorithm='HS256').decode('utf-8') self.payload['foo'] = 'baz' token_2 = jwt.encode(self.payload, SECRET, algorithm='HS256').decode('utf-8') token_2_payload = token_2.rsplit('.', 1)[0] token_1_sig = token_1.rsplit('.', 1)[-1] invalid_token = token_2_payload + '.' + token_1_sig self.assertEqual( self.hmac_token_backend.decode(invalid_token, verify=False), self.payload, ) def test_decode_hmac_success(self): self.payload['exp'] = aware_utcnow() + timedelta(days=1) self.payload['foo'] = 'baz' token = jwt.encode(self.payload, SECRET, algorithm='HS256').decode('utf-8') self.assertEqual(self.hmac_token_backend.decode(token), self.payload) def test_decode_rsa_with_no_expiry(self): no_exp_token = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256') self.rsa_token_backend.decode(no_exp_token) def test_decode_rsa_with_no_expiry_no_verify(self): no_exp_token = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256') self.assertEqual( self.hmac_token_backend.decode(no_exp_token, verify=False), self.payload, ) def test_decode_rsa_with_expiry(self): self.payload['exp'] = aware_utcnow() - timedelta(seconds=1) expired_token = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256') with self.assertRaises(TokenBackendError): self.rsa_token_backend.decode(expired_token) def test_decode_rsa_with_invalid_sig(self): self.payload['exp'] = aware_utcnow() + timedelta(days=1) token_1 = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256').decode('utf-8') self.payload['foo'] = 'baz' token_2 = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256').decode('utf-8') token_2_payload = token_2.rsplit('.', 1)[0] token_1_sig = token_1.rsplit('.', 1)[-1] invalid_token = token_2_payload + '.' + token_1_sig with self.assertRaises(TokenBackendError): self.rsa_token_backend.decode(invalid_token) def test_decode_rsa_with_invalid_sig_no_verify(self): self.payload['exp'] = aware_utcnow() + timedelta(days=1) token_1 = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256').decode('utf-8') self.payload['foo'] = 'baz' token_2 = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256').decode('utf-8') token_2_payload = token_2.rsplit('.', 1)[0] token_1_sig = token_1.rsplit('.', 1)[-1] invalid_token = token_2_payload + '.' + token_1_sig self.assertEqual( self.hmac_token_backend.decode(invalid_token, verify=False), self.payload, ) def test_decode_rsa_success(self): self.payload['exp'] = aware_utcnow() + timedelta(days=1) self.payload['foo'] = 'baz' token = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256').decode('utf-8') self.assertEqual(self.rsa_token_backend.decode(token), self.payload)
class TestTokenBackend(TestCase): def setUp(self): self.hmac_token_backend = TokenBackend('HS256', SECRET) self.hmac_leeway_token_backend = TokenBackend('HS256', SECRET, leeway=LEEWAY) self.rsa_token_backend = TokenBackend('RS256', PRIVATE_KEY, PUBLIC_KEY) self.aud_iss_token_backend = TokenBackend('RS256', PRIVATE_KEY, PUBLIC_KEY, AUDIENCE, ISSUER) self.payload = {'foo': 'bar'} def test_init(self): # Should reject unknown algorithms with self.assertRaises(TokenBackendError): TokenBackend('oienarst oieanrsto i', 'not_secret') TokenBackend('HS256', 'not_secret') @patch.object(algorithms, 'has_crypto', new=False) def test_init_fails_for_rs_algorithms_when_crypto_not_installed(self): with self.assertRaisesRegex(TokenBackendError, 'You must have cryptography installed to use RS256.'): TokenBackend('RS256', 'not_secret') with self.assertRaisesRegex(TokenBackendError, 'You must have cryptography installed to use RS384.'): TokenBackend('RS384', 'not_secret') with self.assertRaisesRegex(TokenBackendError, 'You must have cryptography installed to use RS512.'): TokenBackend('RS512', 'not_secret') def test_encode_hmac(self): # Should return a JSON web token for the given payload payload = {'exp': make_utc(datetime(year=2000, month=1, day=1))} hmac_token = self.hmac_token_backend.encode(payload) # Token could be one of two depending on header dict ordering self.assertIn( hmac_token, ( 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjk0NjY4NDgwMH0.NHpdD2X8ub4SE_MZLBedWa57FCpntGaN_r6f8kNKdUs', 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjk0NjY4NDgwMH0.jvxQgXCSDToR8uKoRJcMT-LmMJJn2-NM76nfSR2FOgs', ), ) def test_encode_rsa(self): # Should return a JSON web token for the given payload payload = {'exp': make_utc(datetime(year=2000, month=1, day=1))} rsa_token = self.rsa_token_backend.encode(payload) # Token could be one of two depending on header dict ordering self.assertIn( rsa_token, ( 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOjk0NjY4NDgwMH0.cuE6ocmdxVHXVrGufzn-_ZbXDV475TPPb5jtSacvJsnR3s3tLIm9yR7MF4vGcCAUGJn2hU_JgSOhs9sxntPPVjdwvC3-sxAwfUQ5AgUCEAF5XC7wTvGhmvufzhAgEG_DNsactCh79P8xRnc0iugtlGNyFp_YK582-ZrlfQEp-7C0L9BNG_JCS2J9DsGR7ojO2xGFkFfzezKRkrVTJMPLwpl0JAiZ0iqbQE-Tex7redCrGI388_mgh52GLsNlSIvW2gQMqCVMYndMuYx32Pd5tuToZmLUQ2PJ9RyAZ4fOMApTzoshItg4lGqtnt9CDYzypHULJZohJIPcxFVZZfHxhw', 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjk0NjY4NDgwMH0.pzHTOaVvKJMMkSqksGh-NdeEvQy8Thre3hBM3smUW5Sohtg77KnHpaUYjq30DyRmYQRmPSjEVprh1Yvic_-OeAXPW8WVsF-r4YdJuxWUpuZbIPwJ9E-cMfTZkDkOl18z1zOdlsLtsP2kXyAlptyy9QQsM7AxoqM6cyXoQ5TI0geWccgoahTy3cBtA6pmjm7H0nfeDGqpqYQBhtaFmRuIWn-_XtdN9C6NVmRCcZwyjH-rP3oEm6wtuKJEN25sVWlZm8YRQ-rj7A7SNqBB5tFK2anM_iv4rmBlIEkmr_f2s_WqMxn2EWUSNeqbqiwabR6CZUyJtKx1cPG0B2PqOTcZsg', ), ) def test_encode_aud_iss(self): # Should return a JSON web token for the given payload original_payload = {'exp': make_utc(datetime(year=2000, month=1, day=1))} payload = original_payload.copy() rsa_token = self.aud_iss_token_backend.encode(payload) # Assert that payload has not been mutated by the encode() function self.assertEqual(payload, original_payload) # Token could be one of 12 depending on header dict ordering self.assertIn( rsa_token, ( 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOjk0NjY4NDgwMCwiYXVkIjoib3BlbmlkLWNsaWVudC1pZCIsImlzcyI6Imh0dHBzOi8vd3d3Lm15b2lkY3Byb3ZpZGVyLmNvbSJ9.kSz7KyUZgpKaeQHYSQlhsE-UFLG2zhBiJ2MFCIvhstA4lSIKj3U1fdP1OhEDg7X66EquRRIZrby6M7RncqCdsjRwKrEIaL74KgC4s5PDXa_HC6dtpi2GhXqaLz8YxfCPaNGZ_9q9rs4Z4O6WpwBLNmMQrTxNno9p0uT93Z2yKj5hGih8a9C_CSf_rKtsHW9AJShWGoKpR6qQFKVNP1GAwQOQ6IeEvZenq_LSEywnrfiWp4Y5UF7xi42wWx7_YPQtM9_Bp5sB-DbrKg_8t0zSc-OHeVDgH0TKqygGEea09W0QkmJcROkaEbxt2LxJg9OuSdXgudVytV8ewpgNtWNE4g', 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOjk0NjY4NDgwMCwiaXNzIjoiaHR0cHM6Ly93d3cubXlvaWRjcHJvdmlkZXIuY29tIiwiYXVkIjoib3BlbmlkLWNsaWVudC1pZCJ9.l-sJR5VKGKNrEn5W8sfO4tEpPq4oQ-Fm5ttQyqUkF6FRJHmCfS1TZIUSXieDLHmarnb4hdIGLr5y-EAbykiqYaTn8d25oT2_zIPlCYHt0DxxeuOliGad5l3AXbWee0qPoZL7YCV8FaSdv2EjtMDOEiJBG5yTkaqZlRmSkbfqu1_y2DRErv3X5LpfEHuKoum4jv5YpoCS6wAWDaWJ9cXMPQaGc4gXg4cuSQxb_EjiQ3QYyztHhG37gOu1J-r_rudaiiIk_VZQdYNfCcirp8isS0z2dcNij_0bELp_oOaipsF7uwzc6WfNGR7xP50X1a_K6EBZzVs0eXFxvl9b3C_d8A', 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJvcGVuaWQtY2xpZW50LWlkIiwiZXhwIjo5NDY2ODQ4MDAsImlzcyI6Imh0dHBzOi8vd3d3Lm15b2lkY3Byb3ZpZGVyLmNvbSJ9.aTwQEIxSzhI5fN4ffQMzZ6h61Ur-Gzh_gPkgOyyWvMX890Z18tC2RisEjXeL5xDGKe2XiEAVtuJa9CjXB9eJoCxNN1k05C-ph82cco-0m_TbMbs0d1MFnfC9ESr4JKynP_Klxi8bi0iZMazduT15pH4UhRkEGsnp8rOKtlt_8_8UOGBJAzG34161lM4JbZqrZDit1DvQdGxaC0lmMgosKg3NDMECfkPe3pGLJ5F_su5yhQk0xyKNCjYyE2FNlilWoDV2KkGiCWdsFOgRMAJwHZ-cdgPg8Vyh2WthBNblsbRVfDrGtfPX0VuW5B0RhBhvI5Iut34P9kkxKRFo3NaiEg', 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJvcGVuaWQtY2xpZW50LWlkIiwiaXNzIjoiaHR0cHM6Ly93d3cubXlvaWRjcHJvdmlkZXIuY29tIiwiZXhwIjo5NDY2ODQ4MDB9.w46s7u28LgsnmK6K_5O15q1SFkKeRgkkplFLi5idq1z7qJjXUi45qpXIyQw3W8a0k1fwa22WB_0XC1MTo22OK3Z0aGNCI2ZCBxvZGOAc1WcCUae44a9LckPHp80q0Hs03NvjsuRVLGXRwDVHrYxuGnFxQSEMbZ650-MQkfVFIXVzMOOAn5Yl4ntjigLcw8iPEqJPnDLdFUSnObZjRzK1M6mJf0-125pqcFsCJaa49rjdbTtnN-VuGnKmv9wV1GwevRQPWjx2vinETURVO9IyZCDtdaLJkvL7Z5IpToK5jrZPc1UWAR0VR8WeWfussFoHzJF86LxVxnqIeXnqOhq5SQ', 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL3d3dy5teW9pZGNwcm92aWRlci5jb20iLCJhdWQiOiJvcGVuaWQtY2xpZW50LWlkIiwiZXhwIjo5NDY2ODQ4MDB9.Np_SJYye14vz0cvALvfYNqZXvXMD_gY6kIaxA458kbeu6veC_Ds45uWgjJFhTSYFAFWd3TB6M7qZbWgiO0ycION2-B9Yfgaf82WzNtPfgDhu51w1cbLnvuOSRvgX69Q6Z2i1SByewKaSDw25BaMv9Ty4DBdoCbG62qELnNKjDSQvuHlz8cRJv2I6xJBeOYgZV-YN8Zmxsles44a57Vvcj-DjVouHj5m4LperIxb9islNUQBPRTbvw1d_tR8O8ny0mQqbsWL7e2J-wfwdduVf1kVCPePkhHMM6GLhPIrSoTgMzZuRYLBJ61yphuDK98zTknNBM-Jtn5cMyBwP9JBJvA', 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL3d3dy5teW9pZGNwcm92aWRlci5jb20iLCJleHAiOjk0NjY4NDgwMCwiYXVkIjoib3BlbmlkLWNsaWVudC1pZCJ9.KJcWZtEluPrkRbYj2i_QmdWpZqGZt63Q8nO4QAJ4B4418ZfmgB6A54_vUmWd3Xc18DYgReLoNPlaOuRXtR7rzlMk0-ADjV0bsca5NwTNAV2F-gR9Xsr9iFlcPMNAYf4CAs85gg7deMIxlbGTAaoft__58ah2_vdd8o_nem1PdzsPC198AYtcwnIV206qpeCNR8S_ZTU46OaHwCoySVRx9E7tNG13YSCmGvBaEqgQHKH82qLXo0KivFrjGmGP0xePFG1B8HCZl-LH1euXGGCp6S48q-tmepX5GJwvzaZNBam4pfxQ0GIHa7z11e7sEN-196iDPCK8NzDcXFwHOAnyaA', 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjk0NjY4NDgwMCwiYXVkIjoib3BlbmlkLWNsaWVudC1pZCIsImlzcyI6Imh0dHBzOi8vd3d3Lm15b2lkY3Byb3ZpZGVyLmNvbSJ9.MfhVcFN-9Rd0j11CLtxopzREKdyJH1loSpD4ibjP6Aco4-iM5C99B6gliPgOldtuevhneXV2I7NGhmZFULaYhulcLrAgKe3Gj_TK-sHvwb62e14ArugmK_FAhN7UqbX8hU9wP42LaWXqA7ps4kkJSx-sfgHqMzCKewlAZWwyZBoFgWEgoheKZ7ILkSGf0jzBZlS_1R0jFRSrlYD9rI1S4Px-HllS0t32wRCSbzkp6aVMRs46S0ePrN1mK3spsuQXtYhE2913ZC7p2KwyTGfC2FOOeJdRJknh6kI3Z7pTcsjN2jnQN3o8vPEkN3wl7MbAgAsHcUV45pvyxn4SNBmTMQ', 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjk0NjY4NDgwMCwiaXNzIjoiaHR0cHM6Ly93d3cubXlvaWRjcHJvdmlkZXIuY29tIiwiYXVkIjoib3BlbmlkLWNsaWVudC1pZCJ9.3NjgS14SGFyJ6cix2XJZFPlcyeSu4LSduEMUIH0grJuCljbhalyoib5s4JnBaK4slKrQv1WHlhnKB737hX1FF7_EwQM3toCf--DBjrIuq5cYK3rzcn71JDe_op3CvClwpVyxd2vQZtQfP_tWqN6cNTuWF8ZQ0rJGug6Zb-NeE5h68YK_9tXLZC_i5anyjjAVONOc3Nd-TeIUBaLQKQXOddw0gcTcA7vg3uS0gXTEDq-_ZkF-v9bn1ua4_lgRPbuaYvrBFbXSCEdvNORPfPz4zfL3XU09q0gmnmXC9nxjUFVX4BjkP_YiCCO42sqUKY4y7STTB_IkK_04e2wntonVZA', 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL3d3dy5teW9pZGNwcm92aWRlci5jb20iLCJleHAiOjk0NjY4NDgwMCwiYXVkIjoib3BlbmlkLWNsaWVudC1pZCJ9.b4pdohov81oqzLyCIp4y7e4VYz7LSez7bH0t1o0Zwzau1uXPYXcasT9lxxNMEEiZwHIovPLyWQ6XvF0bMWTk9vc4PyIpkLqsLBJPsuQ-wYUOD04fECmqUX_JaINqm2pPbohTcOQwl0xsE1UMIKTFBZDL1hEXGEMdW9lrPcXilhbC1ikyMpzsmVh55Q_wL2GqydssnOOcDQTqEkWoKvELJJhBcE-YuQkUp8jEVhF3VZ4jEZkzCErTlyXcfe1qXZHkWtw2QNo9s_SfLuRy_fACOo8XE9pHBoE7rqiSm-FmISgiLO1Jj3Pqq-abjN4SnAbU7PZWcV3fUoO1eYLGORmAcw', 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL3d3dy5teW9pZGNwcm92aWRlci5jb20iLCJhdWQiOiJvcGVuaWQtY2xpZW50LWlkIiwiZXhwIjo5NDY2ODQ4MDB9.yDGMBeee4hj8yDtEvVtIsS4tnkPjDMQADTkNh74wtb3oYPgQNqMRWKngXiwjvW2FmnsCUue2cFzLgTbpqlDq0QKcBP0i_UwBiXk9m2wLo0WRFtgw2zNHYSsowu26sFoEjKLgpPZzKrPlU4pnxqa8u3yqg8vIcSTlpX8t3uDqNqhUKP6x-w6wb25h67XDmnORiMwhaOZE_Gs9-H6uWnKdguTIlU1Tj4CjUEnZgZN7dJORiDnO_vHiAyL5yvRjhp5YK0Pq-TtCj5kWoJsjQiKc4laIcgofAKoq_b62Psns8MhxzAxwM7i0rbQZXXYB0VKMUho88uHlpbSWCZxu415lWw', 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJvcGVuaWQtY2xpZW50LWlkIiwiaXNzIjoiaHR0cHM6Ly93d3cubXlvaWRjcHJvdmlkZXIuY29tIiwiZXhwIjo5NDY2ODQ4MDB9.BHSCjFeXS6B7KFJi1LpQMEd3ib4Bp9FY3WcB-v7dtP3Ay0SxQZz_gxIbi-tYiNCBQIlfKcfq6vELOjE1WJ5zxPDQM8uV0Pjl41hqYBu3qFv4649a-o2Cd-MaSPUSUogPxzTh2Bk4IdM3sG1Zbd_At4DR_DQwWJDuChA8duA5yG2XPkZr0YF1ZJ326O_jEowvCJiZpzOpH9QsLVPbiX49jtWTwqQGhvpKEj3ztTLFo8VHO-p8bhOGEph2F73F6-GB0XqiWk2Dm1yKAunJCMsM4qXooWfaX6gj-WFhPI9kEXNFfGmPal5i1gb17YoeinbdV2kjN42oxast2Iaa3CMldw', 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJvcGVuaWQtY2xpZW50LWlkIiwiZXhwIjo5NDY2ODQ4MDAsImlzcyI6Imh0dHBzOi8vd3d3Lm15b2lkY3Byb3ZpZGVyLmNvbSJ9.s6sElpfKL8WHWfbD_Kbwiy_ip4O082V8ElZqwugvDpS-7yQ3FTvQ3WXqtVAJc-fBZe4ZsBnrXUWwZV0Nhoe6iWKjEjTPjonQWbWL_WUJmIC2HVz18AOISnqReV2rcuLSHQ2ckhsyktlE9K1Rfj-Hi6f3HzzzePEgTsL2ZdBH6GrcmJVDFKqLLrkvOHShoPp7rcwuFBr0J_S1oqYac5O0B-u0OVnxBXTwij0ThrTGMgVCp2rn6Hk0NvtF6CE49Eu4XP8Ue-APT8l5_SjqX9GcrjkJp8Gif_oyBheL-zRg_v-cU60X6qY9wVolO8WodVPSnlE02XyYhLVxvfK-w5129A', ), ) def test_decode_hmac_with_no_expiry(self): no_exp_token = jwt.encode(self.payload, SECRET, algorithm='HS256') self.hmac_token_backend.decode(no_exp_token) def test_decode_hmac_with_no_expiry_no_verify(self): no_exp_token = jwt.encode(self.payload, SECRET, algorithm='HS256') self.assertEqual( self.hmac_token_backend.decode(no_exp_token, verify=False), self.payload, ) def test_decode_hmac_with_expiry(self): self.payload['exp'] = aware_utcnow() - timedelta(seconds=1) expired_token = jwt.encode(self.payload, SECRET, algorithm='HS256') with self.assertRaises(TokenBackendError): self.hmac_token_backend.decode(expired_token) def test_decode_hmac_with_invalid_sig(self): self.payload['exp'] = aware_utcnow() + timedelta(days=1) token_1 = jwt.encode(self.payload, SECRET, algorithm='HS256') self.payload['foo'] = 'baz' token_2 = jwt.encode(self.payload, SECRET, algorithm='HS256') token_2_payload = token_2.rsplit('.', 1)[0] token_1_sig = token_1.rsplit('.', 1)[-1] invalid_token = token_2_payload + '.' + token_1_sig with self.assertRaises(TokenBackendError): self.hmac_token_backend.decode(invalid_token) def test_decode_hmac_with_invalid_sig_no_verify(self): self.payload['exp'] = aware_utcnow() + timedelta(days=1) token_1 = jwt.encode(self.payload, SECRET, algorithm='HS256') self.payload['foo'] = 'baz' token_2 = jwt.encode(self.payload, SECRET, algorithm='HS256') # Payload copied self.payload["exp"] = datetime_to_epoch(self.payload["exp"]) token_2_payload = token_2.rsplit('.', 1)[0] token_1_sig = token_1.rsplit('.', 1)[-1] invalid_token = token_2_payload + '.' + token_1_sig self.assertEqual( self.hmac_token_backend.decode(invalid_token, verify=False), self.payload, ) def test_decode_hmac_success(self): self.payload['exp'] = aware_utcnow() + timedelta(days=1) self.payload['foo'] = 'baz' token = jwt.encode(self.payload, SECRET, algorithm='HS256') # Payload copied self.payload["exp"] = datetime_to_epoch(self.payload["exp"]) self.assertEqual(self.hmac_token_backend.decode(token), self.payload) def test_decode_rsa_with_no_expiry(self): no_exp_token = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256') self.rsa_token_backend.decode(no_exp_token) def test_decode_rsa_with_no_expiry_no_verify(self): no_exp_token = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256') self.assertEqual( self.hmac_token_backend.decode(no_exp_token, verify=False), self.payload, ) def test_decode_rsa_with_expiry(self): self.payload['exp'] = aware_utcnow() - timedelta(seconds=1) expired_token = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256') with self.assertRaises(TokenBackendError): self.rsa_token_backend.decode(expired_token) def test_decode_rsa_with_invalid_sig(self): self.payload['exp'] = aware_utcnow() + timedelta(days=1) token_1 = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256') self.payload['foo'] = 'baz' token_2 = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256') token_2_payload = token_2.rsplit('.', 1)[0] token_1_sig = token_1.rsplit('.', 1)[-1] invalid_token = token_2_payload + '.' + token_1_sig with self.assertRaises(TokenBackendError): self.rsa_token_backend.decode(invalid_token) def test_decode_rsa_with_invalid_sig_no_verify(self): self.payload['exp'] = aware_utcnow() + timedelta(days=1) token_1 = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256') self.payload['foo'] = 'baz' token_2 = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256') token_2_payload = token_2.rsplit('.', 1)[0] token_1_sig = token_1.rsplit('.', 1)[-1] invalid_token = token_2_payload + '.' + token_1_sig # Payload copied self.payload["exp"] = datetime_to_epoch(self.payload["exp"]) self.assertEqual( self.hmac_token_backend.decode(invalid_token, verify=False), self.payload, ) def test_decode_rsa_success(self): self.payload['exp'] = aware_utcnow() + timedelta(days=1) self.payload['foo'] = 'baz' token = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256') # Payload copied self.payload["exp"] = datetime_to_epoch(self.payload["exp"]) self.assertEqual(self.rsa_token_backend.decode(token), self.payload) def test_decode_aud_iss_success(self): self.payload['exp'] = aware_utcnow() + timedelta(days=1) self.payload['foo'] = 'baz' self.payload['aud'] = AUDIENCE self.payload['iss'] = ISSUER token = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256') # Payload copied self.payload["exp"] = datetime_to_epoch(self.payload["exp"]) self.assertEqual(self.aud_iss_token_backend.decode(token), self.payload) def test_decode_rsa_aud_iss_jwk_success(self): self.payload["exp"] = aware_utcnow() + timedelta(days=1) self.payload["foo"] = "baz" self.payload["aud"] = AUDIENCE self.payload["iss"] = ISSUER token = jwt.encode( self.payload, PRIVATE_KEY_2, algorithm="RS256", headers={"kid": "230498151c214b788dd97f22b85410a5"}, ) # Payload copied self.payload["exp"] = datetime_to_epoch(self.payload["exp"]) mock_jwk_module = mock.MagicMock() with patch("rest_framework_simplejwt.backends.PyJWKClient") as mock_jwk_module: mock_jwk_client = mock.MagicMock() mock_signing_key = mock.MagicMock() mock_jwk_module.return_value = mock_jwk_client mock_jwk_client.get_signing_key_from_jwt.return_value = mock_signing_key type(mock_signing_key).key = mock.PropertyMock(return_value=PUBLIC_KEY_2) # Note the PRIV,PUB care is intentially the original pairing jwk_token_backend = TokenBackend( "RS256", PRIVATE_KEY, PUBLIC_KEY, AUDIENCE, ISSUER, JWK_URL ) self.assertEqual(jwk_token_backend.decode(token), self.payload) def test_decode_when_algorithm_not_available(self): token = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256') pyjwt_without_rsa = PyJWS() pyjwt_without_rsa.unregister_algorithm('RS256') def _decode(jwt, key, algorithms, options, audience, issuer, leeway): return pyjwt_without_rsa.decode(jwt, key, algorithms, options) with patch.object(jwt, 'decode', new=_decode): with self.assertRaisesRegex(TokenBackendError, 'Invalid algorithm specified'): self.rsa_token_backend.decode(token) def test_decode_when_token_algorithm_does_not_match(self): token = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256') with self.assertRaisesRegex(TokenBackendError, 'Invalid algorithm specified'): self.hmac_token_backend.decode(token) def test_decode_leeway_hmac_fail(self): self.payload["exp"] = datetime_to_epoch(aware_utcnow() - timedelta(seconds=LEEWAY * 2)) expired_token = jwt.encode(self.payload, SECRET, algorithm='HS256') with self.assertRaises(TokenBackendError): self.hmac_leeway_token_backend.decode(expired_token) def test_decode_leeway_hmac_success(self): self.payload["exp"] = datetime_to_epoch(aware_utcnow() - timedelta(seconds=LEEWAY / 2)) expired_token = jwt.encode(self.payload, SECRET, algorithm='HS256') self.assertEqual( self.hmac_leeway_token_backend.decode(expired_token), self.payload, )