Example #1
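 def test_reset_numeric_password(self):
     """Reject a correctly signed reset whose new password is digits only.

     The view must answer with a bad-request response and the stored
     password must still be the old one afterwards.
     """
     # Constructed sample values: the listing shows both literals masked as
     # '******'. With identical old and new values the final check_password()
     # assertion cannot tell a rejected reset from an applied one.
     old_password = 'old-Sample-pw-4821'
     new_password = '7391046285'  # digits only, the case under test
     user = self.create_test_user(password=old_password)
     signer = ResetPasswordSigner({'user_id': user.pk})
     data = signer.get_signed_data()
     # The password is added after signing; only the signer's own fields are
     # part of the signed payload built above.
     data['password'] = new_password
     request = self.factory.post('', data)
     response = reset_password(request)
     # NOTE(review): the rejection presumably comes from the project's
     # password validators, which are not visible here.
     self.assert_response_is_bad_request(response)
     # Reload so the check runs against what was persisted.
     user.refresh_from_db()
     self.assertTrue(user.check_password(old_password))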
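 def test_reset_short_password(self):
     """Reject a correctly signed reset whose new password is too short.

     The view must answer with a bad-request response and the stored
     password must still be the old one afterwards.
     """
     # Constructed sample values: the listing shows both literals masked as
     # '******'. With identical old and new values the final check_password()
     # assertion cannot tell a rejected reset from an applied one.
     old_password = 'old-Sample-pw-4821'
     new_password = 'Xq7'  # deliberately short, the case under test
     user = self.create_test_user(password=old_password)
     signer = ResetPasswordSigner({'user_id': user.pk})
     data = signer.get_signed_data()
     data['password'] = new_password
     request = self.create_post_request(data)
     response = self.view_func(request)
     # NOTE(review): the minimum length is presumably set by the project's
     # password validators, which are not visible here.
     self.assert_response_is_bad_request(response)
     # Reload so the check runs against what was persisted.
     user.refresh_from_db()
     self.assertTrue(user.check_password(old_password))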
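 def test_reset_with_username_as_verification_id_ok(self):
     """Accept a reset whose signed ``user_id`` carries the username.

     The signed payload holds ``user.username`` instead of the primary key;
     the view must answer OK and the new password must be stored.
     """
     # NOTE(review): presumably the enclosing test case configures the
     # username as the verification id field; that setup is not visible here.
     # Constructed sample values: the listing shows both literals masked as
     # '******'. With identical values check_password(new_password) would
     # also pass if the view had written nothing.
     old_password = 'old-Sample-pw-4821'
     new_password = 'new-Sample-pw-9375'
     user = self.create_test_user(password=old_password)
     signer = ResetPasswordSigner({'user_id': user.username})
     data = signer.get_signed_data()
     data['password'] = new_password
     request = self.create_post_request(data)
     response = self.view_func(request)
     self.assert_response_is_ok(response)
     # Reload so the check runs against what was persisted.
     user.refresh_from_db()
     self.assertTrue(user.check_password(new_password))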
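 def test_reset_unverified_user(self):
     """Accept a signed reset for a user created with ``is_active=False``.

     The view must answer OK and the new password must be stored.
     """
     # NOTE(review): this pins that an inactive account may still reset its
     # password. Whether the reset also changes ``is_active`` is not asserted
     # here; confirm that is intended for the account-verification flow.
     # Constructed sample values: the listing shows both literals masked as
     # '******'. With identical values check_password(new_password) would
     # also pass if the view had written nothing.
     old_password = 'old-Sample-pw-4821'
     new_password = 'new-Sample-pw-9375'
     user = self.create_test_user(password=old_password, is_active=False)
     signer = ResetPasswordSigner({'user_id': user.pk})
     data = signer.get_signed_data()
     data['password'] = new_password
     request = self.create_post_request(data)
     response = self.view_func(request)
     self.assert_response_is_ok(response)
     # Reload so the check runs against what was persisted.
     user.refresh_from_db()
     self.assertTrue(user.check_password(new_password))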
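 def test_ok(self):
     """Accept a valid signed reset posted through the test client.

     The response must be a 302 redirect to ``SUCCESS_URL`` and the new
     password must be stored.
     """
     # Constructed sample values: the listing shows both literals masked as
     # '******'. With identical values check_password(new_password) would
     # also pass if the view had written nothing.
     old_password = 'old-Sample-pw-4821'
     new_password = 'new-Sample-pw-9375'
     user = self.create_test_user(password=old_password)
     signer = ResetPasswordSigner({'user_id': user.pk})
     data = signer.get_signed_data()
     data['password'] = new_password
     response = self.client.post(self.view_url, data=data)
     self.assertEqual(response.status_code, 302)
     self.assertEqual(response.url, SUCCESS_URL)
     # Reload so the check runs against what was persisted.
     user.refresh_from_db()
     self.assertTrue(user.check_password(new_password))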
Example #6
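 def test_reset_tampered_timestamp(self):
     """Reject a reset whose ``timestamp`` was changed after signing.

     The view must answer with HTTP 400 and the stored password must still
     be the old one afterwards.
     """
     # Constructed sample values: the listing shows both literals masked as
     # '******'. With identical old and new values the final check_password()
     # assertion cannot tell a rejected reset from an applied one.
     old_password = 'old-Sample-pw-4821'
     new_password = 'new-Sample-pw-9375'
     user = self.create_test_user(password=old_password)
     signer = ResetPasswordSigner({'user_id': user.pk})
     data = signer.get_signed_data()
     # Alter a signer-produced field without re-signing. The test expects the
     # view to refuse the request, i.e. the timestamp must be bound to the
     # signature rather than trusted as sent.
     data['timestamp'] += 1
     data['password'] = new_password
     request = self.factory.post('', data)
     response = reset_password(request)
     self.assert_invalid_response(response, status.HTTP_400_BAD_REQUEST)
     # Reload so the check runs against what was persisted.
     user.refresh_from_db()
     self.assertTrue(user.check_password(old_password))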
Example #7
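 def test_reset_password_same_as_username(self):
     """Reject a signed reset whose new password equals the username.

     The view must answer with a bad-request response and the stored
     password must still be the old one afterwards.
     """
     # Constructed sample values: the listing shows the username and the old
     # password both masked as '******'. That makes the new password equal to
     # the old one, so the final check_password() assertion cannot tell a
     # rejected reset from an applied one. The username is long and
     # non-numeric so that only the similarity rule should apply.
     username = 'sample-reset-user-5731'
     old_password = 'old-Sample-pw-4821'
     new_password = username
     user = self.create_test_user(username=username, password=old_password)
     signer = ResetPasswordSigner({'user_id': user.pk})
     data = signer.get_signed_data()
     data['password'] = new_password
     request = self.factory.post('', data)
     response = reset_password(request)
     # NOTE(review): the rejection presumably comes from a user-attribute
     # similarity validator, which is not visible here.
     self.assert_response_is_bad_request(response)
     # Reload so the check runs against what was persisted.
     user.refresh_from_db()
     self.assertTrue(user.check_password(old_password))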
Example #8
def test_when_confirm_enabled_and_no_password_confirm_field_then_reset_password_fails(  # noqa: E501
        settings_with_reset_password_verification, user, password_change,
        api_view_provider, api_factory):
    """Reject a signed reset that omits the password confirmation field.

    The payload carries only the signer's fields and ``password``. The view
    must answer with a bad-request response and keep the old password.
    """
    # NOTE(review): settings_with_reset_password_verification is requested
    # only for its setup effect; presumably it enables the confirmation
    # requirement named in the test title. Confirm against the fixture.
    payload = ResetPasswordSigner({'user_id': user.pk}).get_signed_data()
    payload['password'] = password_change.new_value

    reply = api_view_provider.view_func(
        api_factory.create_post_request(payload))

    assert_response_is_bad_request(reply)
    # Reload so the check runs against what was persisted.
    user.refresh_from_db()
    assert user.check_password(password_change.old_value)
Example #9
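 def test_reset_expired(self):
     """Reject a validly signed reset that is submitted eight days later.

     The payload is signed with the clock frozen at ``timestamp`` and the
     view runs with the clock frozen eight days after that. The view must
     answer with HTTP 400 and keep the old password.
     """
     timestamp = int(time.time())
     # Constructed sample values: the listing shows both literals masked as
     # '******'. With identical old and new values the final check_password()
     # assertion cannot tell a rejected reset from an applied one.
     old_password = 'old-Sample-pw-4821'
     new_password = 'new-Sample-pw-9375'
     user = self.create_test_user(password=old_password)
     # Freeze the clock while signing so the embedded time is known.
     with patch('time.time', side_effect=lambda: timestamp):
         signer = ResetPasswordSigner({'user_id': user.pk})
         data = signer.get_signed_data()
     data['password'] = new_password
     request = self.factory.post('', data)
     # NOTE(review): eight days is presumably longer than the configured
     # validity period of a reset link; confirm against the test settings.
     with patch('time.time', side_effect=lambda: timestamp + 3600 * 24 * 8):
         response = reset_password(request)
     self.assert_invalid_response(response, status.HTTP_400_BAD_REQUEST)
     # Reload so the check runs against what was persisted.
     user.refresh_from_db()
     self.assertTrue(user.check_password(old_password))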
    def test_signer_with_different_secret_keys(self):
        """Check that the signature changes when ``SECRET_KEY`` changes.

        The same payload is signed once under each of two overridden
        ``SECRET_KEY`` values and the two signatures must differ.
        """
        user = self.create_test_user(is_active=False)
        payload = {'user_id': user.pk}
        # Fixture keys that exist only for this test.
        first_key = '#0ka!t#6%28imjz+2t%l(()yu)tg93-1w%$du0*po)*@l+@+4h'
        second_key = 'feb7tjud7m=91$^mrk8dq&nz(0^!6+1xk)%gum#oe%(n)8jic7'
        produced = []
        for key in (first_key, second_key):
            # The signer is built inside the override so that it is created
            # and used under the key being tested.
            with override_settings(SECRET_KEY=key):
                key_signer = ResetPasswordSigner(payload)
                signed = key_signer.get_signed_data()
                produced.append(signed[key_signer.SIGNATURE_FIELD])

        first_signature, second_signature = produced
        assert first_signature != second_signature
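 def test_one_time_reset_twice_fail(self):
     """Reject a second reset that reuses already consumed signed data.

     The first request must succeed and store the first new password. The
     second request reuses the same signed fields with another password. It
     must get a bad-request response and the first new password must stay.
     """
     # NOTE(review): presumably the enclosing test case enables one-time-use
     # reset links; that setup is not visible here.
     # Constructed sample values: the listing shows all three literals masked
     # as '******'. With identical values neither check_password() assertion
     # can tell which request, if any, changed the password.
     old_password = 'old-Sample-pw-4821'
     new_first_password = 'new-Sample-pw-9375'
     new_second_password = 'new-Sample-pw-2064'
     user = self.create_test_user(password=old_password)
     signer = ResetPasswordSigner({'user_id': user.pk})
     data = signer.get_signed_data()
     data['password'] = new_first_password
     request = self.create_post_request(data)
     response = self.view_func(request)
     self.assert_response_is_ok(response)
     user.refresh_from_db()
     self.assertTrue(user.check_password(new_first_password))
     # Replay: same signature and timestamp, only the password differs.
     data['password'] = new_second_password
     request = self.create_post_request(data)
     response = self.view_func(request)
     self.assert_response_is_bad_request(response)
     # Reload so the check runs against what was persisted.
     user.refresh_from_db()
     self.assertTrue(user.check_password(new_first_password))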
def user_signed_data(user):
    """Return the signed reset-password payload for ``user``.

    The signed content is ``{'user_id': user.pk}``. The result is whatever
    ``ResetPasswordSigner.get_signed_data()`` produces for it.
    """
    # NOTE(review): treat the returned data as a credential for this user's
    # password reset and keep it out of logs and shared test output.
    return ResetPasswordSigner({'user_id': user.pk}).get_signed_data()