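def test_reset_password(self, client, db, user):
    """End-to-end password reset: request, open reset link, submit new password.

    Checks that the reset form is only served for a valid (user id, token
    value) pair, that submitting matching password/confirm values changes the
    password, and that the token is single-use.
    """
    # Request a password reset for the user's email address.
    client.post(url_for('auth.forgot_password'), dict(email=user.email)).follow()

    # The request must have minted a valid UserPasswordToken.
    valid_token = UserPasswordToken.valid_token(user.id)
    assert valid_token

    # A bogus token value for a real user must not render the reset form.
    # The bogus token is passed as `value`, the same parameter the valid
    # request below uses, so the token comparison itself is exercised rather
    # than the missing-parameter path.
    res = client.get(url_for('auth.reset_password', userid=user.id, value="moop"))
    assert not res.forms.get('reset-form')

    # The correct (user id, token value) pair renders the reset form.
    res = client.get(url_for('auth.reset_password', userid=user.id, value=valid_token.value))
    reset_form = res.forms.get('reset-form')
    assert reset_form

    # Submit matching password and confirm fields; the password must change.
    # Both fields carry the same value so a confirm-mismatch rejection cannot
    # be confused with the reset itself failing.
    new_password = 'joejoe'
    reset_form['password'] = new_password
    reset_form['confirm'] = new_password
    reset_form.submit()
    assert user.verify_password(new_password)

    # The token is consumed: no valid token remains for the user ...
    assert not UserPasswordToken.valid_token(user.id)

    # ... and replaying the old reset link no longer renders the form.
    res = client.get(url_for('auth.reset_password', userid=user.id, value=valid_token.value))
    assert not res.forms.get('reset-form')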
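def test_get_or_create_token(self, user, db):
    """get_or_create_token reuses a live token and replaces used/expired ones.

    After every step the user must own exactly one token row, i.e. stale
    tokens are replaced rather than accumulated.
    """
    user_tokens_query = db.session.query(UserPasswordToken).filter_by(user_id=user.id)

    # A freshly created user owns no tokens.
    assert user_tokens_query.all() == []

    # With no token present, one is created and it is the user's only token.
    token = UserPasswordToken.get_or_create_token(user.id)
    assert user_tokens_query.all() == [token]

    # While that token is still valid, the very same token is handed back.
    assert UserPasswordToken.get_or_create_token(user.id) == token
    assert user_tokens_query.count() == 1

    # Once the token is marked used, a fresh one replaces it and the user
    # still owns exactly one token.
    token.update(used=True)
    unused_token = UserPasswordToken.get_or_create_token(user.id)
    assert unused_token != token
    assert user_tokens_query.count() == 1

    # Once the token has expired, a fresh one replaces it as well.
    unused_token.update(expiration_dt=expired_date())
    unexpired_token = UserPasswordToken.get_or_create_token(user.id)
    assert unexpired_token != token
    assert unexpired_token != unused_token
    assert user_tokens_query.count() == 1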
def test_used_token_is_not_valid(self, user, db):
    """A token becomes invalid as soon as it is marked used."""
    fresh_token = UserPasswordToken(user=user).save(db.session)
    # Straight out of the constructor the token is usable.
    assert fresh_token.invalid is False

    fresh_token.update(used=True)
    # Marking it used is enough to invalidate it; no further save is needed.
    assert fresh_token.invalid is True
def test_forgot_password(self, client, db, user):
    """The forgot-password form rejects a bad email and mints a token for a good one."""
    # Nothing has been requested yet, so no valid token exists.
    assert not UserPasswordToken.valid_token(user.id)

    page = client.get(url_for('auth.forgot_password'), status=200)

    # A malformed email is rejected and the form is rendered again.
    forgot_form = page.forms['forgot-form']
    forgot_form['email'] = 'moop'
    page = forgot_form.submit()
    assert page.forms.get('forgot-form')

    # The user's real email is accepted and the form disappears.
    forgot_form = page.forms['forgot-form']
    forgot_form['email'] = user.email
    page = forgot_form.submit()
    assert not page.forms.get('forgot-form')

    # The accepted request created a valid UserPasswordToken.
    assert UserPasswordToken.valid_token(user.id)
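def test_invalid_tokens(self, user, db):
    """invalid_tokens returns exactly the used and expired tokens of a user.

    A still-valid token is created alongside them to verify it is excluded
    from the result, not merely that the invalid ones are included.
    """
    used_token = UserPasswordToken(user=user, used=True).save()
    expired_token = UserPasswordToken(user=user, expiration_dt=expired_date()).save()
    valid_token = UserPasswordToken(user=user, used=False).save()

    invalid_tokens = set(UserPasswordToken.invalid_tokens(user_id=user.id).all())

    # Both kinds of invalid token are captured, and nothing else.
    assert invalid_tokens == {used_token, expired_token}
    # The live token must not be reported as invalid.
    assert valid_token not in invalid_tokens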
def test_expired_token_is_not_valid(self, user, db):
    """A token becomes invalid once its expiration date is in the past."""
    fresh_token = UserPasswordToken(user=user).save(db.session)
    # Straight out of the constructor the token is usable.
    assert fresh_token.invalid is False

    # Push the expiration into the past and persist it.
    fresh_token.update(expiration_dt=expired_date())
    fresh_token.save(db.session)
    assert fresh_token.invalid is True
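def test_reset_password(self, client, db, user):
    """End-to-end password reset: request, open reset link, submit new password.

    Checks that the reset form is only served for a valid (user id, token
    value) pair, that submitting matching password/confirm values changes the
    password, and that the token is single-use.
    """
    # Request a password reset for the user's email address.
    client.post(url_for('auth.forgot_password'), dict(email=user.email)).follow()

    # The request must have minted a valid UserPasswordToken.
    valid_token = UserPasswordToken.valid_token(user.id)
    assert valid_token

    # A bogus token value for a real user must not render the reset form.
    # It is passed as `value`, the same parameter the valid request below
    # uses, so the token comparison itself is exercised rather than the
    # missing-parameter path.
    res = client.get(
        url_for('auth.reset_password', userid=user.id, value="moop"))
    assert not res.forms.get('reset-form')

    # The correct (user id, token value) pair renders the reset form.
    res = client.get(
        url_for('auth.reset_password', userid=user.id, value=valid_token.value))
    reset_form = res.forms.get('reset-form')
    assert reset_form

    # Submit matching password and confirm fields; the password must change.
    # Both fields carry the same value so a confirm-mismatch rejection cannot
    # be confused with the reset itself failing.
    new_password = 'joejoe'
    reset_form['password'] = new_password
    reset_form['confirm'] = new_password
    reset_form.submit()
    assert user.verify_password(new_password)

    # The token is consumed: no valid token remains for the user ...
    assert not UserPasswordToken.valid_token(user.id)

    # ... and replaying the old reset link no longer renders the form.
    res = client.get(
        url_for('auth.reset_password', userid=user.id, value=valid_token.value))
    assert not res.forms.get('reset-form')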
def test_unique_expiration_dt(self, user, db):
    """Two tokens saved one after the other do not share an expiration date."""
    first = UserPasswordToken(user=user).save()
    second = UserPasswordToken(user=user).save()
    # NOTE(review): this relies on the two saves getting distinct timestamps;
    # how expiration_dt is derived is not visible here — confirm its
    # resolution is fine enough for back-to-back creation.
    assert first.expiration_dt != second.expiration_dt
def test_token_values_unique(self, user, db):
    """Two tokens minted for the same user carry different values."""
    first = UserPasswordToken(user=user).save()
    second = UserPasswordToken(user=user).save()
    # NOTE(review): two differing values show uniqueness, not unpredictability;
    # how `value` is generated is not visible here — confirm it uses a
    # cryptographically secure source.
    assert first.value != second.value
def test_valid_token(self, user, db):
    """valid_token skips a used token and returns the user's live one."""
    # A used token exists for the same user and must be ignored.
    UserPasswordToken(user=user, used=True).save()
    live_token = UserPasswordToken(user=user).save()
    assert UserPasswordToken.valid_token(user.id) == live_token