def test_login_info(client):
    """An already-authenticated session can read its own user record via GET /login."""
    json_authenticate(client)
    rv = client.get("/login", data={}, headers={"Content-Type": "application/json"})
    assert rv.status_code == 200

    user_info = rv.jdata["response"]["user"]
    # The id is serialized as a string, and last_update must be exposed next to it.
    assert user_info["id"] == "1"
    assert "last_update" in user_info
def test_bc_password(app, client_nc):
    """A password reset must revoke tokens issued before it (BACKWARDS_COMPAT_AUTH_TOKEN_INVALID).

    Flow: log in, confirm the token works, log out, request a reset, complete the
    reset with include_auth_token=1, then check the old token is refused (401) and
    the newly returned token is accepted.
    """
    json_headers = {"Content-Type": "application/json"}

    login = json_authenticate(client_nc, email="*****@*****.**")
    stale_token = login.json["response"]["user"]["authentication_token"]
    verify_token(client_nc, stale_token)
    json_logout(client_nc, stale_token)

    with capture_reset_password_requests() as reset_requests:
        rv = client_nc.post("/reset", json=dict(email="*****@*****.**"), headers=json_headers)
        assert rv.status_code == 200
    # The reset token is captured from the outgoing request rather than from the HTTP response.
    reset_token = reset_requests[0]["token"]

    rv = client_nc.post(
        "/reset/" + reset_token + "?include_auth_token=1",
        json=dict(password="******", password_confirm="awesome sunset"),
        headers=json_headers,
    )
    assert rv.status_code == 200
    fresh_user = rv.json["response"]["user"]
    assert "authentication_token" in fresh_user

    # Changing the password must invalidate every token issued before the change...
    verify_token(client_nc, stale_token, status=401)
    # ...while the token handed back by the reset endpoint must work.
    verify_token(client_nc, fresh_user["authentication_token"])
def test_bc_password(app, client_nc):
    """Changing the password over token auth must revoke the old token and return a new one.

    Exercises BACKWARDS_COMPAT_AUTH_TOKEN_INVALID through the /change endpoint.
    """
    stale_token = json_authenticate(client_nc).json["response"]["user"]["authentication_token"]
    verify_token(client_nc, stale_token)

    rv = client_nc.post(
        "/change?include_auth_token=1",
        json={
            "password": "******",
            "new_password": "******",
            "new_password_confirm": "new strong password",
        },
        headers={"Content-Type": "application/json", "Authentication-Token": stale_token},
    )
    assert rv.status_code == 200
    fresh_user = rv.json["response"]["user"]
    assert "authentication_token" in fresh_user

    # The token used to authenticate the change itself is now invalid...
    verify_token(client_nc, stale_token, status=401)
    # ...and the replacement returned alongside the response is valid.
    verify_token(client_nc, fresh_user["authentication_token"])
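def test_sending_auth_token_with_json(client):
    """A token supplied in the JSON body under the `auth_token` key authenticates the request.

    The body is serialized with json.dumps instead of %-formatting a string, so a
    token containing a quote or backslash cannot yield a malformed JSON document.
    """
    import json

    token = json_authenticate(client).jdata["response"]["user"]["authentication_token"]
    body = json.dumps({"auth_token": token})
    response = client.post("/token", data=body, headers={"Content-Type": "application/json"})
    assert b"Token Authentication" in response.data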
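def test_sending_auth_token_with_json(client):
    """A token supplied in the JSON body under the `auth_token` key authenticates the request.

    The body is serialized with json.dumps instead of %-formatting a string, so a
    token containing a quote or backslash cannot yield a malformed JSON document.
    """
    import json

    token = json_authenticate(client).jdata['response']['user']['authentication_token']
    body = json.dumps({'auth_token': token})
    response = client.post('/token', data=body, headers={'Content-Type': 'application/json'})
    assert b'Token Authentication' in response.data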
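def test_sending_auth_token_with_json(client):
    """A token supplied in the JSON body under the `auth_token` key authenticates the request.

    The body is serialized with json.dumps instead of %-formatting a string, so a
    token containing a quote or backslash cannot yield a malformed JSON document.
    """
    import json

    token = json_authenticate(client).jdata['response']['user']['authentication_token']
    body = json.dumps({'auth_token': token})
    response = client.post(
        '/token',
        data=body,
        headers={'Content-Type': 'application/json'},
    )
    assert b'Token Authentication' in response.data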
def test_change_uniquifier(app, client_nc):
    """Resetting the user's uniquifier must invalidate tokens issued before the reset."""

    def issue_token():
        return json_authenticate(client_nc).json["response"]["user"]["authentication_token"]

    stale_token = issue_token()
    verify_token(client_nc, stale_token)

    # Rotate the uniquifier straight in the datastore; no HTTP endpoint is involved.
    with app.test_request_context("/"):
        store = app.security.datastore
        store.reset_user_access(store.find_user(email="*****@*****.**"))
        store.commit()

    # The pre-rotation token is now rejected...
    verify_token(client_nc, stale_token, status=401)
    # ...while a token issued after the rotation is accepted.
    verify_token(client_nc, issue_token())
def test_token_change(app, client_nc):
    """A password change is possible with token authentication alone (no session cookie)."""
    token = json_authenticate(client_nc).json["response"]["user"]["authentication_token"]
    payload = {
        "password": "******",
        "new_password": "******",
        "new_password_confirm": "new strong password",
    }
    rv = client_nc.post(
        "/change?include_auth_token=1",
        json=payload,
        headers={"Content-Type": "application/json", "Authentication-Token": token},
    )
    assert rv.status_code == 200
    # include_auth_token=1 asks the endpoint to return the replacement token in the user object.
    assert "authentication_token" in rv.json["response"]["user"]
def test_authn_freshness_nc(app, client_nc, get_message):
    """Without a session cookie a freshness requirement (within=30) can never be met."""

    @auth_required(within=30)
    def myview():
        return Response(status=200)

    app.add_url_rule("/myview", view_func=myview, methods=["GET"])

    token = json_authenticate(client_nc).json["response"]["user"]["authentication_token"]
    # Token-only client: the token authenticates, but there is no session to carry fresh-auth state.
    rv = client_nc.get("/myview", headers={"Authentication-Token": token}, follow_redirects=False)

    # NOTE(review): the app answers this token-authenticated (non-browser) client with a 302
    # to /verify rather than a 401; API clients that follow redirects will land in an HTML flow.
    assert rv.status_code == 302
    assert rv.location == "http://localhost/verify?next=http%3A%2F%2Flocalhost%2Fmyview"
def test_auth_token_speed(app, client_nc):
    """Micro-benchmark of token verification: 50 authenticated GET /login calls.

    Only prints the elapsed time (run pytest with -s to see it); there is no timing
    assertion. To compare against the old algorithm, comment out the fs_uniquifier
    check in UserMixin.
    """
    import timeit

    token = json_authenticate(client_nc).jdata["response"]["user"]["authentication_token"]
    headers = {"Content-Type": "application/json", "Authentication-Token": token}

    def one_request():
        assert client_nc.get("/login", data={}, headers=headers).status_code == 200

    elapsed = timeit.timeit(one_request, number=50)
    print("Time for 50 iterations: ", elapsed)
def test_token_query(in_app_context):
    """Token-only authentication (no session) should cost exactly one DB query to load the user."""
    app = in_app_context
    populate_data(app)
    client_nc = app.test_client(use_cookies=False)
    token = json_authenticate(client_nc).jdata["response"]["user"]["authentication_token"]

    before = get_num_queries(app.security.datastore)
    rv = client_nc.get(
        "/token",
        headers={"Content-Type": "application/json", "Authentication-Token": token},
    )
    assert rv.status_code == 200
    after = get_num_queries(app.security.datastore)

    # A None count presumably means this datastore cannot report query counts; only
    # assert on the delta when a number is available.
    assert before is None or after == before + 1
def test_inactive_forbids_token(app, client_nc, get_message):
    """Deactivating a user must make their already-issued token unusable (401)."""
    login = json_authenticate(client_nc)
    assert login.status_code == 200
    headers = {"Authentication-Token": login.jdata["response"]["user"]["authentication_token"]}

    # Sanity check: the token is accepted while the account is active.
    assert b"Token Authentication" in client_nc.get("/token", headers=headers).data

    # Flip the account to inactive directly in the datastore.
    with app.test_request_context("/"):
        store = app.security.datastore
        store.deactivate_user(store.find_user(email="*****@*****.**"))
        store.commit()

    # Same token, same endpoint: now refused.
    rv = client_nc.get("/token", content_type="application/json", headers=headers)
    assert rv.status_code == 401
def test_session_query(in_app_context):
    """Token auth with a session cookie also present costs two DB queries to load the user.

    The session loads the user once, and auth_token_required loads it a second time
    because the token has to be validated on its own: the user referenced by the
    session and the one referenced by the token are not guaranteed to be the same.
    """
    app = in_app_context
    populate_data(app)
    client = app.test_client()
    token = json_authenticate(client).jdata["response"]["user"]["authentication_token"]

    before = get_num_queries(app.security.datastore)
    rv = client.get(
        "/token",
        headers={"Content-Type": "application/json", "Authentication-Token": token},
    )
    assert rv.status_code == 200
    after = get_num_queries(app.security.datastore)

    # A None count presumably means this datastore cannot report query counts; only
    # assert on the delta when a number is available.
    assert before is None or after == before + 2
def test_invalid_json_auth(client):
    """A wrong password on the JSON login endpoint reports code 400 in the response body."""
    rv = json_authenticate(client, password='******')
    # Matched on the raw bytes rather than a parsed body.
    assert b'"code": 400' in rv.data
def test_ok_json_auth(client):
    """A successful JSON login reports code 200 and carries an authentication_token."""
    body = json_authenticate(client).jdata
    assert body['meta']['code'] == 200
    assert 'authentication_token' in body['response']['user']
def test_multi_auth_token(client):
    """The multi-auth endpoint accepts a token passed as the auth_token query parameter."""
    token = json_authenticate(client).jdata['response']['user']['authentication_token']
    # NOTE(review): query-string tokens typically end up in access logs and Referer headers;
    # this test exercises that transport on purpose.
    rv = client.get('/multi_auth?auth_token=' + token)
    assert b'Token' in rv.data
def test_token_auth_via_header_valid_token(client):
    """A valid token sent in the Authentication-Token header authenticates GET /token."""
    token = json_authenticate(client).jdata['response']['user']['authentication_token']
    rv = client.get('/token', headers={"Authentication-Token": token})
    assert b'Token Authentication' in rv.data
def test_token_auth_via_querystring_valid_token(client):
    """A valid token sent as the auth_token query parameter authenticates GET /token."""
    token = json_authenticate(client).jdata['response']['user']['authentication_token']
    # NOTE(review): query-string tokens typically end up in access logs and Referer headers;
    # this test exercises that transport on purpose.
    rv = client.get('/token?auth_token=' + token)
    assert b'Token Authentication' in rv.data
def test_token_auth_via_querystring_valid_token(client):
    """A valid token sent as the auth_token query parameter authenticates GET /token."""
    token = json_authenticate(client).jdata["response"]["user"]["authentication_token"]
    # NOTE(review): query-string tokens typically end up in access logs and Referer headers;
    # this test exercises that transport on purpose.
    rv = client.get("/token?auth_token=" + token)
    assert b"Token Authentication" in rv.data
def test_multi_auth_token(client):
    """The multi-auth endpoint accepts a token passed as the auth_token query parameter."""
    token = json_authenticate(client).jdata["response"]["user"]["authentication_token"]
    # NOTE(review): query-string tokens typically end up in access logs and Referer headers;
    # this test exercises that transport on purpose.
    rv = client.get("/multi_auth?auth_token=" + token)
    assert b"Token" in rv.data
def test_token_auth_via_header_valid_token(client):
    """A valid token sent in the Authentication-Token header authenticates GET /token."""
    token = json_authenticate(client).jdata["response"]["user"]["authentication_token"]
    rv = client.get("/token", headers={"Authentication-Token": token})
    assert b"Token Authentication" in rv.data
def test_ok_json_auth(client):
    """A successful JSON login reports code 200 and carries an authentication_token."""
    body = json_authenticate(client).jdata
    assert body["meta"]["code"] == 200
    assert "authentication_token" in body["response"]["user"]