def test_login_info(client):
    """GET /login as JSON while already authenticated returns the caller's own user record."""
    json_authenticate(client)

    rv = client.get("/login", data={}, headers={"Content-Type": "application/json"})
    assert rv.status_code == 200

    user_info = rv.jdata["response"]["user"]
    # The fixture user carries id "1"; last_update is expected to be surfaced too.
    assert user_info["id"] == "1"
    assert "last_update" in user_info
def test_bc_password(app, client_nc):
    """A password reset must revoke auth tokens issued before it (BACKWARDS_COMPAT_AUTH_TOKEN_INVALID).

    Flow: log in, prove the token works, log out, reset the password through the
    captured reset token, then check that the old token is rejected while the
    token returned by the reset response is accepted.
    """
    json_hdrs = {"Content-Type": "application/json"}

    login_rv = json_authenticate(client_nc, email="*****@*****.**")
    old_token = login_rv.json["response"]["user"]["authentication_token"]
    verify_token(client_nc, old_token)
    json_logout(client_nc, old_token)

    # Capture the outbound reset request rather than reading mail.
    with capture_reset_password_requests() as reset_reqs:
        rv = client_nc.post(
            "/reset", json=dict(email="*****@*****.**"), headers=json_hdrs
        )
        assert rv.status_code == 200
    reset_token = reset_reqs[0]["token"]

    new_pw = dict(password="******", password_confirm="awesome sunset")
    rv = client_nc.post(
        "/reset/{}?include_auth_token=1".format(reset_token),
        json=new_pw,
        headers=json_hdrs,
    )
    assert rv.status_code == 200
    reset_user = rv.json["response"]["user"]
    assert "authentication_token" in reset_user

    # The pre-reset token must now be dead ...
    verify_token(client_nc, old_token, status=401)
    # ... while the token minted by the reset response works.
    verify_token(client_nc, reset_user["authentication_token"])
def test_bc_password(app, client_nc):
    """A password change must revoke auth tokens issued before it (BACKWARDS_COMPAT_AUTH_TOKEN_INVALID)."""
    old_token = json_authenticate(client_nc).json["response"]["user"]["authentication_token"]
    verify_token(client_nc, old_token)

    payload = {
        "password": "******",
        "new_password": "******",
        "new_password_confirm": "new strong password",
    }
    rv = client_nc.post(
        "/change?include_auth_token=1",
        json=payload,
        headers={"Content-Type": "application/json", "Authentication-Token": old_token},
    )
    assert rv.status_code == 200
    changed_user = rv.json["response"]["user"]
    assert "authentication_token" in changed_user

    # Old token is rejected after the change; the newly issued one is accepted.
    verify_token(client_nc, old_token, status=401)
    verify_token(client_nc, changed_user["authentication_token"])
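def test_sending_auth_token_with_json(client):
    """Token auth via a JSON body: POST {"auth_token": ...} to /token.

    The body is serialised with json.dumps instead of %-formatting so that a
    token containing quotes or backslashes cannot produce malformed JSON or
    smuggle extra keys into the request body.
    """
    import json

    response = json_authenticate(client)
    token = response.jdata["response"]["user"]["authentication_token"]
    data = json.dumps({"auth_token": token})
    response = client.post(
        "/token", data=data, headers={"Content-Type": "application/json"}
    )
    assert b"Token Authentication" in response.data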
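def test_sending_auth_token_with_json(client):
    """Token auth via a JSON body: POST {"auth_token": ...} to /token.

    The body is serialised with json.dumps instead of %-formatting so that a
    token containing quotes or backslashes cannot produce malformed JSON or
    smuggle extra keys into the request body.
    """
    import json

    response = json_authenticate(client)
    token = response.jdata['response']['user']['authentication_token']
    data = json.dumps({'auth_token': token})
    response = client.post('/token',
                           data=data,
                           headers={'Content-Type': 'application/json'})
    assert b'Token Authentication' in response.data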
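def test_sending_auth_token_with_json(client):
    """Token auth via a JSON body: POST {"auth_token": ...} to /token.

    The body is serialised with json.dumps instead of %-formatting so that a
    token containing quotes or backslashes cannot produce malformed JSON or
    smuggle extra keys into the request body.
    """
    import json

    response = json_authenticate(client)
    token = response.jdata['response']['user']['authentication_token']
    data = json.dumps({'auth_token': token})
    response = client.post(
        '/token',
        data=data,
        headers={
            'Content-Type': 'application/json'})
    assert b'Token Authentication' in response.data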
def test_change_uniquifier(app, client_nc):
    """Resetting a user's access (rotating the uniquifier) must invalidate already-issued tokens."""

    def fresh_token():
        return json_authenticate(client_nc).json["response"]["user"]["authentication_token"]

    first = fresh_token()
    verify_token(client_nc, first)

    # Rotate the uniquifier directly through the datastore, inside a request context.
    with app.test_request_context("/"):
        target = app.security.datastore.find_user(email="*****@*****.**")
        app.security.datastore.reset_user_access(target)
        app.security.datastore.commit()

    # The earlier token is now rejected; logging in again yields a working one.
    verify_token(client_nc, first, status=401)
    verify_token(client_nc, fresh_token())
def test_token_change(app, client_nc):
    """A password change must be possible with token auth alone (no session cookie)."""
    token = json_authenticate(client_nc).json["response"]["user"]["authentication_token"]
    hdrs = {"Content-Type": "application/json", "Authentication-Token": token}
    body = {
        "password": "******",
        "new_password": "******",
        "new_password_confirm": "new strong password",
    }

    rv = client_nc.post("/change?include_auth_token=1", json=body, headers=hdrs)
    assert rv.status_code == 200
    # include_auth_token=1 asks the endpoint to return a token in the response body.
    assert "authentication_token" in rv.json["response"]["user"]
def test_authn_freshness_nc(app, client_nc, get_message):
    """Without a session cookie an `auth_required(within=...)` freshness check can never
    be satisfied: a token-only client is redirected to /verify instead of served."""

    @auth_required(within=30)
    def myview():
        return Response(status=200)

    app.add_url_rule("/myview", view_func=myview, methods=["GET"])

    token = json_authenticate(client_nc).json["response"]["user"]["authentication_token"]
    rv = client_nc.get(
        "/myview", headers={"Authentication-Token": token}, follow_redirects=False
    )

    # Expect a redirect to the re-verification page carrying the original URL as `next`.
    assert rv.status_code == 302
    expected_location = "http://localhost/verify?next=http%3A%2F%2Flocalhost%2Fmyview"
    assert rv.location == expected_location
def test_auth_token_speed(app, client_nc):
    """Rough timing of token verification: 50 token-authenticated GET /login calls.

    Only prints the elapsed time; nothing is asserted about it. To compare
    against the old algorithm, comment out the fs_uniquifier check in UserMixin.
    """
    import timeit

    token = json_authenticate(client_nc).jdata["response"]["user"]["authentication_token"]
    hdrs = {"Content-Type": "application/json", "Authentication-Token": token}

    def one_request():
        assert client_nc.get("/login", data={}, headers=hdrs).status_code == 200

    elapsed = timeit.timeit(one_request, number=50)
    print("Time for 50 iterations: ", elapsed)
def test_token_query(in_app_context):
    """Token-only auth (no session cookie) should cost exactly one DB query: the user lookup."""
    app = in_app_context
    populate_data(app)
    client_nc = app.test_client(use_cookies=False)

    token = json_authenticate(client_nc).jdata["response"]["user"]["authentication_token"]
    before = get_num_queries(app.security.datastore)

    rv = client_nc.get(
        "/token",
        headers={"Content-Type": "application/json", "Authentication-Token": token},
    )
    assert rv.status_code == 200

    after = get_num_queries(app.security.datastore)
    # A None count means this datastore does not support query counting; skip the check then.
    if before is not None:
        assert after == before + 1
def test_inactive_forbids_token(app, client_nc, get_message):
    """Deactivating a user must make their previously valid auth token stop working."""
    login_rv = json_authenticate(client_nc)
    assert login_rv.status_code == 200
    hdrs = {
        "Authentication-Token": login_rv.jdata["response"]["user"]["authentication_token"]
    }

    # Sanity check: the token grants access before the user is deactivated.
    assert b"Token Authentication" in client_nc.get("/token", headers=hdrs).data

    with app.test_request_context("/"):
        ds = app.security.datastore
        ds.deactivate_user(ds.find_user(email="*****@*****.**"))
        ds.commit()

    # Same token, same endpoint: now it must be refused.
    rv = client_nc.get("/token", content_type="application/json", headers=hdrs)
    assert rv.status_code == 401
def test_session_query(in_app_context):
    """Token auth sent together with a session cookie should cost two DB queries.

    The session loads the user once; auth_token_required then still has to
    verify the token itself (the session user and the token user are not
    guaranteed to be the same), which costs a second lookup.
    """
    app = in_app_context
    populate_data(app)
    client = app.test_client()

    token = json_authenticate(client).jdata["response"]["user"]["authentication_token"]
    before = get_num_queries(app.security.datastore)

    rv = client.get(
        "/token",
        headers={"Content-Type": "application/json", "Authentication-Token": token},
    )
    assert rv.status_code == 200

    after = get_num_queries(app.security.datastore)
    # A None count means this datastore does not support query counting; skip the check then.
    if before is not None:
        assert after == before + 2
def test_invalid_json_auth(client):
    """A JSON login that fails (bad password) must report a 400 in the response meta."""
    body = json_authenticate(client, password='******').data
    assert b'"code": 400' in body
def test_ok_json_auth(client):
    """A successful JSON login reports 200 in meta and returns an authentication_token."""
    payload = json_authenticate(client).jdata
    assert payload['meta']['code'] == 200
    assert 'authentication_token' in payload['response']['user']
def test_multi_auth_token(client):
    """The multi-mechanism endpoint accepts a token passed as the auth_token query parameter."""
    token = json_authenticate(client).jdata['response']['user']['authentication_token']
    # Query-string tokens end up in server logs and Referer headers; this only
    # checks that the mechanism is honoured, not that it is advisable.
    rv = client.get('/multi_auth?auth_token=' + token)
    assert b'Token' in rv.data
def test_token_auth_via_header_valid_token(client):
    """A valid token in the Authentication-Token header grants access to /token."""
    token = json_authenticate(client).jdata['response']['user']['authentication_token']
    rv = client.get('/token', headers={"Authentication-Token": token})
    assert b'Token Authentication' in rv.data
def test_token_auth_via_querystring_valid_token(client):
    """A valid token in the auth_token query parameter grants access to /token."""
    token = json_authenticate(client).jdata['response']['user']['authentication_token']
    # Query-string tokens end up in server logs and Referer headers; this only
    # checks that the mechanism is honoured, not that it is advisable.
    rv = client.get('/token?auth_token=' + token)
    assert b'Token Authentication' in rv.data
def test_token_auth_via_querystring_valid_token(client):
    """A valid token in the auth_token query parameter grants access to /token."""
    token = json_authenticate(client).jdata["response"]["user"]["authentication_token"]
    # Query-string tokens end up in server logs and Referer headers; this only
    # checks that the mechanism is honoured, not that it is advisable.
    rv = client.get("/token?auth_token=" + token)
    assert b"Token Authentication" in rv.data
def test_multi_auth_token(client):
    """The multi-mechanism endpoint accepts a token passed as the auth_token query parameter."""
    token = json_authenticate(client).jdata['response']['user']['authentication_token']
    # Query-string tokens end up in server logs and Referer headers; this only
    # checks that the mechanism is honoured, not that it is advisable.
    rv = client.get('/multi_auth?auth_token=' + token)
    assert b'Token' in rv.data
def test_multi_auth_token(client):
    """The multi-mechanism endpoint accepts a token passed as the auth_token query parameter."""
    token = json_authenticate(client).jdata["response"]["user"]["authentication_token"]
    # Query-string tokens end up in server logs and Referer headers; this only
    # checks that the mechanism is honoured, not that it is advisable.
    rv = client.get("/multi_auth?auth_token=" + token)
    assert b"Token" in rv.data
def test_token_auth_via_header_valid_token(client):
    """A valid token in the Authentication-Token header grants access to /token."""
    token = json_authenticate(client).jdata["response"]["user"]["authentication_token"]
    rv = client.get("/token", headers={"Authentication-Token": token})
    assert b"Token Authentication" in rv.data
def test_token_auth_via_querystring_valid_token(client):
    """A valid token in the auth_token query parameter grants access to /token."""
    token = json_authenticate(client).jdata['response']['user']['authentication_token']
    # Query-string tokens end up in server logs and Referer headers; this only
    # checks that the mechanism is honoured, not that it is advisable.
    rv = client.get('/token?auth_token=' + token)
    assert b'Token Authentication' in rv.data
def test_token_auth_via_header_valid_token(client):
    """A valid token in the Authentication-Token header grants access to /token."""
    token = json_authenticate(client).jdata['response']['user']['authentication_token']
    rv = client.get('/token', headers={"Authentication-Token": token})
    assert b'Token Authentication' in rv.data
def test_ok_json_auth(client):
    """A successful JSON login reports 200 in meta and returns an authentication_token."""
    payload = json_authenticate(client).jdata
    assert payload['meta']['code'] == 200
    assert 'authentication_token' in payload['response']['user']
def test_invalid_json_auth(client):
    """A JSON login that fails (bad password) must report a 400 in the response meta."""
    body = json_authenticate(client, password='******').data
    assert b'"code": 400' in body
def test_ok_json_auth(client):
    """A successful JSON login reports 200 in meta and returns an authentication_token."""
    payload = json_authenticate(client).jdata
    assert payload["meta"]["code"] == 200
    assert "authentication_token" in payload["response"]["user"]