def test_channel_based_user_creation(self):
""" Test user channel based user creation """
create_user()
self.assertEqual(User.objects.last().channel.slug, "default")
create_user(headers={"HTTP_X_OVP_CHANNEL": "test-channel"})
self.assertEqual(User.objects.last().channel.slug, "test-channel")
response = create_user(headers={"HTTP_X_OVP_CHANNEL": "test-channel"})
self.assertEqual(response.data, {"email": ["An user with this email is already registered."]})
def test_can_update_to_same_or_old_password(self):
""" Assert that it's possible to update to the same or old password """
response = create_user('*****@*****.**',
'old_password')
user = models.User.objects.get(uuid=response.data['uuid'])
client = APIClient()
client.force_authenticate(user=user)
response = client.patch(reverse('user-current-user'), {
'password': '******',
'current_password': '******'
},
format="json")
self.assertTrue(response.status_code == 200)
response = client.patch(reverse('user-current-user'), {
'password': '******',
'current_password': '******'
},
format="json")
self.assertTrue(response.status_code == 200)
response = client.patch(reverse('user-current-user'), {
'password': '******',
'current_password': '******'
},
format="json")
self.assertTrue(response.status_code == 200)
def test_can_recover_password(self):
"""Assert the user can recover his password with a valid token"""
# request token
user = create_user('*****@*****.**')
mail.outbox = [] # clear outbox
response = create_token('*****@*****.**')
# get token from mailbox
email_content = mail.outbox[0].alternatives[0][0]
token = re.search(
'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}',
email_content).group(0)
# recover password
data = {
'email': '*****@*****.**',
'token': token,
'new_password': '******'
}
client = APIClient()
response = client.post(reverse('recover-password-list'),
data,
format="json")
self.assertTrue(response.data['message'] == 'Password updated.')
# Test authentication new password
auth = authenticate('*****@*****.**', 'newpwvalidpw*')
self.assertTrue(auth.data['access_token'] != None)
def test_cant_recover_with_empty_password(self):
"""Assert that it's impossible to update password through recovery to an empty password"""
# Request token
user = create_user('*****@*****.**')
mail.outbox = [] # Clear outbox
response = create_token('*****@*****.**')
# Get Token from mailbox
email_content = mail.outbox[0].alternatives[0][0]
token = re.search(
'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}',
email_content).group(0)
# Recover Password
data = {
'email': '*****@*****.**',
'token': token,
'new_password': ''
}
client = APIClient()
response = client.post(reverse('recover-password-list'),
data,
format="json")
self.assertTrue(
response.data['message'] == 'Empty password not allowed.')
self.assertTrue(response.status_code == 400)
def test_can_recover_to_same_or_old_password(self):
""" Assert that it's possible to recover to the same or old password """
response = create_user('*****@*****.**',
'old_password')
client = APIClient()
create_token('*****@*****.**')
response = client.post(
reverse('recover-password-list'), {
'new_password': '******',
'token': PasswordRecoveryToken.objects.last().token
},
format="json")
self.assertTrue(response.status_code == 200)
create_token('*****@*****.**')
response = client.post(
reverse('recover-password-list'), {
'new_password': '******',
'token': PasswordRecoveryToken.objects.last().token
},
format="json")
self.assertTrue(response.status_code == 200)
create_token('*****@*****.**')
response = client.post(
reverse('recover-password-list'), {
'new_password': '******',
'token': PasswordRecoveryToken.objects.last().token
},
format="json")
self.assertTrue(response.status_code == 200)
def test_cant_create_6_tokens(self):
"""Assert that it's impossible to create more than 5 tokens in less than 60 minutes"""
user = create_user('*****@*****.**')
response = None
for i in range(6):
response = create_token('*****@*****.**')
self.assertFalse(response.data.get('success', False) == True)
def test_public_bookmarks(self):
""" Assert user bookmarks are public """
response = create_user()
client = APIClient()
response = client.get(reverse('public-users-detail',
[response.data['slug']]),
format="json")
self.assertTrue(type(response.data["bookmarked_projects"]) is list)
def test_cant_retrieve_hidden_user(self):
""" Assert it's not possible to retrieve a hidden profile """
response = create_user(extra_data={'public': False})
client = APIClient()
response = client.get(reverse('public-users-detail',
[response.data['slug']]),
format="json")
self.assertTrue(response.status_code == 404)
def test_cant_login_wrong_password(self):
""" Assert that it's not possible to login with wrong password """
user = create_user('*****@*****.**', 'invalidpassword')
response = authenticate()
self.assertTrue(
response.data == {
"error": "invalid_grant",
"error_description": "Invalid credentials given."
})
def test_can_retrieve_public_user(self):
""" Assert it's possible to retrieve a public profile """
response = create_user()
client = APIClient()
response = client.get(reverse('public-users-detail',
[response.data['slug']]),
format="json")
self.assertTrue(response.data['slug'])
self.assertTrue("applies" in response.data)
def test_cant_recover_to_same_or_old_password_if_in_settings(self):
""" Assert that it's not possible to recover to the same or old password if configured """
ChannelSetting.objects.create(key="CANT_REUSE_LAST_PASSWORDS",
value="2",
object_channel="default")
cache.clear()
response = create_user('*****@*****.**',
'old_password')
client = APIClient()
create_token('*****@*****.**')
response = client.post(
reverse('recover-password-list'), {
'new_password': '******',
'token': PasswordRecoveryToken.objects.last().token
},
format="json")
self.assertTrue(response.status_code == 200)
create_token('*****@*****.**')
response = client.post(
reverse('recover-password-list'), {
'new_password': '******',
'token': PasswordRecoveryToken.objects.last().token
},
format="json")
self.assertTrue(response.status_code == 400)
create_token('*****@*****.**')
response = client.post(
reverse('recover-password-list'), {
'new_password': '******',
'token': PasswordRecoveryToken.objects.last().token
},
format="json")
self.assertTrue(response.status_code == 400)
create_token('*****@*****.**')
response = client.post(
reverse('recover-password-list'), {
'new_password': '******',
'token': PasswordRecoveryToken.objects.last().token
},
format="json")
self.assertTrue(response.status_code == 200)
create_token('*****@*****.**')
response = client.post(
reverse('recover-password-list'), {
'new_password': '******',
'token': PasswordRecoveryToken.objects.last().token
},
format="json")
self.assertTrue(response.status_code == 200)
def test_can_create_user_with_valid_passwords(self):
"""Assert that it's possible to create an user with a series of valid passwords"""
passwords = [
'thisisapassword', 'password with spaces', '83721904', '837 283',
'!!#$*&()+=', ' thisisapassword '
]
for i, password in enumerate(passwords):
response = create_user('testvalidpassword{}@test.com'.format(i),
password)
self.assertTrue(response.data['uuid'])
self.assertTrue("password" not in response.data)
def test_can_set_user_to_hidden(self):
"""Assert that it's possible to set public user to hidden user"""
response = create_user()
self.assertTrue(response.data['public'] == True)
user = models.User.objects.get(uuid=response.data['uuid'])
client = APIClient()
client.force_authenticate(user=user)
response = client.patch(reverse('user-current-user'),
{'public': False},
format="json")
self.assertTrue(response.data['public'] == False)
def test_can_get_current_user(self):
"""Assert that authenticated users can get associated info"""
user = create_user('*****@*****.**',
'validpassword')
client = APIClient()
client.login(username='******',
password='******',
channel='default')
response = client.get(reverse('user-current-user'), {}, format="json")
self.assertTrue(response.data.get('email', None))
self.assertTrue(response.data.get('name', None))
self.assertTrue("expired_password" not in response.data)
def test_hidden_bookmarks(self):
""" Assert user bookmarks are are hidden bookmarks if setting applied """
ChannelSetting.objects.create(
key="ENABLE_PUBLIC_USER_BOOKMARKED_PROJECTS",
value="0",
object_channel="default")
response = create_user()
client = APIClient()
response = client.get(reverse('public-users-detail',
[response.data['slug']]),
format="json")
self.assertTrue(response.data["bookmarked_projects"] == None)
def test_cant_patch_password_without_current_password(self):
"""Assert that it's not possible to update user password without the current password"""
response = create_user('*****@*****.**', 'abcabcabc')
u = models.User.objects.get(uuid=response.data['uuid'])
data = {'password': '******'}
client = APIClient()
client.force_authenticate(user=u)
response = client.patch(reverse('user-current-user'),
data,
format="json")
self.assertTrue(response.status_code == 400)
self.assertTrue(
response.data["current_password"] == ["Invalid password."])
def test_cant_update_to_same_or_old_password_if_in_settings(self):
""" Assert that it's not possible to update to the same or old password if configured """
ChannelSetting.objects.create(key="CANT_REUSE_LAST_PASSWORDS",
value="2",
object_channel="default")
cache.clear()
response = create_user('*****@*****.**',
'old_password')
user = models.User.objects.get(uuid=response.data['uuid'])
client = APIClient()
client.force_authenticate(user=user)
response = client.patch(reverse('user-current-user'), {
'password': '******',
'current_password': '******'
},
format="json")
self.assertTrue(response.status_code == 200)
response = client.patch(reverse('user-current-user'), {
'password': '******',
'current_password': '******'
},
format="json")
self.assertTrue(response.status_code == 400)
response = client.patch(reverse('user-current-user'), {
'password': '******',
'current_password': '******'
},
format="json")
self.assertTrue(response.status_code == 400)
response = client.patch(reverse('user-current-user'), {
'password': '******',
'current_password': '******'
},
format="json")
self.assertTrue(response.status_code == 200)
response = client.patch(reverse('user-current-user'), {
'password': '******',
'current_password': '******'
},
format="json")
self.assertTrue(response.status_code == 200)
def test_can_patch_password(self):
"""Assert that it's possible to update user password"""
response = create_user('*****@*****.**', 'abcabcabc')
u = models.User.objects.get(uuid=response.data['uuid'])
data = {'password': '******', 'current_password': '******'}
client = APIClient()
client.force_authenticate(user=u)
response = client.patch(reverse('user-current-user'),
data,
format="json")
self.assertTrue(response.status_code == 200)
self.assertTrue("password" not in response.data)
response = authenticate('*****@*****.**',
data['password'])
self.assertTrue(response.data['access_token'] != None)
def test_cant_update_invalid_password(self):
"""Assert that it's impossible to update user password to a invalid password"""
response = create_user('*****@*****.**', 'abcabcabc')
u = models.User.objects.get(uuid=response.data['uuid'])
data = {
'name': 'abc',
'password': '******',
'current_password': '******'
}
client = APIClient()
client.force_authenticate(user=u)
response = client.patch(reverse('user-current-user'),
data,
format="json")
self.assertTrue(response.status_code == 400)
self.assertTrue(len(response.data['password']) > 0)
self.assertTrue(isinstance(response.data['password'], list))
def test_cant_recover_invalid_token(self):
"""Assert that it's impossible to update password through recovery with an invalid user token"""
# Request token
user = create_user('*****@*****.**')
response = create_token('*****@*****.**')
# Recover Password
data = {
'email': '*****@*****.**',
'token': 'invalid_token',
'new_password': '******'
}
client = APIClient()
response = client.post(reverse('recover-password-list'),
data,
format="json")
self.assertTrue(response.data['message'] == 'Invalid token.')
self.assertTrue(response.status_code == 401)
def test_expired_password_fields(self):
"""Assert that password expired field works"""
ChannelSetting.objects.create(key="EXPIRE_PASSWORD_IN",
value="{}".format(60 * 60),
object_channel="default")
cache.clear()
user = create_user('*****@*****.**',
'validpassword')
client = APIClient()
client.login(username='******',
password='******',
channel='default')
response = client.get(reverse('user-current-user'), {}, format="json")
self.assertTrue(response.data['expired_password'] == False)
entry = models.PasswordHistory.objects.last()
entry.created_date = entry.created_date - relativedelta(hours=1)
entry.save()
response = client.get(reverse('user-current-user'), {}, format="json")
self.assertTrue(response.data['expired_password'] == True)
def test_can_login(self):
""" Assert that it's possible to login """
user = create_user('*****@*****.**', 'validpassword')
response = authenticate()
self.assertTrue(response.data['access_token'] != None)
def test_doesnt_return_password_on_user_creation(self):
"""Assert that the serializer does not return user hashed password """
response = create_user()
self.assertTrue(response.data.get('password', None) == None)
def test_can_create_token(self):
"""Assert that it's possible to create an recovery token"""
user = create_user('*****@*****.**')
response = create_token()
self.assertTrue(response.data['success'] == True)
def test_cant_create_user_invalid_password(self):
"""Assert that it's not possible to create an user with a repeated email"""
response = create_user('*****@*****.**',
'abc')
self.assertTrue(len(response.data['password']) > 0)
self.assertTrue(isinstance(response.data['password'], list))
def test_cant_create_user_duplicated_email(self):
"""Assert that it's not possible to create an user with a repeated email"""
response = create_user()
self.assertTrue(response.data['uuid'])
def test_can_create_hidden_user(self):
"""Assert that it's possible to create a hidden user"""
response = create_user(extra_data={'public': False})
self.assertTrue(response.data['public'] == False)
def test_can_create_user(self):
"""Assert that it's possible to create an user"""
response = create_user()
self.assertTrue(response.data['uuid'])
self.assertTrue("password" not in response.data)
