def test_shot_set_expiration_with_valid_csrftoken_ok():
    """Setting an expiration via the client helper succeeds.

    No token is passed explicitly: ``set_expiration`` reads the CSRF token
    from the shot page itself, so this exercises the happy path.
    """
    with screenshots_session() as user:
        url = user.create_shot(docTitle="A_TEST_SITE_1")
        # 290 is handed straight to the helper as the expiration value
        user.set_expiration(url, 290)
        user.delete_shot(url)  # cleanup
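def test_jpeg_upload():
    """A shot created with a JPEG clip is stored with a JPEG content type.

    The shot is deleted afterwards so the test leaves nothing behind,
    matching the cleanup the other shot tests in this file perform.
    """
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="TEST_JPEG",
                                    image_content_type="image/jpeg",
                                    image_index=0)
        shot_page = user.read_shot(shot_url)
        assert shot_page["clip_content_type"] == "image/jpeg"

        user.delete_shot(shot_url)  # cleanup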
def test_disconnect_device_with_invalid_csrftoken_fails():
    """POSTing to /api/disconnect-device/ with a bogus _csrf value is rejected."""
    with screenshots_session() as user:
        endpoint = urljoin(user.backend, '/api/disconnect-device/')
        form = {"_csrf": "bad-token"}
        resp = user.session.post(endpoint, form)
        print(resp.text)
        assert resp.status_code == 403  # Bad CSRF Token
def test_edit_to_set_invalid_clip_image_url_fails():
    """/api/save-edit refuses to set a clip image URL that is not a plain URL.

    A shot is first saved through its data endpoint, then an edit is
    attempted with a URL containing quote/paren/CSS characters; the server
    is expected to answer 400.
    """
    with screenshots_session() as user:
        shot_id = make_random_id() + "/test.com"
        shot_url = urljoin(user.backend, shot_id)
        data_endpoint = urljoin(user.backend, "data/" + shot_id)
        example = make_example_shot(user.deviceId)
        invalid_url = "https://example.com/?aaA=bbb=\"); background-color: red;"

        # save a shot
        save_resp = user.session.put(data_endpoint, json=example)
        assert save_resp.status_code == 200

        token = user.read_shot(shot_url)['csrf']

        # don't allow editing to set an invalid shot image url
        edit_form = {"shotId": shot_id, "url": invalid_url, "_csrf": token}
        edit_resp = user.session.post(
            urljoin(user.backend, "/api/save-edit"), edit_form)
        print(edit_resp.text)
        assert edit_resp.status_code == 400

        user.delete_shot(shot_url)
def test_login_wrong_secret():
    """Logging in with a valid deviceId but the wrong secret yields 404."""
    with screenshots_session() as user:
        login_url = urljoin(user.backend, "/api/login")
        form = {
            "deviceId": user.deviceId,
            "secret": "wrong_secret",
            "deviceInfo": json.dumps(user.deviceInfo),
        }
        resp = requests.post(login_url, data=form)
        print(resp.text, resp.status_code)
        assert resp.status_code == 404
def test_login_invalid_json_deviceinfo():
    """Pins that a malformed deviceInfo string does not block login (200)."""
    with screenshots_session() as user:
        login_url = urljoin(user.backend, "/api/login")
        form = {
            "deviceId": user.deviceId,
            "secret": user.secret,
            "deviceInfo": "}",  # deliberately not valid JSON
        }
        resp = requests.post(login_url, data=form)
        print(resp.text, resp.status_code)
        assert resp.status_code == 200
def test_my_shots_page():
    """/shots loads both for a logged-in session and for a fresh client."""
    with screenshots_session() as user:
        user.read_my_shots()

    # e.g. direct navigation to /shots in private window
    anonymous = ScreenshotsClient()
    anonymous.get_uri("/shots").raise_for_status()
def test_login_wrong_secret():
    """A login attempt whose secret does not match is answered with 404."""
    with screenshots_session() as user:
        credentials = dict(deviceId=user.deviceId,
                           secret="wrong_secret",
                           deviceInfo=json.dumps(user.deviceInfo))
        resp = requests.post(urljoin(user.backend, "/api/login"),
                             data=credentials)
        print(resp.text, resp.status_code)
        assert resp.status_code == 404
def test_my_shots_page():
    """The shots listing is reachable with and without a logged-in session."""
    with screenshots_session() as user:
        user.read_my_shots()

    # e.g. direct navigation to /shots in private window
    fresh_client = ScreenshotsClient()
    listing = fresh_client.get_uri("/shots")
    listing.raise_for_status()
def test_login_missing_deviceid():
    """Omitting deviceId from the login form yields 404 (no such user)."""
    with screenshots_session() as user:
        form = {
            "secret": user.secret,
            "deviceInfo": json.dumps(user.deviceInfo),
        }
        resp = requests.post(urljoin(user.backend, "/api/login"), data=form)
        print(resp.text, resp.status_code)
        assert resp.status_code == 404  # no such user
def test_login_invalid_json_deviceinfo():
    """Login still returns 200 when deviceInfo is not parseable JSON."""
    with screenshots_session() as user:
        credentials = dict(deviceId=user.deviceId,
                           secret=user.secret,
                           deviceInfo="}")  # not valid JSON on purpose
        resp = requests.post(urljoin(user.backend, "/api/login"),
                             data=credentials)
        print(resp.text, resp.status_code)
        assert resp.status_code == 200
def test_login_missing_deviceid():
    """A login form without a deviceId is answered with 404."""
    with screenshots_session() as user:
        login_url = urljoin(user.backend, "/api/login")
        resp = requests.post(
            login_url,
            data=dict(secret=user.secret,
                      deviceInfo=json.dumps(user.deviceInfo)))
        print(resp.text, resp.status_code)
        assert resp.status_code == 404  # no such user
def test_get_shot_sets_csrf_cookie():
    """Fetching a shot page leaves an HttpOnly _csrf cookie on the session.

    A second shot is created under the first shot's id (different title and
    image) before the page is requested.
    """
    with screenshots_session() as user:
        first_url = user.create_shot(docTitle="A_TEST_SITE_1", image_index=0)
        shot_id = urlsplit(first_url).path.strip("/")
        user.create_shot(shot_id=shot_id, docTitle="A_TEST_SITE_2", image_index=1)

        page_resp = user.session.get(first_url)
        page_resp.raise_for_status()
        assert_httponly_csrf_cookie(user.session)
def test_delete_shot_without_csrftoken_fails():
    """/api/delete-shot without any _csrf field in the form is rejected."""
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        shot_id = user._get_id_from_url(shot_url)
        endpoint = urljoin(user.backend, "/api/delete-shot")
        resp = user.session.post(endpoint, {"id": shot_id})  # no _csrf at all
        print(resp.text)
        assert resp.status_code == 403  # Bad CSRF Token

        user.delete_shot(shot_url)  # cleanup
def test_login():
    """A well-formed login succeeds; an arbitrary ownershipCheck value is sent along."""
    with screenshots_session() as user:
        form = {
            "deviceId": user.deviceId,
            "secret": user.secret,
            "deviceInfo": json.dumps(user.deviceInfo),
            "ownershipCheck": "fooo",  # value is arbitrary here
        }
        resp = requests.post(urljoin(user.backend, "/api/login"), data=form)
        print(resp.text, resp.status_code)
        assert resp.status_code == 200
def test_disconnect_device_with_valid_csrftoken_ok():
    """/api/disconnect-device/ accepts a token taken from a shot page.

    A shot is created only so that its page can supply a CSRF token.
    """
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        token = user.read_shot(shot_url)["csrf"]

        endpoint = urljoin(user.backend, '/api/disconnect-device/')
        resp = user.session.post(endpoint, {"_csrf": token})
        print(resp.text)
        assert resp.status_code == 200  # ok?

        user.delete_shot(shot_url)  # cleanup
def test_login():
    """Login with correct deviceId/secret returns 200."""
    with screenshots_session() as user:
        login_url = urljoin(user.backend, "/api/login")
        credentials = dict(deviceId=user.deviceId,
                           secret=user.secret,
                           deviceInfo=json.dumps(user.deviceInfo),
                           ownershipCheck="fooo")  # arbitrary value
        resp = requests.post(login_url, data=credentials)
        print(resp.text, resp.status_code)
        assert resp.status_code == 200
def test_shot_set_title_with_invalid_csrftoken_fails():
    """/api/set-title/<id> with a made-up _csrf value is rejected with 403."""
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        shot_id = user._get_id_from_url(shot_url)
        set_title_base = urljoin(user.backend, "/api/set-title/")
        form = {"id": shot_id, "title": "new title", "_csrf": "bad-csrf-token"}
        resp = user.session.post(urljoin(set_title_base, shot_id), form)
        print(resp.text)
        assert resp.status_code == 403  # Bad CSRF Token

        user.delete_shot(shot_url)  # cleanup
def test_shot_set_expiration_with_invalid_csrftoken_fails():
    """/api/set-expiration with a made-up _csrf value is rejected with 403."""
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        shot_id = user._get_id_from_url(shot_url)
        form = {"id": shot_id, "expiration": "60", "_csrf": "bad-csrf-token"}
        resp = user.session.post(urljoin(user.backend, "/api/set-expiration"),
                                 form)
        print(resp.text)
        assert resp.status_code == 403  # Bad CSRF Token

        user.delete_shot(shot_url)  # cleanup
def test_leave_screenshots_without_csrftoken_fails():
    """POSTing /leave-screenshots/leave with no _csrf in the body yields 403.

    The leave page is fetched first so the session holds the _csrf cookie;
    the cookie alone must not be enough.
    """
    with screenshots_session() as user:
        page_resp = user.session.get(user.backend + "/leave-screenshots/")
        assert page_resp.status_code == 200
        assert_httponly_csrf_cookie(user.session)

        leave_url = urljoin(user.backend, "/leave-screenshots/leave")
        resp = user.session.post(leave_url)  # no body, no token
        print(resp.text)
        assert resp.status_code == 403
def test_shot_set_title_without_csrftoken_fails():
    """/api/set-title/<id> without any _csrf field is rejected with 403."""
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        shot_id = user._get_id_from_url(shot_url)
        endpoint = urljoin(urljoin(user.backend, "/api/set-title/"), shot_id)
        resp = user.session.post(endpoint, {"id": shot_id, "title": "new title"})
        print(resp.text)
        assert resp.status_code == 403  # Bad CSRF Token

        user.delete_shot(shot_url)  # cleanup
def test_get_settings_does_not_set_csrf_cookie():
    """Neither GET /settings/ nor GET /settings sets a _csrf cookie on the response."""
    with screenshots_session() as user:
        trailing_slash = user.get_settings()  # GET /settings/
        assert trailing_slash.status_code == 200
        assert trailing_slash.cookies.get('_csrf', None) is None

        # whether the 302 /settings/ -> /settings
        # with set-cookie actually sets _csrf
        # depends on the client
        no_slash = user.get_uri(urljoin(user.backend, "/settings"))
        assert no_slash.status_code == 200
        assert no_slash.cookies.get('_csrf', None) is None
def test_creating_page():
    """/creating/<id> is served both to the owner and to an anonymous client."""
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1", image_index=0)
        shot_id = urlparse.urlsplit(shot_url).path.strip("/")

        owner_resp = user.get_uri("/creating/" + shot_id)
        assert owner_resp.status_code == 200

    # shot_id is still bound after the with block; reuse it unauthenticated
    anonymous = ScreenshotsClient()
    anon_resp = requests.get(urljoin(anonymous.backend, "/creating/") + shot_id)
    assert anon_resp.status_code == 200
def test_disconnect_device_with_valid_csrftoken_ok():
    """Disconnecting a device succeeds when the shot page's CSRF token is supplied."""
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        form = {"_csrf": user.read_shot(shot_url)["csrf"]}

        resp = user.session.post(
            urljoin(user.backend, '/api/disconnect-device/'), form)
        print(resp.text)
        assert resp.status_code == 200  # ok?

        user.delete_shot(shot_url)  # cleanup
def test_shot_edit_without_csrftoken_fails():
    """/api/save-edit rejects an edit whose _csrf value is made up.

    Despite the name, a (bad) token is sent rather than none at all.
    """
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        shot_id = user._get_id_from_url(shot_url)

        form = {
            "shotId": shot_id,
            "_csrf": "bad-csrf-token",
            "url": "https://example.com/edited",
        }
        resp = user.session.post(urljoin(user.backend, '/api/save-edit'), form)
        print(resp.text)
        assert resp.status_code == 403  # Bad CSRF Token

        user.delete_shot(shot_url)  # cleanup
def test_creating_page():
    """The /creating/<id> page returns 200 for the owner and for a fresh client."""
    with screenshots_session() as user:
        created = user.create_shot(docTitle="A_TEST_SITE_1", image_index=0)
        shot_id = urlparse.urlsplit(created).path.strip("/")
        assert user.get_uri("/creating/" + shot_id).status_code == 200

    # the session is closed here; the id itself stays usable
    fresh_client = ScreenshotsClient()
    creating_url = urljoin(fresh_client.backend, "/creating/") + shot_id
    assert requests.get(creating_url).status_code == 200
def test_shot_set_expiration_without_csrftoken_fails():
    """/api/set-expiration without a _csrf field is rejected, even for an account user."""
    with screenshots_session(hasAccount=True) as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        shot_id = user._get_id_from_url(shot_url)
        form = {"id": shot_id, "expiration": "60"}  # deliberately no _csrf
        resp = user.session.post(
            urljoin(user.backend, "/api/set-expiration"), form)
        print(resp.text)
        assert resp.status_code == 403  # Bad CSRF Token

        user.delete_shot(shot_url)  # cleanup
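def test_leave_screenshots_with_valid_csrftoken_ok():
    """POSTing /leave-screenshots/leave with the page's own CSRF token succeeds.

    The token is scraped from the hidden ``_csrf`` input on the leave page.
    If the markup changes and the input is not found, fail with a clear
    assertion instead of an AttributeError on ``None.group``.
    """
    with screenshots_session() as user:
        leave_resp = user.session.get(user.backend + "/leave-screenshots/")
        assert leave_resp.status_code == 200
        assert_httponly_csrf_cookie(user.session)

        page = leave_resp.text
        # greedy .* stays within one line; assumes the input sits on one line
        csrf_match = re.search(r'<input.*name="_csrf".*value="([^"]*)"', page)
        assert csrf_match is not None, "no _csrf input found on leave page"
        csrf = csrf_match.group(1)
        resp = user.session.post(
            urljoin(user.backend, "/leave-screenshots/leave"),
            json={"_csrf": csrf})
        resp.raise_for_status()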
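def test_leave_screenshots_with_get_fails():
    """GET /leave-screenshots/leave is not routed (404), even with a valid token.

    The token is taken from the leave page's hidden ``_csrf`` input; a
    missing input fails with an explicit assertion rather than an
    AttributeError on ``None.group``.
    """
    with screenshots_session() as user:
        leave_resp = user.session.get(user.backend + "/leave-screenshots/")
        assert leave_resp.status_code == 200
        assert_httponly_csrf_cookie(user.session)

        page = leave_resp.text
        csrf_match = re.search(r'<input.*name="_csrf".*value="([^"]*)"', page)
        assert csrf_match is not None, "no _csrf input found on leave page"
        csrf = csrf_match.group(1)
        # token goes in the query string: a GET must still not perform the leave
        resp = user.session.get(
            urljoin(user.backend, "/leave-screenshots/leave"),
            params={"_csrf": csrf})

        assert resp.status_code == 404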
def test_shot_edit_without_csrftoken_fails():
    """An edit carrying a made-up _csrf value is refused by /api/save-edit."""
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        shot_id = user._get_id_from_url(shot_url)

        edit_form = dict(shotId=shot_id,
                         _csrf="bad-csrf-token",
                         url="https://example.com/edited")
        endpoint = urljoin(user.backend, '/api/save-edit')
        resp = user.session.post(endpoint, edit_form)
        print(resp.text)
        assert resp.status_code == 403  # Bad CSRF Token

        user.delete_shot(shot_url)  # cleanup
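def test_leave_screenshots_with_duplicate_csrf_cookies_fails():
    """The leave endpoint answers 400 when the request carries two _csrf cookies.

    A Python dict literal cannot hold the same key twice, so the former
    ``{'_csrf': ..., '_csrf': ...}`` (silenced with ``noqa: F601``) sent a
    single cookie value; it is written as one entry here.  Presumably the
    duplicate on the wire comes from this per-request cookie being sent
    alongside the session's own _csrf cookie — confirm against the client
    library's cookie merging before relying on it.  The CSRF token itself
    is scraped from the leave page's hidden input.
    """
    with screenshots_session() as user:
        leave_resp = user.session.get(user.backend + "/leave-screenshots/")
        assert leave_resp.status_code == 200
        assert_httponly_csrf_cookie(user.session)

        page = leave_resp.text
        csrf_match = re.search(r'<input.*name="_csrf".*value="([^"]*)"', page)
        assert csrf_match is not None, "no _csrf input found on leave page"
        csrf = csrf_match.group(1)
        resp = user.session.post(
            urljoin(user.backend, "/leave-screenshots/leave"),
            cookies={'_csrf': user.session.cookies.get('_csrf')},
            json={"_csrf": csrf})
        assert resp.status_code == 400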
def test_invalid_clip_image_url_not_saved():
    """Saving a shot whose first clip has a non-URL image url is rejected with 500."""
    with screenshots_session() as user:
        shot_id = make_random_id() + "/test.com"
        data_endpoint = urljoin(user.backend, "data/" + shot_id)

        example = make_example_shot(user.deviceId)
        invalid_url = "https://example.com/?aaA=bbb=\"); background-color: red;"
        # only the first clip (if any) gets the bad url
        clip_ids = list(example['clips'])
        if clip_ids:
            example['clips'][clip_ids[0]]['image']['url'] = invalid_url

        resp = user.session.put(data_endpoint, json=example)
        print(resp.text)
        assert resp.status_code == 500  # assertion failure on clip image url
def test_delete_shot_with_valid_csrftoken_ok():
    """Deleting a shot through the helper succeeds; the helper reads the CSRF token from the shot page."""
    with screenshots_session() as user:
        url = user.create_shot(docTitle="A_TEST_SITE_1")
        user.delete_shot(url)
def test_settings_page():
    """The settings page loads; get_settings raises on an HTTP error."""
    with screenshots_session() as user:
        user.get_settings()
def user_setup():
    """Return (shot data URL, example shot JSON, user) for a fresh session.

    NOTE(review): the tuple is returned from inside the ``with`` block, so
    the session's ``__exit__`` has already run by the time the caller gets
    ``user`` — confirm that the returned client is still usable afterwards.
    """
    with screenshots_session() as user:
        shot_id = make_random_id() + "/test.com"
        data_endpoint = urljoin(user.backend, "data/" + shot_id)
        example = make_example_shot(user.deviceId)
        return data_endpoint, example, user
def test_settings_page():
    """GET /settings/ succeeds for a logged-in session."""
    with screenshots_session() as user:
        user.get_settings()  # raises for http error
def test_get_my_shots_sets_csrf_cookie():
    """Reading the shots listing leaves an HttpOnly _csrf cookie on the session."""
    with screenshots_session() as user:
        user.read_my_shots()  # raises on error
        assert_httponly_csrf_cookie(user.session)
def test_shot_set_title_with_valid_csrftoken_ok():
    """Renaming a shot through the helper succeeds.

    ``set_title`` reads the CSRF token from the shot page itself.
    """
    with screenshots_session() as user:
        url = user.create_shot(docTitle="A_TEST_SITE_1")
        user.set_title(url, "New Screenshot Title")
        user.delete_shot(url)  # cleanup
def user_setup():
    """Build a (data URL, example shot, user) triple for tests that save shots.

    NOTE(review): ``return`` happens inside the ``with``, so the session
    context has exited before the caller receives ``user`` — verify the
    client remains usable once ``screenshots_session`` has cleaned up.
    """
    with screenshots_session() as user:
        random_shot_id = make_random_id() + "/test.com"
        return (urljoin(user.backend, "data/" + random_shot_id),
                make_example_shot(user.deviceId),
                user)
def test_shot_set_expiration_with_valid_csrftoken_ok():
    """An account user can set a shot's expiration through the helper.

    ``set_expiration`` obtains the CSRF token from the shot page.
    """
    with screenshots_session(hasAccount=True) as user:
        url = user.create_shot(docTitle="A_TEST_SITE_1")
        user.set_expiration(url, 290)
        user.delete_shot(url)  # cleanup