def get_or_create_csrf_token(request):
token = request.META.get('CSRF_COOKIE', None)
if token is None:
token = csrf._get_new_csrf_token()
request.META['CSRF_COOKIE'] = token
request.META['CSRF_COOKIE_USED'] = True
return token
def test_deactivate_all_user_token_refresh_token(api_client, user_api_client,
customer_user):
user_api_client.token = create_access_token(customer_user)
create_refresh_token(customer_user)
csrf_token = _get_new_csrf_token()
refresh_token = create_refresh_token(customer_user,
{"csrfToken": csrf_token})
response = user_api_client.post_graphql(
MUTATION_DEACTIVATE_ALL_USER_TOKENS)
content = get_graphql_content(response)
errors = content["data"]["tokensDeactivateAll"]["accountErrors"]
assert not errors
variables = {"token": refresh_token, "csrf_token": csrf_token}
response = api_client.post_graphql(MUTATION_TOKEN_REFRESH, variables)
content = get_graphql_content(response)
data = content["data"]["tokenRefresh"]
errors = data["accountErrors"]
assert data["token"] is None
assert len(errors) == 1
assert errors[0]["code"] == AccountErrorCode.JWT_INVALID_TOKEN.name
def test_post_form_session_auth_passing_csrf(self):
"""
Ensure POSTing form over session authentication with CSRF token succeeds.
Regression test for #6088
"""
# Remove this shim when dropping support for Django 2.2.
if django.VERSION < (3, 0):
from django.middleware.csrf import _get_new_csrf_token
else:
from django.middleware.csrf import (
_get_new_csrf_string, _mask_cipher_secret
)
def _get_new_csrf_token():
return _mask_cipher_secret(_get_new_csrf_string())
self.csrf_client.login(username=self.username, password=self.password)
# Set the csrf_token cookie so that CsrfViewMiddleware._get_token() works
token = _get_new_csrf_token()
self.csrf_client.cookies[settings.CSRF_COOKIE_NAME] = token
# Post the token matching the cookie value
response = self.csrf_client.post('/session/', {
'example': 'example',
'csrfmiddlewaretoken': token,
})
assert response.status_code == status.HTTP_200_OK
def before_request():
# Reuse token if already set
csrf_token = _get_token()
if not csrf_token or g.get('csrf_cookie_needs_reset', False):
csrf_token = _get_new_csrf_token()
# Store csrf_token on g so that it can be used in
# server-rendered forms
g.csrf_token = csrf_token
def before_request():
# Reuse token if already set
csrf_token = _get_token()
if not csrf_token or g.get('csrf_cookie_needs_reset', False):
csrf_token = _get_new_csrf_token()
# Store csrf_token on g so that it can be used in
# server-rendered forms
g.csrf_token = csrf_token
def test_contributor_can_get_their_contribution(self):
refresh_token = ContributorRefreshToken.for_contributor(
self.contributor_user.uuid)
self.client.cookies[
"Authorization"] = refresh_token.long_lived_access_token
self.client.cookies["csrftoken"] = csrf._get_new_csrf_token()
my_contribution = self.contributor_user.contribution_set.first()
self.assert_contributor_can_get(
self.contribution_detail_url(my_contribution.pk))
def fake_request(self, path='/', user=None, method='GET', ajax=False, **kwargs):
csrf = kwargs.get('csrf', django_csrf._get_new_csrf_token())
request = WSGIRequest( { 'REQUEST_METHOD': method.upper(),
'PATH_INFO': path,
'wsgi.input': StringIO(),
'CSRF_COOKIE': csrf,
'HTTP_X_REQUESTED_WITH': 'XMLHttpRequest' if ajax else None})
request.user = AnonymousUser() if user is None else user
return request
def test_contributor_cannot_get_others_contribution(self):
refresh_token = ContributorRefreshToken.for_contributor(
self.contributor_user.uuid)
self.client.cookies[
"Authorization"] = refresh_token.long_lived_access_token
self.client.cookies["csrftoken"] = csrf._get_new_csrf_token()
not_my_contribution = Contribution.objects.exclude(
contributor=self.contributor_user).first()
self.assert_contributor_cannot_get(
self.contribution_detail_url(not_my_contribution.pk),
expected_status_code=status.HTTP_404_NOT_FOUND)
def setUp(self):
factory = RequestFactory(enforce_csrf_checks=True)
self.request = factory.post(
reverse("donationpage-detail", kwargs={"pk": 1}))
self.user = user_model.objects.create_user(email="*****@*****.**",
password="******")
self.request.user = self.user
self.request._dont_enforce_csrf_checks = False
valid_token_obj = AccessToken().for_user(self.user)
self.valid_jwt = jwt.encode(valid_token_obj.payload,
settings.SECRET_KEY,
algorithm="HS256")
self.invalid_jwt = "notavalidhmac"
self.csrf_token = csrf._get_new_csrf_token()
def _login(self) -> Dict[str, str]:
# Ideally, we'd migrate this to use API auth instead of
# stealing cookies, but this works for now.
auth_backend = settings.AUTHENTICATION_BACKENDS[0]
session_auth_hash = self.user_profile.get_session_auth_hash()
engine = import_module(settings.SESSION_ENGINE)
session = engine.SessionStore() # type: ignore # import_module
session[SESSION_KEY] = self.user_profile._meta.pk.value_to_string(self.user_profile)
session[BACKEND_SESSION_KEY] = auth_backend
session[HASH_SESSION_KEY] = session_auth_hash
session.save()
return {
settings.SESSION_COOKIE_NAME: session.session_key,
settings.CSRF_COOKIE_NAME: _get_new_csrf_token()}
def test_access_token_used_as_a_refresh_token(api_client, customer_user):
csrf_token = _get_new_csrf_token()
access_token = create_access_token(customer_user, {"csrfToken": csrf_token})
variables = {"token": access_token, "csrf_token": csrf_token}
response = api_client.post_graphql(MUTATION_TOKEN_REFRESH, variables)
content = get_graphql_content(response)
data = content["data"]["tokenRefresh"]
errors = data["errors"]
token = data.get("token")
assert not token
assert len(errors) == 1
assert errors[0]["code"] == AccountErrorCode.JWT_INVALID_TOKEN.name
def perform_mutation(cls, root, info, **data):
user = cls.get_user(info, data)
access_token = create_access_token(user)
csrf_token = _get_new_csrf_token()
refresh_token = create_refresh_token(user, {"csrfToken": csrf_token})
info.context.refresh_token = refresh_token
info.context._cached_user = user
user.last_login = timezone.now()
user.save(update_fields=["last_login"])
return cls(
errors=[],
user=user,
token=access_token,
refresh_token=refresh_token,
csrf_token=csrf_token,
)
def test_refresh_token_get_token_incorrect_csrf_token(api_client, customer_user):
csrf_token = _get_new_csrf_token()
refresh_token = create_refresh_token(customer_user, {"csrfToken": csrf_token})
variables = {"token": None, "csrf_token": "csrf_token"}
api_client.cookies[JWT_REFRESH_TOKEN_COOKIE_NAME] = refresh_token
api_client.cookies[JWT_REFRESH_TOKEN_COOKIE_NAME]["httponly"] = True
response = api_client.post_graphql(MUTATION_TOKEN_REFRESH, variables)
content = get_graphql_content(response)
data = content["data"]["tokenRefresh"]
errors = data["errors"]
token = data.get("token")
assert not token
assert len(errors) == 1
assert errors[0]["code"] == AccountErrorCode.JWT_INVALID_CSRF_TOKEN.name
def _login(self) -> Dict[str, str]:
# Ideally, we'd migrate this to use API auth instead of
# stealing cookies, but this works for now.
auth_backend = settings.AUTHENTICATION_BACKENDS[0]
session_auth_hash = self.user_profile.get_session_auth_hash()
engine = import_module(settings.SESSION_ENGINE)
session = engine.SessionStore() # type: ignore # import_module
session[SESSION_KEY] = self.user_profile._meta.pk.value_to_string(
self.user_profile)
session[BACKEND_SESSION_KEY] = auth_backend
session[HASH_SESSION_KEY] = session_auth_hash
session.save()
return {
settings.SESSION_COOKIE_NAME: session.session_key,
settings.CSRF_COOKIE_NAME: _get_new_csrf_token()
}
def test_refresh_token_when_user_deactivated_token(api_client, customer_user):
csrf_token = _get_new_csrf_token()
refresh_token = create_refresh_token(customer_user, {"csrfToken": csrf_token})
customer_user.jwt_token_key = "new_key"
customer_user.save()
variables = {"token": None, "csrf_token": csrf_token}
api_client.cookies[JWT_REFRESH_TOKEN_COOKIE_NAME] = refresh_token
api_client.cookies[JWT_REFRESH_TOKEN_COOKIE_NAME]["httponly"] = True
response = api_client.post_graphql(MUTATION_TOKEN_REFRESH, variables)
content = get_graphql_content(response)
data = content["data"]["tokenRefresh"]
errors = data["errors"]
assert not data["token"]
assert len(errors) == 1
assert errors[0]["code"] == AccountErrorCode.JWT_INVALID_TOKEN.name
def test_deactivate_all_user_tokens(customer_user, user_api_client):
token = create_access_token(customer_user)
jwt_key = customer_user.jwt_token_key
csrf_token = _get_new_csrf_token()
refresh_token = create_refresh_token(customer_user, {"csrfToken": csrf_token})
user_api_client.token = token
user_api_client.post_graphql(MUTATION_DEACTIVATE_ALL_USER_TOKENS)
customer_user.refresh_from_db()
new_token = create_access_token(customer_user)
new_refresh_token = create_refresh_token(customer_user, {"csrfToken": csrf_token})
# the mutation changes the parameter of jwt token, which confirms if jwt token is
# valid or not
assert jwt_decode(token)["token"] != jwt_decode(new_token)["token"]
assert jwt_decode(refresh_token)["token"] != jwt_decode(new_refresh_token)["token"]
assert jwt_key != customer_user.jwt_token_key
def test_post_form_session_auth_passing_csrf(self):
"""
Ensure POSTing form over session authentication with CSRF token succeeds.
Regression test for #6088
"""
from django.middleware.csrf import _get_new_csrf_token
self.csrf_client.login(username=self.username, password=self.password)
# Set the csrf_token cookie so that CsrfViewMiddleware._get_token() works
token = _get_new_csrf_token()
self.csrf_client.cookies[settings.CSRF_COOKIE_NAME] = token
# Post the token matching the cookie value
response = self.csrf_client.post('/session/', {
'example': 'example',
'csrfmiddlewaretoken': token,
})
assert response.status_code == status.HTTP_200_OK
def test_post_form_session_auth_passing_csrf(self):
"""
Ensure POSTing form over session authentication with CSRF token succeeds.
Regression test for #6088
"""
from django.middleware.csrf import _get_new_csrf_token
self.csrf_client.login(username=self.username, password=self.password)
# Set the csrf_token cookie so that CsrfViewMiddleware._get_token() works
token = _get_new_csrf_token()
self.csrf_client.cookies[settings.CSRF_COOKIE_NAME] = token
# Post the token matching the cookie value
response = self.csrf_client.post('/session/', {
'example': 'example',
'csrfmiddlewaretoken': token,
})
assert response.status_code == status.HTTP_200_OK
def test_create_token_sets_cookie(api_client, customer_user, settings, monkeypatch):
csrf_token = _get_new_csrf_token()
monkeypatch.setattr(
"polygon.graphql.account.mutations.jwt._get_new_csrf_token", lambda: csrf_token
)
variables = {"email": customer_user.email, "password": customer_user._password}
response = api_client.post_graphql(MUTATION_CREATE_TOKEN, variables)
expected_refresh_token = create_refresh_token(
customer_user, {"csrfToken": csrf_token}
)
refresh_token = response.cookies["refreshToken"]
assert refresh_token.value == expected_refresh_token
expected_expires = datetime.utcnow() + settings.JWT_TTL_REFRESH
expected_expires += timedelta(seconds=1)
expires = datetime.strptime(refresh_token["expires"], "%a, %d %b %Y %H:%M:%S %Z")
assert expires == expected_expires
assert refresh_token["httponly"]
assert refresh_token["secure"]
def create_tokens_from_oauth_payload(
token_data: dict,
user: User,
claims: CodeIDToken,
permissions: Optional[List[str]],
owner: str,
):
refresh_token = token_data.get("refresh_token")
access_token = token_data.get("access_token", "")
tokens = {
"token": create_jwt_token(claims, user, access_token, permissions,
owner),
}
if refresh_token:
csrf_token = _get_new_csrf_token()
tokens["refresh_token"] = create_jwt_refresh_token(
user, refresh_token, csrf_token, owner)
tokens["csrf_token"] = csrf_token
return tokens
def test_refresh_token_get_token_from_input(api_client, customer_user,
settings):
csrf_token = _get_new_csrf_token()
refresh_token = create_refresh_token(customer_user,
{"csrfToken": csrf_token})
variables = {"token": refresh_token, "csrf_token": None}
response = api_client.post_graphql(MUTATION_TOKEN_REFRESH, variables)
content = get_graphql_content(response)
data = content["data"]["tokenRefresh"]
errors = data["accountErrors"]
assert not errors
token = data.get("token")
assert token
payload = jwt_decode(token)
assert payload["email"] == customer_user.email
assert datetime.fromtimestamp(payload["iat"]) == datetime.utcnow()
assert (datetime.fromtimestamp(payload["exp"]) == datetime.utcnow() +
settings.JWT_TTL_ACCESS)
assert payload["type"] == JWT_ACCESS_TYPE
def test_refresh_token_when_expired(api_client, customer_user):
with freeze_time("2018-05-31 12:00:01"):
csrf_token = _get_new_csrf_token()
refresh_token = create_refresh_token(customer_user, {"csrfToken": csrf_token})
variables = {"token": None, "csrf_token": csrf_token}
api_client.cookies[JWT_REFRESH_TOKEN_COOKIE_NAME] = refresh_token
api_client.cookies[JWT_REFRESH_TOKEN_COOKIE_NAME]["httponly"] = True
response = api_client.post_graphql(MUTATION_TOKEN_REFRESH, variables)
content = get_graphql_content(response)
data = content["data"]["tokenRefresh"]
errors = data["errors"]
token = data.get("token")
assert not token
assert len(errors) == 1
assert errors[0]["code"] == AccountErrorCode.JWT_SIGNATURE_EXPIRED.name
def test_contributor_can_list_their_contributions(self):
refresh_token = ContributorRefreshToken.for_contributor(
self.contributor_user.uuid)
self.client.cookies[
"Authorization"] = refresh_token.long_lived_access_token
self.client.cookies["csrftoken"] = csrf._get_new_csrf_token()
def _ensure_all_contributions_belong_to_contributor(results):
contribution_ids = [result["id"] for result in results]
self.assertTrue(
set(contribution_ids).issubset(
set(
self.contributor_user.contribution_set.values_list(
"id", flat=True))))
expected_count = Contribution.objects.filter(
contributor=self.contributor_user).count()
self.assert_contributor_user_can_list(
self.list_url,
expected_count,
assert_all=_ensure_all_contributions_belong_to_contributor)
def perform_mutation(cls, root, info, **data):
zalouser = "******" % data['user']
user = cls._retrieve_user_from_zalo_credentials(zalouser, data["zalotoken"])
access_token = create_access_token(user)
csrf_token = _get_new_csrf_token()
refresh_token = create_refresh_token(user, {"csrfToken": csrf_token})
info.context.refresh_token = refresh_token
info.context._cached_user = user
user.last_login = timezone.now()
if user.pk is None:
user.save()
else:
user.save(update_fields=["last_login"])
return cls(
errors=[],
user=user,
token=access_token,
refresh_token=refresh_token,
csrf_token=csrf_token,
)
def test_refresh_token_get_token_from_cookie(api_client, customer_user,
settings):
csrf_token = _get_new_csrf_token()
refresh_token = create_refresh_token(customer_user,
{"csrfToken": csrf_token})
variables = {"token": None, "csrf_token": csrf_token}
api_client.cookies[JWT_REFRESH_TOKEN_COOKIE_NAME] = refresh_token
api_client.cookies[JWT_REFRESH_TOKEN_COOKIE_NAME]["httponly"] = True
response = api_client.post_graphql(MUTATION_TOKEN_REFRESH, variables)
content = get_graphql_content(response)
data = content["data"]["tokenRefresh"]
errors = data["accountErrors"]
assert not errors
token = data.get("token")
assert token
payload = decode(token, settings.SECRET_KEY, algorithms=JWT_ALGORITHM)
assert payload["email"] == customer_user.email
assert datetime.fromtimestamp(payload["iat"]) == datetime.utcnow()
assert (datetime.fromtimestamp(payload["exp"]) == datetime.utcnow() +
settings.JWT_TTL_ACCESS)
assert payload["type"] == JWT_ACCESS_TYPE
assert payload["token"] == customer_user.jwt_token_key
def csrf_token(self):
return str(csrf._get_new_csrf_token())
from nose.tools import nottest
from .util import MinimalQuery, FakeChangeRecord
from ..models import SemanticField, SearchWord, Lexeme
from ..serializers import SemanticFieldSerializer
from lib import util
from lib.testutil import wipd
user_model = get_user_model()
def _make_test_url(sf):
return "http://testserver" + sf.detail_url
FAKE_CSRF = _get_new_csrf_token()
class _Mixin(object):
def setUp(self):
super(_Mixin, self).setUp()
translation.activate('en-us')
# This exists so that we can use setUpTestData and setUp later.
@classmethod
def create_data_for(cls, whom):
whom.noperm = user_model.objects.create(username="******", password="******")
whom.perm = user_model.objects.create(username="******", password="******")
whom.perm.user_permissions.add(
Permission.objects.get(
content_type=ContentType.objects.get_for_model(SemanticField),
from django.middleware.csrf import _get_new_csrf_token
from cms.test_utils.testcases import BaseCMSTestCase
from nose.tools import nottest
from .util import MinimalQuery, FakeChangeRecord
from ..models import SemanticField, SearchWord, Lexeme
from ..serializers import SemanticFieldSerializer
from lib import util
from lib.testutil import wipd
user_model = get_user_model()
def _make_test_url(sf):
return "http://testserver" + sf.detail_url
FAKE_CSRF = _get_new_csrf_token().encode("utf-8")
class _Mixin(object):
def setUp(self):
super(_Mixin, self).setUp()
translation.activate('en-us')
# This exists so that we can use setUpTestData and setUp later.
@classmethod
def create_data_for(cls, whom):
whom.noperm = user_model.objects.create(username="******", password="******")
whom.perm = user_model.objects.create(username="******", password="******")
whom.perm.user_permissions.add(Permission.objects.get(
content_type=ContentType.objects.get_for_model(SemanticField),
codename="add_semanticfield"))
def get_auth_token(request):
new_auth_token = _get_new_csrf_token()
new_user = UserTokens.create(new_auth_token)
return ResponseModelJson.success(auth_tok=new_user.key)