class DropdownWithAuthTests(TestCase): """Tests correct dropdown behaviour with Auth views enabled.""" urls = 'tests.browsable_api.auth_urls' def setUp(self): self.client = APIClient(enforce_csrf_checks=True) self.username = '******' self.email = '*****@*****.**' self.password = '******' self.user = User.objects.create_user(self.username, self.email, self.password) def tearDown(self): self.client.logout() def test_name_shown_when_logged_in(self): self.client.login(username=self.username, password=self.password) response = self.client.get('/') self.assertContains(response, 'john') def test_logout_shown_when_logged_in(self): self.client.login(username=self.username, password=self.password) response = self.client.get('/') self.assertContains(response, '>Log out<') def test_login_shown_when_logged_out(self): response = self.client.get('/') self.assertContains(response, '>Log in<')
def test_explicitly_enforce_csrf_checks(self): """ The test client can enforce CSRF checks. """ client = APIClient(enforce_csrf_checks=True) User.objects.create_user('example', '*****@*****.**', 'password') client.login(username='******', password='******') response = client.post('/view/') expected = {'detail': 'CSRF Failed: CSRF cookie not set.'} self.assertEqual(response.status_code, 403) self.assertEqual(response.data, expected)
class SessionAuthTests(TestCase): """User session authentication""" urls = 'tests.test_authentication' def setUp(self): self.csrf_client = APIClient(enforce_csrf_checks=True) self.non_csrf_client = APIClient(enforce_csrf_checks=False) self.username = '******' self.email = '*****@*****.**' self.password = '******' self.user = User.objects.create_user(self.username, self.email, self.password) def tearDown(self): self.csrf_client.logout() def test_login_view_renders_on_get(self): """ Ensure the login template renders for a basic GET. cf. [#1810](https://github.com/tomchristie/django-rest-framework/pull/1810) """ response = self.csrf_client.get('/auth/login/') self.assertContains(response, '<label for="id_username">Username:</label>') def test_post_form_session_auth_failing_csrf(self): """ Ensure POSTing form over session authentication without CSRF token fails. """ self.csrf_client.login(username=self.username, password=self.password) response = self.csrf_client.post('/session/', {'example': 'example'}) self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) def test_post_form_session_auth_passing(self): """ Ensure POSTing form over session authentication with logged in user and CSRF token passes. """ self.non_csrf_client.login(username=self.username, password=self.password) response = self.non_csrf_client.post('/session/', {'example': 'example'}) self.assertEqual(response.status_code, status.HTTP_200_OK) def test_put_form_session_auth_passing(self): """ Ensure PUTting form over session authentication with logged in user and CSRF token passes. """ self.non_csrf_client.login(username=self.username, password=self.password) response = self.non_csrf_client.put('/session/', {'example': 'example'}) self.assertEqual(response.status_code, status.HTTP_200_OK) def test_post_form_session_auth_failing(self): """ Ensure POSTing form over session authentication without logged in user fails. """ response = self.csrf_client.post('/session/', {'example': 'example'}) self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
class TestAPITestClient(TestCase): urls = 'tests.test_testing' def setUp(self): self.client = APIClient() def test_credentials(self): """ Setting `.credentials()` adds the required headers to each request. """ self.client.credentials(HTTP_AUTHORIZATION='example') for _ in range(0, 3): response = self.client.get('/view/') self.assertEqual(response.data['auth'], 'example') def test_force_authenticate(self): """ Setting `.force_authenticate()` forcibly authenticates each request. """ user = User.objects.create_user('example', '*****@*****.**') self.client.force_authenticate(user) response = self.client.get('/view/') self.assertEqual(response.data['user'], 'example') def test_force_authenticate_with_sessions(self): """ Setting `.force_authenticate()` forcibly authenticates each request. """ user = User.objects.create_user('example', '*****@*****.**') self.client.force_authenticate(user) # First request does not yet have an active session response = self.client.get('/session-view/') self.assertEqual(response.data['active_session'], False) # Subsequant requests have an active session response = self.client.get('/session-view/') self.assertEqual(response.data['active_session'], True) # Force authenticating as `None` should also logout the user session. self.client.force_authenticate(None) response = self.client.get('/session-view/') self.assertEqual(response.data['active_session'], False) def test_csrf_exempt_by_default(self): """ By default, the test client is CSRF exempt. """ User.objects.create_user('example', '*****@*****.**', 'password') self.client.login(username='******', password='******') response = self.client.post('/view/') self.assertEqual(response.status_code, 200) def test_explicitly_enforce_csrf_checks(self): """ The test client can enforce CSRF checks. """ client = APIClient(enforce_csrf_checks=True) User.objects.create_user('example', '*****@*****.**', 'password') client.login(username='******', password='******') response = client.post('/view/') expected = {'detail': 'CSRF Failed: CSRF cookie not set.'} self.assertEqual(response.status_code, 403) self.assertEqual(response.data, expected) def test_can_logout(self): """ `logout()` resets stored credentials """ self.client.credentials(HTTP_AUTHORIZATION='example') response = self.client.get('/view/') self.assertEqual(response.data['auth'], 'example') self.client.logout() response = self.client.get('/view/') self.assertEqual(response.data['auth'], b'') def test_logout_resets_force_authenticate(self): """ `logout()` resets any `force_authenticate` """ user = User.objects.create_user('example', '*****@*****.**', 'password') self.client.force_authenticate(user) response = self.client.get('/view/') self.assertEqual(response.data['user'], 'example') self.client.logout() response = self.client.get('/view/') self.assertEqual(response.data['user'], '') def test_follow_redirect(self): """ Follow redirect by setting follow argument. """ response = self.client.get('/redirect-view/') self.assertEqual(response.status_code, 302) response = self.client.get('/redirect-view/', follow=True) self.assertIsNotNone(response.redirect_chain) self.assertEqual(response.status_code, 200) response = self.client.post('/redirect-view/') self.assertEqual(response.status_code, 302) response = self.client.post('/redirect-view/', follow=True) self.assertIsNotNone(response.redirect_chain) self.assertEqual(response.status_code, 200) response = self.client.put('/redirect-view/') self.assertEqual(response.status_code, 302) response = self.client.put('/redirect-view/', follow=True) self.assertIsNotNone(response.redirect_chain) self.assertEqual(response.status_code, 200) response = self.client.patch('/redirect-view/') self.assertEqual(response.status_code, 302) response = self.client.patch('/redirect-view/', follow=True) self.assertIsNotNone(response.redirect_chain) self.assertEqual(response.status_code, 200) response = self.client.delete('/redirect-view/') self.assertEqual(response.status_code, 302) response = self.client.delete('/redirect-view/', follow=True) self.assertIsNotNone(response.redirect_chain) self.assertEqual(response.status_code, 200) response = self.client.options('/redirect-view/') self.assertEqual(response.status_code, 302) response = self.client.options('/redirect-view/', follow=True) self.assertIsNotNone(response.redirect_chain) self.assertEqual(response.status_code, 200)