def test_password_reset_no_new_password(test_project, waf, create_users):
    """POST to the reset endpoint without ``new_password`` and expect 401.

    A valid selector/verifier pair is inserted into ``user_password_reset``
    for the first row of the ``user`` table, then the reset URL for that
    user is posted with a JSON body carrying only ``username``. The request
    must be rejected rather than silently treated as a password change.
    """
    payload = {
        'username': '******',
    }
    selector, verifier = users._generate_split_token()
    # The URL token is the decoded selector immediately followed by the
    # decoded verifier.
    reset_token = f'{selector.decode("utf-8")}{verifier.decode("utf-8")}'
    with get_engine().connect() as conn:
        first_user = conn.execute(
            sa.select('*').select_from(user)).fetchone()
        payload['username'] = first_user.username
        expires_at = get_utc(
            datetime.datetime.now() + datetime.timedelta(hours=3))
        # Only the SHA-256 hex digest of the verifier is persisted; the
        # selector is stored as-is.
        # NOTE(review): str(selector) on a bytes value stores "b'...'" rather
        # than the decoded text - kept as in the original fixture; confirm the
        # lookup in the reset view expects the same representation.
        conn.execute(user_password_reset.insert().values(
            user_id=first_user.id,
            selector=str(selector),
            verifier=hashlib.sha256(verifier).hexdigest(),
            expires=expires_at,
        ))
    encoded_user_id = users.encode_user_id(first_user.id)
    request, _ = testing.simulate_request(waf)
    middleware = testing.injected_session_start(waf, request)
    _, response = waf.server.test_client.post(
        f'/auth/password_reset/{encoded_user_id}/{reset_token}/',
        json=payload,
        headers=testing.csrf_headers())
    testing.injected_session_end(waf, middleware)
    assert response.status == 401
async def generate_reset_split_token(user_id, database=None):
    """Create and persist a password reset token for ``user_id``.

    :param user_id: Int. User id to generate split token for.
    :param database: String. Database name to connect to. (Default: None - use jawaf.auth default)
    :return: String. Joined token (decoded selector followed by decoded verifier).
    """
    db_key = _database_key(database)
    selector, verifier = _generate_split_token()
    async with Connection(db_key) as con:
        expiry_hours = settings.AUTH_CONFIG['password_reset_expiration']
        # Only the SHA-256 hex digest of the verifier is persisted; the
        # selector is stored as-is (raw bytes from _generate_split_token).
        reset_row = user_password_reset.insert().values(
            user_id=user_id,
            selector=selector,
            verifier=hashlib.sha256(verifier).hexdigest(),
            expires=get_utc(
                datetime.datetime.now()
                + datetime.timedelta(hours=expiry_hours)),
        )
        await con.execute(reset_row)
    return '%s%s' % (selector.decode('utf-8'), verifier.decode('utf-8'))
def test_password_reset(test_project, waf, create_users):
    """POST a valid reset token for user id 1 with a new password; expect 200.

    A selector/verifier pair is inserted directly into ``user_password_reset``
    for user id 1, then the reset URL is posted with ``username`` and
    ``new_password`` as form data.
    """
    target_user_id = 1
    payload = {
        'username': '******',
        'new_password': '******',
    }
    selector, verifier = users._generate_split_token()
    reset_token = '%s%s' % (selector.decode('utf-8'), verifier.decode('utf-8'))
    three_hours = datetime.timedelta(hours=3)
    with get_engine().connect() as conn:
        # Only the SHA-256 hex digest of the verifier is persisted.
        # NOTE(review): str(selector) on a bytes value stores "b'...'" rather
        # than the decoded text - kept as in the original fixture; confirm the
        # lookup in the reset view expects the same representation.
        conn.execute(user_password_reset.insert().values(
            user_id=target_user_id,
            selector=str(selector),
            verifier=hashlib.sha256(verifier).hexdigest(),
            expires=get_utc(datetime.datetime.now() + three_hours),
        ))
    encoded_user_id = users.encode_user_id(target_user_id)
    # NOTE(review): this request sends form data (``data=``) and no CSRF
    # headers, unlike test_password_reset_no_new_password - confirm intended.
    _, response = waf.server.test_client.post(
        '/auth/password_reset/%s/%s/' % (encoded_user_id, reset_token),
        data=payload)
    assert response.status == 200