def test_cant_recover_to_same_or_old_password_if_in_settings(self):
""" Assert that it's not possible to recover to the same or old password if configured """
ChannelSetting.objects.create(key="CANT_REUSE_LAST_PASSWORDS",
value="2",
object_channel="default")
cache.clear()
response = create_user('*****@*****.**',
'old_password')
client = APIClient()
create_token('*****@*****.**')
response = client.post(
reverse('recover-password-list'), {
'new_password': '******',
'token': PasswordRecoveryToken.objects.last().token
},
format="json")
self.assertTrue(response.status_code == 200)
create_token('*****@*****.**')
response = client.post(
reverse('recover-password-list'), {
'new_password': '******',
'token': PasswordRecoveryToken.objects.last().token
},
format="json")
self.assertTrue(response.status_code == 400)
create_token('*****@*****.**')
response = client.post(
reverse('recover-password-list'), {
'new_password': '******',
'token': PasswordRecoveryToken.objects.last().token
},
format="json")
self.assertTrue(response.status_code == 400)
create_token('*****@*****.**')
response = client.post(
reverse('recover-password-list'), {
'new_password': '******',
'token': PasswordRecoveryToken.objects.last().token
},
format="json")
self.assertTrue(response.status_code == 200)
create_token('*****@*****.**')
response = client.post(
reverse('recover-password-list'), {
'new_password': '******',
'token': PasswordRecoveryToken.objects.last().token
},
format="json")
self.assertTrue(response.status_code == 200)
def test_cant_recover_with_empty_password(self):
"""Assert that it's impossible to update password through recovery to an empty password"""
# Request token
user = create_user('*****@*****.**')
mail.outbox = [] # Clear outbox
response = create_token('*****@*****.**')
# Get Token from mailbox
email_content = mail.outbox[0].alternatives[0][0]
token = re.search(
'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}',
email_content).group(0)
# Recover Password
data = {
'email': '*****@*****.**',
'token': token,
'new_password': ''
}
client = APIClient()
response = client.post(reverse('recover-password-list'),
data,
format="json")
self.assertTrue(
response.data['message'] == 'Empty password not allowed.')
self.assertTrue(response.status_code == 400)
def test_can_recover_password(self):
"""Assert the user can recover his password with a valid token"""
# request token
user = create_user('*****@*****.**')
mail.outbox = [] # clear outbox
response = create_token('*****@*****.**')
# get token from mailbox
email_content = mail.outbox[0].alternatives[0][0]
token = re.search(
'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}',
email_content).group(0)
# recover password
data = {
'email': '*****@*****.**',
'token': token,
'new_password': '******'
}
client = APIClient()
response = client.post(reverse('recover-password-list'),
data,
format="json")
self.assertTrue(response.data['message'] == 'Password updated.')
# Test authentication new password
auth = authenticate('*****@*****.**', 'newpwvalidpw*')
self.assertTrue(auth.data['access_token'] != None)
def test_cant_create_6_tokens(self):
"""Assert that it's impossible to create more than 5 tokens in less than 60 minutes"""
user = create_user('*****@*****.**')
response = None
for i in range(6):
response = create_token('*****@*****.**')
self.assertFalse(response.data.get('success', False) == True)
def test_can_recover_to_same_or_old_password(self):
""" Assert that it's possible to recover to the same or old password """
response = create_user('*****@*****.**',
'old_password')
client = APIClient()
create_token('*****@*****.**')
response = client.post(
reverse('recover-password-list'), {
'new_password': '******',
'token': PasswordRecoveryToken.objects.last().token
},
format="json")
self.assertTrue(response.status_code == 200)
create_token('*****@*****.**')
response = client.post(
reverse('recover-password-list'), {
'new_password': '******',
'token': PasswordRecoveryToken.objects.last().token
},
format="json")
self.assertTrue(response.status_code == 200)
create_token('*****@*****.**')
response = client.post(
reverse('recover-password-list'), {
'new_password': '******',
'token': PasswordRecoveryToken.objects.last().token
},
format="json")
self.assertTrue(response.status_code == 200)
def test_channel_based_password_recovery(self):
""" Test user creation and retrieving """
self.test_channel_based_user_creation()
# Create token
response = create_token(email="*****@*****.**", headers={"HTTP_X_OVP_CHANNEL": "test-channel"})
self.assertEqual(PasswordRecoveryToken.objects.last().channel.slug, "test-channel")
# Recover password
data = {"email": "*****@*****.**", "token": PasswordRecoveryToken.objects.last().token, "new_password": "******"}
# Attempt to use token from another channel
response = self.client.post(reverse("recover-password-list"), data, format="json")
self.assertTrue(response.data["message"] == "Invalid token.")
# Use token
response = self.client.post(reverse("recover-password-list"), data, format="json", HTTP_X_OVP_CHANNEL="test-channel")
self.assertTrue(response.data["message"] == "Password updated.")
self.assertTrue(PasswordHistory.objects.last().channel.slug == "test-channel")
def test_cant_recover_invalid_token(self):
"""Assert that it's impossible to update password through recovery with an invalid user token"""
# Request token
user = create_user('*****@*****.**')
response = create_token('*****@*****.**')
# Recover Password
data = {
'email': '*****@*****.**',
'token': 'invalid_token',
'new_password': '******'
}
client = APIClient()
response = client.post(reverse('recover-password-list'),
data,
format="json")
self.assertTrue(response.data['message'] == 'Invalid token.')
self.assertTrue(response.status_code == 401)
def test_token_for_invalid_user(self):
"""Assert the server hides the fact user don't exist when requesting token"""
response = create_token('*****@*****.**')
self.assertTrue(response.data['success'] == True)
self.assertTrue(len(mail.outbox) == 0)
def test_can_create_token(self):
"""Assert that it's possible to create an recovery token"""
user = create_user('*****@*****.**')
response = create_token()
self.assertTrue(response.data['success'] == True)