Esempio n. 1
0
    def test_session_fixation(self):
        """Ensure if session is empty that a new session is given."""
        user1 = create_account('user1', '*****@*****.**', 'Password')
        activate(user1)
        resp = self.client.post(url_for('auth.signin'), data={
            'username': '******',
            'password': '******'
        })

        session_id = None
        for header in resp.headers:
            if header[0] == 'Set-Cookie':
                session_id = parse_cookie(header[1])['session']
                rs.delete(session_id)

        resp = self.client.post(url_for('auth.signin'), data={
            'username': '******',
            'password': '******'
        })

        # Find the Set-Cookie header so we can parse it and check the session
        # identifier has been updated
        for header in resp.headers:
            if header[0] == 'Set-Cookie':
                self.assertNotEqual(session_id,
                                    parse_cookie(header[1])['session'])
Esempio n. 2
0
    def test_session_fixation(self):
        """Ensure if session is empty that a new session is given."""
        user1 = create_account('user1', '*****@*****.**', 'Password')
        activate(user1)
        resp = self.client.post(url_for('auth.signin'),
                                data={
                                    'username': '******',
                                    'password': '******'
                                })

        session_id = None
        for header in resp.headers:
            if header[0] == 'Set-Cookie':
                session_id = parse_cookie(header[1])['session']
                rs.delete(session_id)

        resp = self.client.post(url_for('auth.signin'),
                                data={
                                    'username': '******',
                                    'password': '******'
                                })

        # Find the Set-Cookie header so we can parse it and check the session
        # identifier has been updated
        for header in resp.headers:
            if header[0] == 'Set-Cookie':
                self.assertNotEqual(session_id,
                                    parse_cookie(header[1])['session'])
Esempio n. 3
0
    def test_session_fixation(self):
        """Ensure if session is empty that a new session is given."""
        user1 = create_account("user1", "*****@*****.**", "Password")
        activate(user1)
        resp = self.client.post(url_for("auth.signin"), data={"username": "******", "password": "******"})

        session_id = None
        for header in resp.headers:
            if header[0] == "Set-Cookie":
                session_id = parse_cookie(header[1])["session"]
                rs.delete(session_id)

        resp = self.client.post(url_for("auth.signin"), data={"username": "******", "password": "******"})

        # Find the Set-Cookie header so we can parse it and check the session
        # identifier has been updated
        for header in resp.headers:
            if header[0] == "Set-Cookie":
                self.assertNotEqual(session_id, parse_cookie(header[1])["session"])
Esempio n. 4
0
    def test_signin_signout(self):
        """
        These functions will test the signin and signout endpoints. We will use
        url_for so that we can change the URIs in the future.
        """
        # Test that we can GET the signin page
        resp = self.client.get(url_for('auth.signin'))
        # We should get a 200 with an error message if we were not successful
        self.assertEqual(resp.status_code, 200)

        # There is no user in the system check that we can't authenticate
        resp = self.client.post(url_for('auth.signin'), data={
            'username': '******',
            'password': '******'
        })
        # We should get a 200 with an error message if we were not successful
        self.assertEqual(resp.status_code, 200)
        self.assertIn('Invalid user name or password', resp.data)

        # Why we are here we will just check that logging in doesn't raise an
        # issue if not logged in
        resp = self.client.get(url_for('auth.signout'))
        # We should be 302 redirected to /signin
        self.assertEqual(resp.status_code, 302)
        # There is nothing we can really check as we do not flash() as message

        # Create a test user and try loggin in, should fail as the user isn't
        # activated
        user1 = create_account('user1', '*****@*****.**', 'Password')
        resp = self.client.post(url_for('auth.signin'), data={
            'username': '******',
            'password': '******'
        })
        # We should get a 200 with an information message
        self.assertEqual(resp.status_code, 200)
        self.assertIn('Please activate your account', resp.data)

        # Activate account
        self.assertTrue(activate(user1))

        resp = self.client.post(url_for('auth.signin'), data={
            'username': '******',
            'password': '******',
            'keep_signed_in': True
        })
        # Check we are redirected
        self.assertEqual(resp.status_code, 302)

        # Log back out
        self.client.get(url_for('auth.signout'))

        # Test that the correct warning is shown if the user is banned
        self.assertTrue(ban(user1))
        resp = self.client.post(url_for('auth.signin'), data={
            'username': '******',
            'password': '******'
        })
        # We should get a 200 with an information message
        self.assertEqual(resp.status_code, 200)
        self.assertIn('You\'re a very naughty boy!', resp.data)
        # Lets unban the user now so we can carry on
        self.assertTrue(ban(user1, False))

        # Now the user is active and not banned actualy log in
        resp = self.client.post(url_for('auth.signin'), data={
            'username': '******',
            'password': '******'
        }, follow_redirects=True)
        self.assertEqual(resp.status_code, 200)
        self.assertIn('<h1>Feed</h1>', resp.data)

        # Attempt to try and get back to login when we are already logged in
        resp = self.client.get(url_for('auth.signin'))
        self.assertEqual(resp.status_code, 302)

        # Now we are logged in lets just ensure logout doesn't do anything daft
        # We should be redirected back to /
        resp = self.client.get(url_for('auth.signout'), follow_redirects=True)
        # We should have been 302 redirected to /signin
        self.assertEqual(resp.status_code, 200)
        self.assertIn('Successfully signed out', resp.data)

        # Lets try and cheat the system
        # Attempt invalid Password
        resp = self.client.post(url_for('auth.signin'), data={
            'username': '******',
            'password': '******'
        }, follow_redirects=True)
        # We should get a 200 with an error message if we were not successful
        self.assertEqual(resp.status_code, 200)
        self.assertIn('Invalid user name or password', resp.data)

        # Attempt user does not exist
        resp = self.client.post(url_for('auth.signin'), data={
            'username': '******',
            'password': '******'
        })
        # We should get a 200 with an error message if we were not successful
        self.assertEqual(resp.status_code, 200)
        self.assertIn('Invalid user name or password', resp.data)

        # Log the user in and ensure they are logged out if there account
        # is banned during using the site and not just at login
        resp = self.client.post(url_for('auth.signin'), data={
            'username': '******',
            'password': '******'
        }, follow_redirects=True)
        self.assertEqual(resp.status_code, 200)
        self.assertIn('<h1>Feed</h1>', resp.data)
        # Lets go to another view, we will check out profile and look for our
        # username
        resp = self.client.get(url_for('users.settings_profile'))
        self.assertEqual(resp.status_code, 200)
        self.assertIn('*****@*****.**', resp.data)
        # Let's ban the user now
        self.assertTrue(ban(user1))
        # Attempt to get to the feed
        resp = self.client.get(url_for('users.feed'), follow_redirects=True)
        # We should be redirected to signin with the standard message
        self.assertEqual(resp.status_code, 200)
        self.assertIn('You\'re a very naughty boy!', resp.data)

        # Adding test from form.validate() == False in signup
        # Coverage
        resp = self.client.post(url_for('auth.signin'), data={
            'username': '',
            'password': ''
        }, follow_redirects=True)
        self.assertEqual(resp.status_code, 200)
        self.assertIn('Invalid user name or password', resp.data)

        # Log in with user1 and remove the session part way through
        resp = self.client.post(url_for('auth.signin'), data={
            'username': '******',
            'password': '******'
        }, follow_redirects=True)
        self.assertEqual(resp.status_code, 200)

        # Find the Set-Cookie header so we can parse then delete it
        session_id = None
        for header in resp.headers:
            if header[0] == 'Set-Cookie':
                session_id = parse_cookie(header[1])['session']
                rs.delete(session_id)

        resp = self.client.get(url_for('users.profile', username='******'),
                               follow_redirects=True)
        self.assertIn('You need to be logged in to view that', resp.data)

        # Find the Set-Cookie header so we can parse it and check the session
        # identifier has been updated
        for header in resp.headers:
            if header[0] == 'Set-Cookie':
                self.assertNotEqual(session_id,
                                    parse_cookie(header[1])['session'])