def get(self):
"""
---
get:
tags: ["Token"]
description: Gets a new user token
responses:
200:
description: Ok
"""
user_id = flask_login.current_user.fs_uniquifier
serializer = TimedJSONWebSignatureSerializer(
app.config['SECRET_KEY'],
salt="api_token",
expires_in=int(faraday_server.api_token_expiration))
hashed_data = hash_data(
flask_login.current_user.password
) if flask_login.current_user.password else None
user_ip = request.headers.get('X-Forwarded-For', request.remote_addr)
requested_at = datetime.datetime.utcnow()
audit_logger.info(
f"User [{flask_login.current_user.username}] requested token from IP [{user_ip}] at [{requested_at}]"
)
return serializer.dumps({
'user_id': user_id,
"validation_check": hashed_data
}).decode('utf-8')
def test_verify_hash(in_app_context):
data = hash_data("hellö")
assert verify_hash(data, "hellö") is True
assert verify_hash(data, "hello") is False
legacy_data = hashlib.md5(encode_string("hellö")).hexdigest()
assert verify_hash(legacy_data, "hellö") is True
assert verify_hash(legacy_data, "hello") is False
def test_verify_hash(in_app_context):
data = hash_data(u'hellö')
assert verify_hash(data, u'hellö') is True
assert verify_hash(data, u'hello') is False
legacy_data = hashlib.md5(encode_string(u'hellö')).hexdigest()
assert verify_hash(legacy_data, u'hellö') is True
assert verify_hash(legacy_data, u'hello') is False
def generate_change_email_confirmation_token(user, new_email):
"""Generates a unique confirmation token for the specified user.
Based on generate_confirmation_token in Flask-Security.
:param user: The user to work with
:param new_email: The user's new email address
"""
data = [str(user.id), hash_data(user.email), new_email]
return _security.confirm_serializer.dumps(data)
def get(self):
user_id = g.user.id
serializer = TimedJSONWebSignatureSerializer(
app.config['SECRET_KEY'],
salt="api_token",
expires_in=faraday_server.api_token_expiration
)
hashed_data = hash_data(g.user.password) if g.user.password else None
return serializer.dumps({'user_id': user_id, "validation_check": hashed_data}).decode('utf-8')
def test_hash_data(in_app_context):
data = hash_data(b"hello")
assert isinstance(data, str)
data = hash_data("hellö")
assert isinstance(data, str)
def test_legacy_hash(in_app_context, data):
legacy_hash = hashlib.md5(encode_string(data)).hexdigest()
new_hash = hash_data(data)
assert legacy_hash == new_hash
def test_hash_data(in_app_context):
data = hash_data(b'hello')
assert isinstance(data, str)
data = hash_data(u'hellö')
assert isinstance(data, str)
def test_user_registration_and_login(live_server, env_browser):
"""E2E user registration and login test."""
browser = env_browser
# 1. Go to user registration page
browser.get(flask.url_for('security.register', _external=True))
e2e_assert_url(browser, 'security.register')
# 2. Input user data
signup_form = browser.find_element_by_name('register_user_form')
input_email = signup_form.find_element_by_name('email')
input_password = signup_form.find_element_by_name('password')
# input w/ name "email"
# input w/ name "password"
user_email = '*****@*****.**'
user_password = '******'
input_email.send_keys(user_email)
input_password.send_keys(user_password)
# 3. submit form
signup_form.submit()
# ...and get a message saying to expect an email
success_element = browser.find_element_by_css_selector('.alert-success')
assert (success_element is not None)
assert (success_element.text ==
'Thank you. Confirmation instructions have been sent to {}.'.
format(user_email))
# 3.5: After registering we should not yet be logged in.
e2e_assert(browser, not testutils.webdriver_authenticated(browser),
'Should not be authenticated')
# 4. go to login-form
browser.get(flask.url_for('security.login', _external=True))
e2e_assert_url(browser, 'security.login')
login_form = browser.find_element_by_name('login_user_form')
# 5. input registered info
login_form.find_element_by_name('email').send_keys(user_email)
login_form.find_element_by_name('password').send_keys(user_password)
# 6. Submit!
login_form.submit()
# 7. We should not yet be able to log in as we haven't confirmed the email
error_element = browser.find_element_by_css_selector('.alert-danger')
assert (error_element is not None)
assert ('Email requires confirmation.' in error_element.text)
e2e_assert(browser, not testutils.webdriver_authenticated(browser),
'Should not be authenticated')
# 8. Check that the resend confirmation link works
browser.get(flask.url_for('security.send_confirmation', _external=True))
e2e_assert_url(browser, 'security.send_confirmation')
email_confirm_form = browser.find_element_by_name('send_confirmation_form')
# 8a. input registered info
email_confirm_form.find_element_by_name('email').send_keys(user_email)
# 8b. Submit!
email_confirm_form.submit()
info_element = browser.find_element_by_css_selector('.alert-info')
assert (info_element is not None)
assert ('Confirmation instructions have been sent to %s.' % user_email
in info_element.text)
# 9a Generate a confirmation token (this is how it's done in flask_security)
data = ['2', utils.hash_data(user_email)]
serializer = URLSafeTimedSerializer(secret_key="CHANGE_ME",
salt="CHANGE_ME")
token = serializer.dumps(data)
# 9b Go to the confirmation URL with our token
browser.get(
flask.url_for('security.confirm_email', token=token, _external=True))
# 9c Check that we're on the dashboard and we've got a success message
e2e_assert_url(browser, 'hep_dashboard.dashboard')
success_element = browser.find_element_by_css_selector('.alert-success')
assert (success_element is not None)
assert ('Thank you. Your email has been confirmed.'
in success_element.text)
# 9d We should now be logged in
e2e_assert(browser, testutils.webdriver_authenticated(browser),
'Should be authenticated')
# 10. logout.
browser.get(flask.url_for('security.logout', _external=True))
e2e_assert(browser, not testutils.webdriver_authenticated(browser),
'Should not be authenticated')
# 11. go back to login-form
browser.get(flask.url_for('security.login', _external=True))
e2e_assert_url(browser, 'security.login')
login_form = browser.find_element_by_name('login_user_form')
# 11a. input registered info
login_form.find_element_by_name('email').send_keys(user_email)
login_form.find_element_by_name('password').send_keys(user_password)
# 11b. Submit!
# check if authenticated at `flask.url_for('security.change_password')`
login_form.submit()
e2e_assert(browser, testutils.webdriver_authenticated(browser))
# 12. check we can access the change password screen
browser.get(flask.url_for('security.change_password', _external=True))
e2e_assert_url(browser, 'security.change_password')
# 13. logout.
browser.get(flask.url_for('security.logout', _external=True))
e2e_assert(browser, not testutils.webdriver_authenticated(browser),
'Should not be authenticated')
def test_hash_data(in_app_context):
data = hash_data(b'hello')
assert isinstance(data, string_types)
data = hash_data(u'hellö')
assert isinstance(data, string_types)
def test_legacy_hash(in_app_context, data):
legacy_hash = hashlib.md5(encode_string(data)).hexdigest()
new_hash = hash_data(data)
assert legacy_hash == new_hash