def test_reset_password(database): """Test resetting a user password.""" # -- Setup ---------------------------------------------------------------- # # Create one active user. username = '******' password = '******' with database.session() as session: # After a reset request has been send the previous password should # still be valid. users = UserManager(session) auth = OpenAccessAuth(session) user_id = users.register_user(username, password).user_id # -- Test reset password -------------------------------------------------- with database.session() as session: users = UserManager(session) auth = OpenAccessAuth(session) # Ensure login works prior to reset request. token = users.login_user(username, password).api_key.value assert auth.authenticate(token).user_id == user_id request_id = users.request_password_reset(username) password = '******' user = users.reset_password(request_id=request_id, password=password) assert user.user_id == user_id # After resetting the password the previous API key for the user is # invalid with pytest.raises(err.UnauthenticatedAccessError): auth.authenticate(token) token = users.login_user('*****@*****.**', 'mypwd').api_key.value assert auth.authenticate(token).user_id == user_id # -- Test login after request --------------------------------------------- with database.session() as session: # After a reset request has been send the previous password should # still be valid. users = UserManager(session) auth = OpenAccessAuth(session) users.request_password_reset(username) token = users.login_user(username, password).api_key.value assert auth.authenticate(token).user_id == user_id # -- Test request reset for unknown user ---------------------------------- with database.session() as session: users = UserManager(session) assert users.request_password_reset('*****@*****.**') is not None # --Error cases ----------------------------------------------------------- with database.session() as session: # An error is raised when (i) trying to use a request for an unknown # user, (ii) a previously completed reset request, or (iii) an unknown # request identifier to reset a user password users = UserManager(session) with pytest.raises(err.UnknownRequestError): users.reset_password(request_id=request_id, password=password) with pytest.raises(err.UnknownRequestError): users.reset_password(request_id='UNKNOWN', password=password) with pytest.raises(err.UnknownRequestError): users.reset_password(request_id='unknown', password=password)
def test_reset_request_timeout(database): """Test resetting a user password using a request identifier that has timed out. """ # -- Setup ---------------------------------------------------------------- # # Create database with single active user. username = '******' with database.session() as session: users = UserManager(session) users.register_user(username, 'pwd1') # -- Test password reset after timed-out ---------------------------------- with database.session() as session: # Request a password reset and then sleep for a period of time that is # lonker than the token timeout period. users = UserManager(session, token_timeout=1) request_id = users.request_password_reset(username) time.sleep(2) with pytest.raises(err.UnknownRequestError): users.reset_password(request_id=request_id, password='******')