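def test_webauthn_activate_not_enough_keys(test_client, init_database):
    """Activating WebAuthn with too few registered keys must leave it disabled.

    Signs in as ``thomas``, requests activation, and checks that the response
    still asks the user to register a key and that the stored ``Webauthn`` row
    for that same user is not enabled.

    Fix: the original looked the user up under a different literal than the
    one it signed in with, so the query returned ``None`` and the test crashed
    on attribute access instead of checking the security property.
    """
    username = "thomas"
    delete_session_cookie(test_client)
    sign_in(test_client, username, "qghjoiwjiklwek")

    activation_response = activate_webauthn(test_client)
    assert b"register" in activation_response.data

    # Look up exactly the account that was signed in above.
    user = User.query.filter_by(username=username).first()
    assert user is not None, "signed-in user is missing from the fixture database"
    webauthn = Webauthn.query.filter_by(user_id=user.did).first()
    assert webauthn is not None, "expected a Webauthn row for the signed-in user"
    assert webauthn.is_enabled is False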
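def test_webauthn_activate_enough_keys(test_client, init_database):
    """Activating WebAuthn with enough registered keys must enable it.

    Signs in as ``anna``, requests activation, and checks both the rendered
    response and the persisted ``Webauthn`` row for that same user.

    Fix: the original looked the user up under a different literal than the
    one it signed in with, so the query returned ``None`` and the test crashed
    on attribute access instead of checking the security property.
    """
    username = "anna"
    delete_session_cookie(test_client)
    sign_in(test_client, username, "ukehjwqbjhwqkbejw")

    activation_response = activate_webauthn(test_client)
    assert b"Enabled" in activation_response.data

    # Look up exactly the account that was signed in above.
    user = User.query.filter_by(username=username).first()
    assert user is not None, "signed-in user is missing from the fixture database"
    webauthn = Webauthn.query.filter_by(user_id=user.did).first()
    assert webauthn is not None, "expected a Webauthn row for the signed-in user"
    assert webauthn.is_enabled is True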
def test_remember_me_without_2fa_enabled(test_client, init_database):
    """A remember-me login without 2FA must survive loss of the session cookie."""
    greeting = b"Hello, josh_9"

    login_response = sign_in_remember(
        test_client,
        "josh_9",
        "m7ZTbjQdwuUFU/Zy6la+k6uUtniBExIgEhmBPduKexM=",
    )
    assert greeting in login_response.data

    # Drop the server session; only the remember-me cookie is left behind.
    delete_session_cookie(test_client)
    assert greeting in test_client.get("/").data
def test_remember_me_with_2fa_enabled(test_client, init_database):
    """A remember-me login that completed 2FA must outlive the session cookie.

    NOTE(review): this does not check that the remember-me cookie alone,
    before the OTP step, is insufficient to reach a greeting; worth adding
    once the expected pre-OTP response is pinned down.
    """
    user, password = "dave", "wselfknskjdksdaiujlj"

    sign_in(test_client, user, password)
    otp_token = enable_user_2fa(test_client)
    delete_session_cookie(test_client)

    # Password + current TOTP, with "remember me" requested.
    sign_in_remember(test_client, user, password)
    send_otp_code(test_client, pyotp.TOTP(otp_token).now())

    # Only the remember-me cookie remains after this.
    delete_session_cookie(test_client)
    assert b"Hello, dave" in test_client.get("/").data
def test_disable_2fa_fresh_session(test_client, init_database):
    """2FA can be deactivated directly from a freshly authenticated session."""
    user, password = "dave", "wselfknskjdksdaiujlj"

    sign_in(test_client, user, password)
    otp_token = enable_user_2fa(test_client)
    delete_session_cookie(test_client)

    # Full login (password + current TOTP) yields a fresh session.
    sign_in(test_client, user, password)
    send_otp_code(test_client, pyotp.TOTP(otp_token).now())
    assert b"Hello, dave" in test_client.get("/").data

    # No reauthentication prompt is expected on a fresh session.
    assert b"Deactivated 2FA" in deactivate_2fa(test_client).data
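def test_change_session_id(test_client, init_database):
    """Revoking a session must rotate the session id and reject the old one.

    Fix: the original extracted the old cookie value with
    ``split()[0].split("=")[1]``, which keeps the trailing ``;`` of the
    ``Set-Cookie`` attribute list. The replayed "old" cookie was therefore
    never a valid cookie, so the rejection assertion passed vacuously and the
    test did not actually prove that the server invalidates the pre-revocation
    session. The value is now parsed with ``http.cookies``.
    """
    from http.cookies import SimpleCookie

    response = sign_in_no_fr(test_client, "dave", "wselfknskjdksdaiujlj")

    # Parse every Set-Cookie header properly instead of splitting on spaces.
    jar = SimpleCookie()
    for header in response.headers.getlist("Set-Cookie"):
        jar.load(header)
    assert "session" in jar, "login response did not set the 'session' cookie"
    old_session = jar["session"].value
    assert old_session

    # Revoke: the client keeps whatever fresh cookie the server hands back.
    test_client.get("/auth/revoke")
    assert b"Hello, dave" in get_index(test_client).data

    # Replay the pre-revocation cookie on its own: it must no longer authenticate.
    delete_session_cookie(test_client)
    test_client.set_cookie(server_name="localhost", key="session", value=old_session)
    assert b"Hello, dave" not in get_index(test_client).data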
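def test_login_with_2fa_enabled(test_client, init_database):
    """With 2FA enabled, the password alone must not authenticate and only a
    current TOTP code may complete the login.

    Fix: the original submitted the stale/future codes right after deleting
    the session cookie, i.e. with no pending password login. Those requests
    were refused for the missing session, not for the code, so the
    "greeting absent" assertions proved nothing about TOTP validation. Each
    code is now submitted inside a fresh password-authenticated session. The
    dead commented-out assertion is replaced by an explanation of why the
    near-window codes are not asserted.
    """
    username, password = "dave", "wselfknskjdksdaiujlj"
    greeting = b"Hello, dave"

    sign_in(test_client, username, password)
    otp_token = enable_user_2fa(test_client)
    delete_session_cookie(test_client)

    # Password step only: a protected page must still bounce to the login page.
    sign_in(test_client, username, password)
    settings = test_client.get("/settings", follow_redirects=True)
    assert b"Please log in to access this page." in settings.data

    # The current code completes the login.
    twofa_response = send_otp_code(test_client, pyotp.TOTP(otp_token).now())
    assert greeting in twofa_response.data

    # A clearly stale code must be rejected even behind a valid password
    # session. (generate_otp_token_at(token, 71) is presumably "71 s back",
    # i.e. at least two TOTP steps old -- TODO confirm against the helper.)
    delete_session_cookie(test_client)
    sign_in(test_client, username, password)
    old_otp_code = generate_otp_token_at(otp_token, 71)
    assert greeting not in send_otp_code(test_client, old_otp_code).data

    # A code 37 s back may or may not still fall inside the server's accepted
    # drift window depending on when the test runs, so the request is made
    # but no outcome can be asserted until the accepted window is pinned.
    delete_session_cookie(test_client)
    sign_in(test_client, username, password)
    previous_otp_code = generate_otp_token_at(otp_token, 37)
    send_otp_code(test_client, previous_otp_code)

    # Same caveat for a code 23 s ahead of the clock.
    delete_session_cookie(test_client)
    sign_in(test_client, username, password)
    future_otp_code = pyotp.TOTP(otp_token).at(datetime.now() + timedelta(seconds=23))
    send_otp_code(test_client, future_otp_code)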
def test_disable_2fa_non_fresh_session(test_client, init_database):
    """Deactivating 2FA from a remember-me (non-fresh) session needs reauthentication."""
    user, password = "dave", "wselfknskjdksdaiujlj"
    reauth_prompt = (
        b"To protect your account, please reauthenticate to access this page."
    )

    sign_in(test_client, user, password)
    otp_token = enable_user_2fa(test_client)
    delete_session_cookie(test_client)

    # Full remember-me login: password + current TOTP.
    sign_in_remember(test_client, user, password)
    send_otp_code(test_client, pyotp.TOTP(otp_token).now())

    # Only the remember-me cookie remains: logged in, but not "fresh".
    delete_session_cookie(test_client)
    assert b"Hello, dave" in test_client.get("/").data

    first_attempt = deactivate_2fa(test_client)
    assert reauth_prompt in first_attempt.data

    # Re-entering the password refreshes the session; now the change is allowed.
    refresh_session(test_client, password)
    second_attempt = deactivate_2fa(test_client)
    assert b"Deactivated 2FA" in second_attempt.data
def test_bruteforce_otp_code(test_client, init_database):
    """Repeated wrong OTP codes must lock the 2FA step, even for a later valid code."""
    user, password = "dave", "wselfknskjdksdaiujlj"

    sign_in(test_client, user, password)
    otp_token = enable_user_2fa(test_client)
    delete_session_cookie(test_client)
    sign_in(test_client, user, password)

    # The first three wrong codes are merely rejected (200) ...
    for _attempt in range(3):
        assert send_otp_code(test_client, "invalid").status_code == 200
    # ... after that every further attempt is refused outright (401).
    for _attempt in range(5):
        assert send_otp_code(test_client, "invalid").status_code == 401

    # The lockout sticks: the genuinely current code is refused as well.
    current_code = pyotp.TOTP(otp_token).now()
    assert send_otp_code(test_client, current_code).status_code == 401
    assert b"Hello, dave" not in test_client.get("/", follow_redirects=True).data
def test_login_taken_username(test_client, init_database):
    """Signing in as an existing account with the wrong password yields the
    generic "Invalid username or password" error.

    The error text deliberately does not distinguish a wrong password from an
    unknown user; a more specific message would enable username enumeration.
    """
    delete_session_cookie(test_client)
    bad_login = sign_in(test_client, "straw_berry", "aabbccdd")
    assert b"Invalid username or password" in bad_login.data
def test_login_without_2fa(test_client, init_database):
    """A user without 2FA is greeted straight after a correct password.

    NOTE(review): the password literal below looks mangled by an email
    obfuscation step ("[email protected]"); confirm it matches the fixture
    password for ``straw_berry``.
    """
    delete_session_cookie(test_client)
    login_page = sign_in(test_client, "straw_berry", "[email protected]<")
    assert b"Hello, straw_berry" in login_page.data