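def test_session_fixation(self):
    """Ensure a new session identifier is issued once the stored session is gone.

    Signs in and records the ``session`` cookie value, deletes the server-side
    session stored under that identifier, signs in again and checks that the
    identifier in the new ``Set-Cookie`` header differs from the first one.
    A response that carries no ``session`` cookie fails the test instead of
    silently skipping the comparison, so this guard cannot pass vacuously.
    """
    def session_ids(response):
        """Return every ``session`` cookie value set by *response*, in header order."""
        ids = []
        for name, value in response.headers:
            if name == 'Set-Cookie':
                cookies = parse_cookie(value)
                if 'session' in cookies:
                    ids.append(cookies['session'])
        return ids

    user1 = create_account('user1', '*****@*****.**', 'Password')
    activate(user1)
    credentials = {'username': '******', 'password': '******'}

    resp = self.client.post(url_for('auth.signin'), data=credentials)
    first_ids = session_ids(resp)
    # Without a session cookie there is nothing to fixate on, and the
    # rs.delete() below would otherwise be handed None; fail loudly instead.
    self.assertTrue(first_ids, 'signin response did not set a session cookie')
    session_id = first_ids[-1]

    # Drop the server-side session so the client now presents a stale id.
    rs.delete(session_id)

    resp = self.client.post(url_for('auth.signin'), data=credentials)
    new_ids = session_ids(resp)
    self.assertTrue(new_ids, 'second signin response did not set a session cookie')
    # Every session cookie issued now must carry a fresh identifier.
    for new_id in new_ids:
        self.assertNotEqual(session_id, new_id)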
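def test_session_fixation(self):
    """Ensure a new session identifier is issued once the stored session is gone.

    Signs in, captures the ``session`` cookie, removes the server-side session
    keyed by that identifier, signs in again and verifies the identifier in
    the new ``Set-Cookie`` header has changed. Missing cookies are reported as
    failures so the check never passes merely because no header was found.
    """
    def session_ids(response):
        """Return the ``session`` cookie values set by *response*, in header order."""
        found = []
        for name, value in response.headers:
            if name != "Set-Cookie":
                continue
            cookies = parse_cookie(value)
            if "session" in cookies:
                found.append(cookies["session"])
        return found

    user1 = create_account("user1", "*****@*****.**", "Password")
    activate(user1)
    credentials = {"username": "******", "password": "******"}

    resp = self.client.post(url_for("auth.signin"), data=credentials)
    initial = session_ids(resp)
    # Guard against a vacuous run: no cookie means nothing to delete and
    # rs.delete() would otherwise receive None.
    self.assertTrue(initial, "signin response did not set a session cookie")
    session_id = initial[-1]

    # Remove the server-side session so the client's cookie is now stale.
    rs.delete(session_id)

    resp = self.client.post(url_for("auth.signin"), data=credentials)
    refreshed = session_ids(resp)
    self.assertTrue(refreshed, "second signin response did not set a session cookie")
    # Each session cookie issued after the deletion must use a new identifier.
    for new_id in refreshed:
        self.assertNotEqual(session_id, new_id)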
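def test_signin_signout(self):
    """Exercise the signin and signout endpoints end to end.

    Walks through the unauthenticated, unactivated, banned, authenticated and
    signed-out states and checks the status code and message each one yields.
    ``url_for`` is used throughout so the URIs can change without touching the
    test. The final section deletes the server-side session mid-visit and
    requires a fresh session identifier to be issued; a response without a
    ``session`` cookie fails that section instead of skipping it.
    """
    def session_ids(response):
        """Return every ``session`` cookie value set by *response*, in header order."""
        ids = []
        for name, value in response.headers:
            if name == 'Set-Cookie':
                cookies = parse_cookie(value)
                if 'session' in cookies:
                    ids.append(cookies['session'])
        return ids

    credentials = {'username': '******', 'password': '******'}

    # The signin page itself must be reachable.
    resp = self.client.get(url_for('auth.signin'))
    self.assertEqual(resp.status_code, 200)

    # No user exists yet, so authentication must fail with the generic
    # message (200 plus an error, not a redirect).
    resp = self.client.post(url_for('auth.signin'), data=credentials)
    self.assertEqual(resp.status_code, 200)
    self.assertIn('Invalid user name or password', resp.data)

    # Signing out while not signed in must not raise; it redirects to /signin.
    # Nothing else can be checked here because no message is flashed.
    resp = self.client.get(url_for('auth.signout'))
    self.assertEqual(resp.status_code, 302)

    # A freshly created but unactivated user cannot sign in.
    user1 = create_account('user1', '*****@*****.**', 'Password')
    resp = self.client.post(url_for('auth.signin'), data=credentials)
    self.assertEqual(resp.status_code, 200)
    self.assertIn('Please activate your account', resp.data)

    # Once activated, signin (with "keep signed in") redirects away.
    self.assertTrue(activate(user1))
    resp = self.client.post(url_for('auth.signin'), data={
        'username': '******',
        'password': '******',
        'keep_signed_in': True,
    })
    self.assertEqual(resp.status_code, 302)
    self.client.get(url_for('auth.signout'))

    # A banned user is shown the ban warning rather than signed in.
    self.assertTrue(ban(user1))
    resp = self.client.post(url_for('auth.signin'), data=credentials)
    self.assertEqual(resp.status_code, 200)
    self.assertIn('You\'re a very naughty boy!', resp.data)

    # Unban so the rest of the flow can proceed.
    self.assertTrue(ban(user1, False))

    # Active and unbanned: signing in lands on the feed.
    resp = self.client.post(url_for('auth.signin'), data=credentials,
                            follow_redirects=True)
    self.assertEqual(resp.status_code, 200)
    self.assertIn('<h1>Feed</h1>', resp.data)

    # Visiting signin while already signed in redirects away.
    resp = self.client.get(url_for('auth.signin'))
    self.assertEqual(resp.status_code, 302)

    # Signing out while signed in redirects to / and confirms it.
    resp = self.client.get(url_for('auth.signout'), follow_redirects=True)
    self.assertEqual(resp.status_code, 200)
    self.assertIn('Successfully signed out', resp.data)

    # Wrong password: generic error, no hint about which field was wrong.
    resp = self.client.post(url_for('auth.signin'), data=credentials,
                            follow_redirects=True)
    self.assertEqual(resp.status_code, 200)
    self.assertIn('Invalid user name or password', resp.data)

    # Unknown user: the same generic error, so accounts cannot be enumerated.
    resp = self.client.post(url_for('auth.signin'), data=credentials)
    self.assertEqual(resp.status_code, 200)
    self.assertIn('Invalid user name or password', resp.data)

    # A ban applied during an active session must sign the user out, not
    # only block the next signin.
    resp = self.client.post(url_for('auth.signin'), data=credentials,
                            follow_redirects=True)
    self.assertEqual(resp.status_code, 200)
    self.assertIn('<h1>Feed</h1>', resp.data)

    # Another authenticated view: the profile settings show our address.
    resp = self.client.get(url_for('users.settings_profile'))
    self.assertEqual(resp.status_code, 200)
    self.assertIn('*****@*****.**', resp.data)

    self.assertTrue(ban(user1))
    # The feed now redirects to signin with the standard ban message.
    resp = self.client.get(url_for('users.feed'), follow_redirects=True)
    self.assertEqual(resp.status_code, 200)
    self.assertIn('You\'re a very naughty boy!', resp.data)

    # Empty form (form.validate() == False branch) for coverage.
    resp = self.client.post(url_for('auth.signin'), data={
        'username': '',
        'password': '',
    }, follow_redirects=True)
    self.assertEqual(resp.status_code, 200)
    self.assertIn('Invalid user name or password', resp.data)

    # Sign in as user1, then remove the server-side session part way through.
    resp = self.client.post(url_for('auth.signin'), data=credentials,
                            follow_redirects=True)
    self.assertEqual(resp.status_code, 200)
    ids_before = session_ids(resp)
    # Without a session cookie there is nothing to delete and rs.delete()
    # would be handed None, so fail loudly instead of passing vacuously.
    self.assertTrue(ids_before, 'signin response did not set a session cookie')
    session_id = ids_before[-1]
    rs.delete(session_id)

    # The stale cookie must no longer authenticate the client.
    resp = self.client.get(url_for('users.profile', username='******'),
                           follow_redirects=True)
    self.assertIn('You need to be logged in to view that', resp.data)

    # And the session identifier handed back must be a new one.
    ids_after = session_ids(resp)
    self.assertTrue(ids_after, 'response after session deletion set no session cookie')
    for new_id in ids_after:
        self.assertNotEqual(session_id, new_id)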