def test_passwordInsecure_WeasylError_if_password_length_insufficient(): user_id = db_utils.create_user(email_addr=email_addr, username=user_name) password = '' # Considered insecure... for i in range(0, login._PASSWORD): with pytest.raises(WeasylError) as err: resetpassword.reset( token=token, password=password, passcheck=password, expect_userid=user_id, address=None, ) assert 'passwordInsecure' == err.value.value password += 'a' # Considered secure... password += 'a' # Success at WeasylError/forgotpasswordRecordMissing; we didn't make one yet with pytest.raises(WeasylError) as err: resetpassword.reset( token=token, password=password, passcheck=password, expect_userid=user_id, address=None, ) assert 'forgotpasswordRecordMissing' == err.value.value
def test_passwordInsecure_WeasylError_if_password_length_insufficient(): db_utils.create_user(email_addr=email_addr, username=user_name) password = '' form = Bag(email=email_addr, username=user_name, day=arrow.now().day, month=arrow.now().month, year=arrow.now().year, token=token, password=password, passcheck=password) # Considered insecure... for i in range(0, login._PASSWORD): with pytest.raises(WeasylError) as err: resetpassword.reset(form) assert 'passwordInsecure' == err.value.value password += 'a' form.password = password form.passcheck = password # Considered secure... password += 'a' form.password = password form.passcheck = password # Success at WeasylError/forgotpasswordRecordMissing; we didn't make one yet with pytest.raises(WeasylError) as err: resetpassword.reset(form) assert 'forgotpasswordRecordMissing' == err.value.value
def test_emailIncorrect_WeasylError_if_email_address_doesnt_match_stored_email( ): # Two parts: Set forgot password record; attempt reset with incorrect email # Requirement: Get token set from request() user_id = db_utils.create_user(email_addr=email_addr, username=user_name) password = '******' form_for_request = Bag(email=email_addr, username=user_name, day=arrow.now().day, month=arrow.now().month, year=arrow.now().year) resetpassword.request(form_for_request) pw_reset_token = d.engine.scalar( "SELECT token FROM forgotpassword WHERE userid = %(id)s", id=user_id) # Force update link_time (required) resetpassword.prepare(pw_reset_token) email_addr_mismatch = "*****@*****.**" form_for_reset = Bag(email=email_addr_mismatch, username=user_name, day=arrow.now().day, month=arrow.now().month, year=arrow.now().year, token=pw_reset_token, password=password, passcheck=password) with pytest.raises(WeasylError) as err: resetpassword.reset(form_for_reset) assert 'emailIncorrect' == err.value.value
def test_password_reset_fails_if_attempted_from_different_ip_address(): # Two parts: Set forgot password record; attempt reset with incorrect IP Address in forgotpassword table vs. requesting IP # Requirement: Get token set from request() user_id = db_utils.create_user(email_addr=email_addr, username=user_name) password = '******' form_for_request = Bag(email=email_addr, username=user_name, day=arrow.now().day, month=arrow.now().month, year=arrow.now().year) resetpassword.request(form_for_request) pw_reset_token = d.engine.scalar( "SELECT token FROM forgotpassword WHERE userid = %(id)s", id=user_id) # Change IP detected when request was made (required for test) d.engine.execute( "UPDATE forgotpassword SET address = %(addr)s WHERE token = %(token)s", addr="127.42.42.42", token=pw_reset_token) # Force update link_time (required) resetpassword.prepare(pw_reset_token) form_for_reset = Bag(email=email_addr, username=user_name, day=arrow.now().day, month=arrow.now().month, year=arrow.now().year, token=pw_reset_token, password=password, passcheck=password) with pytest.raises(WeasylError) as err: resetpassword.reset(form_for_reset) assert 'addressInvalid' == err.value.value
def test_verify_success_if_correct_information_supplied(): # Subtests: # a) Verify 'authbcrypt' table has new hash # b) Verify 'forgotpassword' row is removed. # > Requirement: Get token set from request() user_id = db_utils.create_user(email_addr=email_addr, username=user_name) password = '******' form_for_request = Bag(email=email_addr, username=user_name, day=arrow.now().day, month=arrow.now().month, year=arrow.now().year) resetpassword.request(form_for_request) pw_reset_token = d.engine.scalar( "SELECT token FROM forgotpassword WHERE userid = %(id)s", id=user_id) # Force update link_time (required) resetpassword.prepare(pw_reset_token) form = Bag(email=email_addr, username=user_name, day=arrow.now().day, month=arrow.now().month, year=arrow.now().year, token=pw_reset_token, password=password, passcheck=password) resetpassword.reset(form) # 'forgotpassword' row should not exist after a successful reset row_does_not_exist = d.engine.execute( "SELECT token FROM forgotpassword WHERE userid = %(id)s", id=user_id) assert row_does_not_exist.first() is None bcrypt_hash = d.engine.scalar( "SELECT hashsum FROM authbcrypt WHERE userid = %(id)s", id=user_id) assert bcrypt.checkpw(password.encode('utf-8'), bcrypt_hash.encode('utf-8'))
def POST(self): form = web.input(token="", username="", email="", day="", month="", year="", password="", passcheck="") resetpassword.reset(form) return define.errorpage( self.user_id, "**Success!** Your password has been reset and you may now sign in to your account.", [["Sign In", "/signin"], ["Return to the Home Page", "/index"]])
def resetpassword_post_(request): form = request.web_input(token="", username="", email="", day="", month="", year="", password="", passcheck="") resetpassword.reset(form) return Response(define.errorpage( request.userid, "**Success!** Your password has been reset and you may now sign in to your account.", [["Sign In", "/signin"], ["Return to the Home Page", "/"]]))
def test_passwordMismatch_WeasylError_if_supplied_passwords_dont_match(): db_utils.create_user(email_addr=email_addr, username=user_name) form = Bag(email=email_addr, username=user_name, day=arrow.now().day, month=arrow.now().month, year=arrow.now().year, token=token, password='******', passcheck='asd') with pytest.raises(WeasylError) as err: resetpassword.reset(form) assert 'passwordMismatch' == err.value.value
def test_forgotpasswordRecordMissing_WeasylError_if_reset_record_not_found(): db_utils.create_user(email_addr=email_addr, username=user_name) password = '******' form = Bag(email=email_addr, username=user_name, day=arrow.now().day, month=arrow.now().month, year=arrow.now().year, token=token, password=password, passcheck=password) # Technically we did this in the above test, but for completeness, target it alone with pytest.raises(WeasylError) as err: resetpassword.reset(form) assert 'forgotpasswordRecordMissing' == err.value.value
def test_passwordMismatch_WeasylError_if_supplied_passwords_dont_match(): user_id = db_utils.create_user(email_addr=email_addr, username=user_name) with pytest.raises(WeasylError) as err: resetpassword.reset( token=token, password='******', passcheck='asd', expect_userid=user_id, address=None, ) assert 'passwordMismatch' == err.value.value
def resetpassword_post_(request): form = request.web_input(token="", username="", email="", day="", month="", year="", password="", passcheck="") resetpassword.reset(form) # Invalidate all other user sessions for this user. profile.invalidate_other_sessions(request.userid) return Response(define.errorpage( request.userid, "**Success!** Your password has been reset and you may now sign in to your account.", [["Sign In", "/signin"], ["Return to the Home Page", "/"]]))
def test_forgotpasswordRecordMissing_WeasylError_if_reset_record_not_found(): user_id = db_utils.create_user(email_addr=email_addr, username=user_name) password = '******' # Technically we did this in the above test, but for completeness, target it alone with pytest.raises(WeasylError) as err: resetpassword.reset( token=token, password=password, passcheck=password, expect_userid=user_id, address=None, ) assert 'forgotpasswordRecordMissing' == err.value.value
def test_passwordMismatch_WeasylError_if_supplied_passwords_dont_match(): db_utils.create_user(email_addr=email_addr, username=user_name) form = Bag(email=email_addr, username=user_name, day=arrow.now().day, month=arrow.now().month, year=arrow.now().year, token=token, password='******', passcheck='asd') with pytest.raises(WeasylError) as err: resetpassword.reset(form) assert 'passwordMismatch' == err.value.value
def test_forgotpasswordRecordMissing_WeasylError_if_reset_record_not_found(): db_utils.create_user(email_addr=email_addr, username=user_name) password = '******' form = Bag(email=email_addr, username=user_name, day=arrow.now().day, month=arrow.now().month, year=arrow.now().year, token=token, password=password, passcheck=password) # Technically we did this in the above test, but for completeness, target it alone with pytest.raises(WeasylError) as err: resetpassword.reset(form) assert 'forgotpasswordRecordMissing' == err.value.value
def POST(self): form = web.input(token="", username="", email="", day="", month="", year="", password="", passcheck="") resetpassword.reset(form) return define.errorpage( self.user_id, "**Success!** Your password has been reset and you may now sign in to your account.", [["Sign In", "/signin"], ["Return to the Home Page", "/index"]])
def test_emailIncorrect_WeasylError_if_username_doesnt_match_stored_username(): # Two parts: Set forgot password record; attempt reset with incorrect username # Requirement: Get token set from request() user_id = db_utils.create_user(email_addr=email_addr, username=user_name) password = '******' form_for_request = Bag(email=email_addr, username=user_name, day=arrow.now().day, month=arrow.now().month, year=arrow.now().year) resetpassword.request(form_for_request) pw_reset_token = d.engine.scalar("SELECT token FROM forgotpassword WHERE userid = %(id)s", id=user_id) # Force update link_time (required) resetpassword.prepare(pw_reset_token) user_name_mismatch = "nottheaccountname123" form_for_reset = Bag(email=email_addr, username=user_name_mismatch, day=arrow.now().day, month=arrow.now().month, year=arrow.now().year, token=pw_reset_token, password=password, passcheck=password) with pytest.raises(WeasylError) as err: resetpassword.reset(form_for_reset) assert 'usernameIncorrect' == err.value.value
def resetpassword_post_(request): expect_userid = int(request.POST['userid']) resetpassword.reset( token=request.POST['token'], password=request.POST['password'], passcheck=request.POST['passcheck'], expect_userid=expect_userid, address=request.client_addr, ) # Invalidate user sessions for this user. profile.invalidate_other_sessions(expect_userid) return Response(define.errorpage( request.userid, "**Success!** Your password has been reset and you may now sign in to your account.", [["Sign In", "/signin"], ["Return to the Home Page", "/"]]))
def test_password_reset_fails_if_attempted_from_different_ip_address(): # Two parts: Set forgot password record; attempt reset with incorrect IP Address in forgotpassword table vs. requesting IP # Requirement: Get token set from request() user_id = db_utils.create_user(email_addr=email_addr, username=user_name) password = '******' form_for_request = Bag(email=email_addr, username=user_name, day=arrow.now().day, month=arrow.now().month, year=arrow.now().year) resetpassword.request(form_for_request) pw_reset_token = d.engine.scalar("SELECT token FROM forgotpassword WHERE userid = %(id)s", id=user_id) # Change IP detected when request was made (required for test) d.engine.execute("UPDATE forgotpassword SET address = %(addr)s WHERE token = %(token)s", addr="127.42.42.42", token=pw_reset_token) # Force update link_time (required) resetpassword.prepare(pw_reset_token) form_for_reset = Bag(email=email_addr, username=user_name, day=arrow.now().day, month=arrow.now().month, year=arrow.now().year, token=pw_reset_token, password=password, passcheck=password) with pytest.raises(WeasylError) as err: resetpassword.reset(form_for_reset) assert 'addressInvalid' == err.value.value
def test_passwordInsecure_WeasylError_if_password_length_insufficient(): db_utils.create_user(email_addr=email_addr, username=user_name) password = '' form = Bag(email=email_addr, username=user_name, day=arrow.now().day, month=arrow.now().month, year=arrow.now().year, token=token, password=password, passcheck=password) # Considered insecure... for i in range(0, login._PASSWORD): with pytest.raises(WeasylError) as err: resetpassword.reset(form) assert 'passwordInsecure' == err.value.value password += 'a' form.password = password form.passcheck = password # Considered secure... password += 'a' form.password = password form.passcheck = password # Success at WeasylError/forgotpasswordRecordMissing; we didn't make one yet with pytest.raises(WeasylError) as err: resetpassword.reset(form) assert 'forgotpasswordRecordMissing' == err.value.value
def test_verify_success_if_correct_information_supplied(): # Subtests: # a) Verify 'authbcrypt' table has new hash # b) Verify 'forgotpassword' row is removed. # > Requirement: Get token set from request() user_id = db_utils.create_user(email_addr=email_addr, username=user_name) password = '******' form_for_request = Bag(email=email_addr, username=user_name, day=arrow.now().day, month=arrow.now().month, year=arrow.now().year) resetpassword.request(form_for_request) pw_reset_token = d.engine.scalar("SELECT token FROM forgotpassword WHERE userid = %(id)s", id=user_id) # Force update link_time (required) resetpassword.prepare(pw_reset_token) form = Bag(email=email_addr, username=user_name, day=arrow.now().day, month=arrow.now().month, year=arrow.now().year, token=pw_reset_token, password=password, passcheck=password) resetpassword.reset(form) # 'forgotpassword' row should not exist after a successful reset row_does_not_exist = d.engine.execute("SELECT token FROM forgotpassword WHERE userid = %(id)s", id=user_id) assert row_does_not_exist.first() is None bcrypt_hash = d.engine.scalar("SELECT hashsum FROM authbcrypt WHERE userid = %(id)s", id=user_id) assert bcrypt.checkpw(password.encode('utf-8'), bcrypt_hash.encode('utf-8'))
def test_verify_success_if_correct_information_supplied(captured_tokens): # Subtests: # a) Verify 'authbcrypt' table has new hash # b) Verify 'forgotpassword' row is removed. # > Requirement: Get token set from request() user_id = db_utils.create_user(email_addr=email_addr, username=user_name) password = '******' resetpassword.request(email=email_addr) pw_reset_token = captured_tokens[email_addr] resetpassword.reset( token=pw_reset_token, password=password, passcheck=password, expect_userid=user_id, address=None, ) # 'forgotpassword' row should not exist after a successful reset record_count = d.engine.scalar("SELECT count(*) FROM forgotpassword") assert record_count == 0 bcrypt_hash = d.engine.scalar( "SELECT hashsum FROM authbcrypt WHERE userid = %(id)s", id=user_id) assert bcrypt.checkpw(password.encode('utf-8'), bcrypt_hash.encode('utf-8'))