def test_register_with_same_deviceid_twice_fails():
unauthed_user = ScreenshotsClient()
resp = unauthed_user.session.post(
urljoin(unauthed_user.backend, "/api/register"),
data=dict(deviceId=unauthed_user.deviceId,
secret=unauthed_user.secret,
deviceInfo=json.dumps(unauthed_user.deviceInfo)))
print resp.text
assert resp.status_code == 200
# registering twice as same user should fail
resp = unauthed_user.session.post(
urljoin(unauthed_user.backend, "/api/register"),
data=dict(deviceId=unauthed_user.deviceId,
secret=unauthed_user.secret,
deviceInfo=json.dumps(unauthed_user.deviceInfo)))
print resp.text
assert resp.status_code == 401 # user exists
unauthed_user.delete_account()
# registering as second user should fail
second_unauthed_user = ScreenshotsClient()
resp = second_unauthed_user.session.post(
urljoin(second_unauthed_user.backend, "/api/register"),
data=dict(deviceId=unauthed_user.deviceId,
secret=second_unauthed_user.secret,
deviceInfo=json.dumps(second_unauthed_user.deviceInfo)))
print resp.text
assert resp.status_code == 401 # user exists
def test_register_with_same_deviceid_twice_fails():
unauthed_user = ScreenshotsClient()
resp = unauthed_user.session.post(
urljoin(unauthed_user.backend, "/api/register"),
data=dict(deviceId=unauthed_user.deviceId,
secret=unauthed_user.secret,
deviceInfo=json.dumps(unauthed_user.deviceInfo)))
print resp.text
assert resp.status_code == 200
# registering twice as same user should fail
resp = unauthed_user.session.post(
urljoin(unauthed_user.backend, "/api/register"),
data=dict(deviceId=unauthed_user.deviceId,
secret=unauthed_user.secret,
deviceInfo=json.dumps(unauthed_user.deviceInfo)))
print resp.text
assert resp.status_code == 401 # user exists
unauthed_user.delete_account()
# registering as second user should fail
second_unauthed_user = ScreenshotsClient()
resp = second_unauthed_user.session.post(
urljoin(second_unauthed_user.backend, "/api/register"),
data=dict(deviceId=unauthed_user.deviceId,
secret=second_unauthed_user.secret,
deviceInfo=json.dumps(second_unauthed_user.deviceInfo)))
print resp.text
assert resp.status_code == 401 # user exists
def test_my_shots_page():
with screenshots_session() as user:
user.read_my_shots()
# e.g. direct navigation to /shots in private window
unauthed_user = ScreenshotsClient()
response = unauthed_user.get_uri("/shots")
response.raise_for_status()
def test_my_shots_page():
with screenshots_session() as user:
user.read_my_shots()
# e.g. direct navigation to /shots in private window
unauthed_user = ScreenshotsClient()
response = unauthed_user.get_uri("/shots")
response.raise_for_status()
def test_register_without_deviceinfo_ok():
unauthed_user = ScreenshotsClient()
resp = unauthed_user.session.post(
urljoin(unauthed_user.backend, "/api/register"),
data=dict(deviceId=unauthed_user.deviceId,
secret=unauthed_user.secret))
print resp.text
assert resp.status_code == 200
unauthed_user.delete_account()
def test_register_without_deviceinfo_ok():
unauthed_user = ScreenshotsClient()
resp = unauthed_user.session.post(
urljoin(unauthed_user.backend, "/api/register"),
data=dict(deviceId=unauthed_user.deviceId,
secret=unauthed_user.secret))
print resp.text
assert resp.status_code == 200
unauthed_user.delete_account()
def test_set_login_cookie():
sess1 = ScreenshotsClient()
login_resp = sess1.login()
headers = {'x-screenshots-auth': login_resp.json()['authHeader']}
assert sess1.session.cookies['user'] and sess1.session.cookies['user.sig']
sess2 = ScreenshotsClient()
# Trying to login without any authentication won't work:
resp = sess2.session.post(sess2.backend + "/api/set-login-cookie")
assert resp.status_code == 401
assert not sess2.session.cookies.get('user')
resp = sess2.session.post(sess2.backend + "/api/set-login-cookie", headers=headers)
assert resp.status_code == 200
assert sess2.session.cookies['user'] and sess2.session.cookies['user.sig']
def test_set_login_cookie():
sess1 = ScreenshotsClient()
login_resp = sess1.login()
headers = {'x-screenshots-auth': login_resp.json()['authHeader']}
assert sess1.session.cookies['user'] and sess1.session.cookies['user.sig']
sess2 = ScreenshotsClient()
# Trying to login without any authentication won't work:
resp = sess2.session.post(sess2.backend + "/api/set-login-cookie")
assert resp.status_code == 401
assert not sess2.session.cookies.get('user')
resp = sess2.session.post(sess2.backend + "/api/set-login-cookie",
headers=headers)
assert resp.status_code == 200
assert sess2.session.cookies['user'] and sess2.session.cookies['user.sig']
def test_owned_shot_ui_with_fxa_auth():
setup_session = setup_shot_on_device()
shot_url = setup_session['shot_url']
browser_only_user = ScreenshotsBase()
# Use setup user accountId to login to a browser only session
result = browser_only_user.login(setup_session['user'].accountId)
assert setup_session['user'].deviceId == result[
'deviceid'], "Associated deviceId should match"
unauth_user = ScreenshotsClient()
copy_element = r'<img src="/static/img/icon-copy.svg[^"]*'
copy_match = match_shot_ui_element(browser_only_user, shot_url,
copy_element)
assert copy_match, "Copy button is visible"
copy_match = match_shot_ui_element(unauth_user, shot_url, copy_element)
assert copy_match is None, "Copy button is not visible"
edit_element = r'<img src="/static/img/icon-pen.svg[^"]*'
edit_match = match_shot_ui_element(browser_only_user, shot_url,
edit_element)
assert edit_match, "Edit button is visible"
edit_match = match_shot_ui_element(unauth_user, shot_url, edit_element)
assert edit_match is None, "Edit button is not visible"
setup_session['user'].delete_account()
def test_update():
user = ScreenshotsClient()
user.login()
shot_url = user.create_shot(docTitle="A_TEST_SITE_1", image_index=0)
shot_page = user.read_shot(shot_url)
assert "A_TEST_SITE_1" in shot_page["page"]
shot_id = urlparse.urlsplit(shot_url).path.strip("/")
user.create_shot(shot_id=shot_id, docTitle="A_TEST_SITE_2", image_index=1)
later_shot_page = user.read_shot(shot_url)
assert "A_TEST_SITE_2" in later_shot_page["page"]
assert later_shot_page["clip_content"]
assert later_shot_page["clip_content"] != shot_page["clip_content"]
assert later_shot_page["clip_url"] != shot_page["clip_url"]
def test_leave_screenshots_clears_csrf_cookie():
user = ScreenshotsClient()
user.login()
leave_resp = user.session.get(user.backend + "/leave-screenshots/")
assert leave_resp.status_code == 200
assert_httponly_csrf_cookie(user.session)
page = leave_resp.text
csrf_match = re.search(r'<input.*name="_csrf".*value="([^"]*)"', page)
csrf = csrf_match.group(1)
first_csrf_cookie = user.session.cookies.get('_csrf')
resp = user.session.post(urljoin(user.backend, "/leave-screenshots/leave"),
json={"_csrf": csrf})
assert resp.status_code == 200
assert first_csrf_cookie != user.session.cookies.get('_csrf')
def test_register_without_secret_fails():
unauthed_user = ScreenshotsClient()
resp = unauthed_user.session.post(
urljoin(unauthed_user.backend, "/api/register"),
data=dict(deviceId=unauthed_user.deviceId,
deviceInfo=json.dumps(unauthed_user.deviceInfo)))
print resp.text
assert resp.status_code == 400
def test_register_without_deviceid_fails():
unauthed_user = ScreenshotsClient()
resp = unauthed_user.session.post(
urljoin(unauthed_user.backend, "/api/register"),
data=dict(deviceId='',
secret=unauthed_user.secret,
deviceInfo=json.dumps(unauthed_user.deviceInfo)))
assert resp.status_code == 400, "register without device id worked"
def test_put_large_image():
user = ScreenshotsClient()
user.login()
try:
try:
user.create_shot(pad_image_to_length=100 * 1000 * 1000)
except HTTPError, e:
if e.response.status_code != 413:
raise
finally:
user.delete_account()
def test_bad_id():
user = ScreenshotsClient()
user.login()
try:
try:
user.create_shot(shot_id="!!!/test.com")
except HTTPError, e:
if e.response.status_code != 400:
raise
finally:
user.delete_account()
def test_leave_screenshots_clears_csrf_cookie():
user = ScreenshotsClient()
user.login()
leave_resp = user.session.get(user.backend + "/leave-screenshots/")
assert leave_resp.status_code == 200
assert_httponly_csrf_cookie(user.session)
page = leave_resp.text
csrf_match = re.search(r'<input.*name="_csrf".*value="([^"]*)"', page)
csrf = csrf_match.group(1)
first_csrf_cookie = user.session.cookies.get('_csrf')
resp = user.session.post(
urljoin(user.backend, "/leave-screenshots/leave"),
json={"_csrf": csrf})
assert resp.status_code == 200
assert first_csrf_cookie != user.session.cookies.get('_csrf')
def test_login_with_invalid_headers():
# might belong in test_auth.py instead
unauthed_user = ScreenshotsClient()
resp = unauthed_user.session.post(
urljoin(unauthed_user.backend, "/api/login"),
headers=dict(origin="https://localhost:8080"),
data=dict(secret=unauthed_user.secret,
deviceInfo=json.dumps(unauthed_user.deviceInfo)))
print resp.text
assert resp.status_code == 403 # Invalid CSRF Headers
def test_update():
user = ScreenshotsClient()
user.login()
shot_url = user.create_shot(docTitle="A_TEST_SITE_1", image_index=0)
shot_page = user.read_shot(shot_url)
assert "A_TEST_SITE_1" in shot_page["page"]
shot_id = urlparse.urlsplit(shot_url).path.strip("/")
user.create_shot(shot_id=shot_id, docTitle="A_TEST_SITE_2", image_index=1)
later_shot_page = user.read_shot(shot_url)
assert "A_TEST_SITE_2" in later_shot_page["page"]
assert later_shot_page["clip_content"]
assert later_shot_page["clip_content"] != shot_page["clip_content"]
assert later_shot_page["clip_url"] != shot_page["clip_url"]
def test_register_with_invalid_headers():
# might belong in test_auth.py instead
unauthed_user = ScreenshotsClient()
resp = unauthed_user.session.post(
urljoin(unauthed_user.backend, "/api/register"),
headers=dict(referer="https://localhost:8080/1Zv4srJfp50f5LaJ/localhost"),
data=dict(deviceId=unauthed_user.deviceId,
secret=unauthed_user.secret,
deviceInfo=json.dumps(unauthed_user.deviceInfo)))
print resp.text
assert resp.status_code == 403 # Invalid CSRF Headers
def test_creating_page():
with screenshots_session() as user:
shot_url = user.create_shot(docTitle="A_TEST_SITE_1", image_index=0)
shot_id = urlparse.urlsplit(shot_url).path.strip("/")
resp = user.get_uri("/creating/" + shot_id)
assert resp.status_code == 200
unauthed_user = ScreenshotsClient()
resp = requests.get(urljoin(unauthed_user.backend, "/creating/") + shot_id)
assert resp.status_code == 200
def test_put_large_image():
user = ScreenshotsClient()
user.login()
try:
try:
user.create_shot(pad_image_to_length=100 * 1000 * 1000)
except HTTPError, e:
if e.response.status_code != 413:
raise
finally:
user.delete_account()
def test_bad_id():
user = ScreenshotsClient()
user.login()
try:
try:
user.create_shot(shot_id="!!!/test.com")
except HTTPError, e:
if e.response.status_code != 400:
raise
finally:
user.delete_account()
def test_scopes():
user = ScreenshotsClient()
user.login()
abtests = user.session.cookies["abtests"]
abtests_sig = user.session.cookies["abtests.sig"]
print(abtests, abtests_sig)
shot = user.create_shot(docTitle="A_TEST_SITE")
page = user.read_shot(shot)
download_url = page["download_url"]
resp = user.session.get(download_url)
assert resp.headers.get("Content-Disposition")
mixed_up = "%s?download=%s&sig=%s" % (
download_url.split("?")[0],
urllib.quote(abtests),
urllib.quote(abtests_sig),
)
resp = user.session.get(mixed_up)
assert not resp.headers.get("Content-Disposition")
def test_download_key():
user = ScreenshotsClient()
user.login()
shot_1_url = user.create_shot(docTitle="A_TEST_SITE_1")
shot_2_url = user.create_shot(docTitle="A_TEST_SITE_2")
shot_1_page = user.read_shot(shot_1_url)
shot_2_page = user.read_shot(shot_2_url)
shot_1_download_url = shot_1_page["download_url"]
shot_2_download_url = shot_2_page["download_url"]
resp = user.session.get(shot_1_download_url)
# This should normally work:
print("Normal download URL:", shot_1_download_url)
assert resp.headers["Content-Disposition"], "Should get a proper download response"
mixed_up = shot_1_download_url.split("?")[0] + "?" + shot_2_download_url.split("?")[1]
# Getting mixed_up should fail, since the signed download parameter comes from shot_2
# but we're fetching the image from shot_1
resp = user.session.get(mixed_up)
print("Mixed-up URL:", mixed_up)
print("Response:", resp)
print("Content-Disposition header:", resp.headers.get("Content-Disposition"))
assert not resp.headers.get("Content-Disposition"), "The signature shouldn't work"
def test_dunder_version():
unauthed_user = ScreenshotsClient()
response = unauthed_user.get_uri("/__version__")
response.raise_for_status()
def test_contribute_json():
unauthed_user = ScreenshotsClient()
response = unauthed_user.get_uri("/contribute.json")
if response.status_code != 200:
response.raise_for_status()
def setup_shot_on_device():
user = ScreenshotsClient(hasAccount=True)
user.login()
shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
return {'user': user, 'shot_url': shot_url}
def test_put_auth():
first_user = ScreenshotsClient()
second_user = ScreenshotsClient()
first_user.login()
second_user.login()
shot_url = first_user.create_shot(docTitle="A_TEST_SITE_1")
shot_id = urlparse.urlsplit(shot_url).path.strip("/")
shot_page = first_user.read_shot(shot_url)
print(first_user.read_shot(shot_url)["clip_url"], shot_page["clip_url"])
assert first_user.read_shot(shot_url)["clip_content"] == shot_page["clip_content"]
assert "A_TEST_SITE_1" in shot_page["page"]
try:
second_user.create_shot(shot_id=shot_id, docTitle="A_TEST_SITE_2")
except requests.HTTPError as e:
if e.response.status_code != 403:
raise
else:
assert False, "Second attempt to upload should have failed"
second_shot_page = first_user.read_shot(shot_url)
assert "A_TEST_SITE_1" in second_shot_page["page"]
assert "A_TEST_SITE_2" not in second_shot_page["page"]
assert shot_page["clip_url"] == second_shot_page["clip_url"]
assert shot_page["clip_content"] == second_shot_page["clip_content"]
def setup_shot_on_device():
user = ScreenshotsClient()
user.login()
shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
return {'user': user, 'shot_url': shot_url}
def test_404_page():
unauthed_user = ScreenshotsClient()
response = unauthed_user.get_uri("/404")
if response.status_code != 404:
response.raise_for_status()
def test_put_auth():
first_user = ScreenshotsClient()
second_user = ScreenshotsClient()
first_user.login()
second_user.login()
shot_url = first_user.create_shot(docTitle="A_TEST_SITE_1")
shot_id = urlparse.urlsplit(shot_url).path.strip("/")
shot_page = first_user.read_shot(shot_url)
print(first_user.read_shot(shot_url)["clip_url"], shot_page["clip_url"])
assert first_user.read_shot(
shot_url)["clip_content"] == shot_page["clip_content"]
assert "A_TEST_SITE_1" in shot_page["page"]
try:
second_user.create_shot(shot_id=shot_id, docTitle="A_TEST_SITE_2")
except requests.HTTPError as e:
if e.response.status_code != 403:
raise
else:
assert False, "Second attempt to upload should have failed"
second_shot_page = first_user.read_shot(shot_url)
assert "A_TEST_SITE_1" in second_shot_page["page"]
assert "A_TEST_SITE_2" not in second_shot_page["page"]
assert shot_page["clip_url"] == second_shot_page["clip_url"]
assert shot_page["clip_content"] == second_shot_page["clip_content"]
def test_dunder_version():
unauthed_user = ScreenshotsClient()
response = unauthed_user.get_uri("/__version__")
response.raise_for_status()
def test_heartbeat():
unauthed_user = ScreenshotsClient()
response = unauthed_user.get_uri("/__heartbeat__")
response.raise_for_status()
def test_404_page():
unauthed_user = ScreenshotsClient()
response = unauthed_user.get_uri("/404")
if response.status_code != 404:
response.raise_for_status()
def test_contribute_json():
unauthed_user = ScreenshotsClient()
response = unauthed_user.get_uri("/contribute.json")
if response.status_code != 200:
response.raise_for_status()
def test_heartbeat():
unauthed_user = ScreenshotsClient()
response = unauthed_user.get_uri("/__heartbeat__")
response.raise_for_status()
def test_landing_page():
unauthed_user = ScreenshotsClient()
resp = unauthed_user.get_uri("/")
assert resp.status_code == 200
def test_metrics_page():
unauthed_user = ScreenshotsClient()
resp = requests.get(urljoin(unauthed_user.backend, "/metrics"))
assert resp.status_code == 200
def test_settings_page_requires_auth():
user = ScreenshotsClient()
resp = requests.get(urljoin(user.backend, "/settings"))
assert resp.url == user.backend + "/"
def test_landing_page():
unauthed_user = ScreenshotsClient()
resp = unauthed_user.get_uri("/")
assert resp.status_code == 200
