def test_sign_jwt_with_another_secret(self): api_key = baker.make( 'ievv_api_key.ScopedApiKey', base_jwt_payload={ 'scope': ['read', 'write'] } ) backend = ApiKeyBackend() jwt = backend.encode(base_payload={ **api_key.base_jwt_payload, 'api_key_id': api_key.id }) decoded = backend.decode(jwt) new_jwt = py_jwt.encode(payload=decoded, key='asdxxxxxxxxxxxxxxxxxxxxxxxxxxx') with self.assertRaisesMessage(JWTBackendError, 'Token is invalid or expired'): backend.decode(new_jwt, verify=True)
def test_token_has_expired(self): with self.settings(IEVV_JWT={ 'default': { 'ACCESS_TOKEN_LIFETIME': timezone.timedelta(minutes=0), } }): with mock.patch( 'ievv_auth.ievv_jwt.backends.api_key_backend.ApiKeyBackend.access_token_expiration', new_callable=PropertyMock, return_value=timezone.now() - timezone.timedelta(days=1)): api_key = baker.make( 'ievv_api_key.ScopedApiKey', base_jwt_payload={ 'scope': ['read', 'write'] } ) backend = ApiKeyBackend() jwt = backend.encode(base_payload={ **api_key.base_jwt_payload, 'api_key_id': api_key.id }) with self.assertRaisesMessage(JWTBackendError, 'Token is invalid or expired'): backend.decode(jwt, verify=True)
def test_verify_intercepted_payload_added_additional_scope(self): api_key = baker.make( 'ievv_api_key.ScopedApiKey', base_jwt_payload={ 'scope': ['read', 'write'] } ) backend = ApiKeyBackend() jwt = backend.encode(base_payload={ **api_key.base_jwt_payload, 'api_key_id': api_key.id }) [header, _, secret] = jwt.split('.') decoded = backend.decode(jwt) decoded['scope'] = 'admin' payload = base64.urlsafe_b64encode( json.dumps( decoded, separators=(',', ':') ).encode('utf-8') ).decode('utf-8') new_jwt = f'{header}.{payload}.{secret}' with self.assertRaisesMessage(JWTBackendError, 'Token is invalid or expired'): backend.decode(new_jwt, verify=True)
def test_verify_intercepted_payload_extend_expiration(self): api_key = baker.make( 'ievv_api_key.ScopedApiKey', base_jwt_payload={ 'scope': ['read', 'write'] } ) backend = ApiKeyBackend() jwt = backend.encode(base_payload={ **api_key.base_jwt_payload, 'api_key_id': api_key.id }) [header, _, secret] = jwt.split('.') decoded = backend.decode(jwt) decoded['exp'] = timegm((timezone.now() + timezone.timedelta(weeks=200)).utctimetuple()) payload = base64.urlsafe_b64encode( json.dumps( decoded, separators=(',', ':') ).encode('utf-8') ).decode('utf-8') new_jwt = f'{header}.{payload}.{secret}' with self.assertRaisesMessage(JWTBackendError, 'Token is invalid or expired'): backend.decode(new_jwt, verify=True)
def test_sanity(self): api_key = baker.make( 'ievv_api_key.ScopedApiKey', base_jwt_payload={ 'scope': ['read', 'write'] } ) backend = ApiKeyBackend() jwt = backend.encode(base_payload={ **api_key.base_jwt_payload, 'api_key_id': api_key.id }) decoded = backend.decode(jwt) self.assertIn('exp', decoded) self.assertIn('iat', decoded) self.assertIn('jti', decoded) self.assertEqual(decoded['api_key_id'], api_key.id) self.assertEqual(decoded['scope'], ['read', 'write'])
def test_fields_which_is_not_overridable_is_not_changed(self): api_key = baker.make( 'ievv_api_key.ScopedApiKey', base_jwt_payload={ 'exp': 123, 'iat': 123, 'jti': 123 } ) backend = ApiKeyBackend() jwt = backend.encode(base_payload={ **api_key.base_jwt_payload, 'api_key_id': api_key.id }) decoded = backend.decode(jwt) self.assertIn('exp', decoded) self.assertNotEqual(decoded['exp'], 123) self.assertIn('iat', decoded) self.assertNotEqual(decoded['iat'], 123) self.assertIn('jti', decoded) self.assertNotEqual(decoded['jti'], 123) self.assertEqual(decoded['api_key_id'], api_key.id)