def test_post_form_failing_jwt_auth_changed_user_secret_key(self): """ Ensure changin secret key on USER level makes tokens invalid """ # fine tune settings api_settings.JWT_GET_USER_SECRET_KEY = get_jwt_secret tmp_user = CustomUser.objects.create(email='*****@*****.**') payload = utils.jwt_payload_handler(tmp_user) token = utils.jwt_encode_handler(payload) auth = 'JWT {0}'.format(token) response = self.csrf_client.post('/jwt/', {'example': 'example'}, HTTP_AUTHORIZATION=auth, format='json') self.assertEqual(response.status_code, status.HTTP_200_OK) # change token, verify tmp_user.jwt_secret = uuid.uuid4() tmp_user.save() response = self.csrf_client.post('/jwt/', {'example': 'example'}, HTTP_AUTHORIZATION=auth) self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED) # revert api settings api_settings.JWT_GET_USER_SECRET_KEY = DEFAULTS[ 'JWT_GET_USER_SECRET_KEY']
def test_jwt_encode(self): payload = utils.jwt_payload_handler(self.user) token = utils.jwt_encode_handler(payload) payload_data = base64url_decode(token.split('.')[1].encode('utf-8')) payload_from_token = json.loads(payload_data.decode('utf-8')) self.assertEqual(payload_from_token, payload)
def test_jwt_decode_verify_exp(self): api_settings.JWT_VERIFY_EXPIRATION = False payload = utils.jwt_payload_handler(self.user) payload['exp'] = 1 token = utils.jwt_encode_handler(payload) utils.jwt_decode_handler(token) api_settings.JWT_VERIFY_EXPIRATION = True
def test_jwt_payload_handler_no_email_address(self): user = CustomUserWithoutEmail.objects.create(username=self.username) payload = utils.jwt_payload_handler(user) self.assertTrue(isinstance(payload, dict)) self.assertFalse(hasattr(payload, 'email')) self.assertEqual(payload['user_id'], self.user.pk) self.assertEqual(payload['username'], self.username) self.assertTrue('exp' in payload)
def test_jwt_payload_handler(self): payload = utils.jwt_payload_handler(self.user) pytest.deprecated_call(utils.jwt_payload_handler, self.user) self.assertTrue(isinstance(payload, dict)) self.assertEqual(payload['user_id'], self.user.pk) self.assertEqual(payload['email'], self.email) self.assertEqual(payload['username'], self.username) self.assertTrue('exp' in payload)
def create_token(self, user, exp=None, orig_iat=None): payload = utils.jwt_payload_handler(user) if exp: payload['exp'] = exp if orig_iat: payload['orig_iat'] = timegm(orig_iat.utctimetuple()) token = utils.jwt_encode_handler(payload) return token
def test_post_json_passing_jwt_auth(self): """ Ensure POSTing JSON over JWT auth with correct credentials passes and does not require CSRF """ payload = utils.jwt_payload_handler(self.user) token = utils.jwt_encode_handler(payload) auth = 'JWT {0}'.format(token) response = self.csrf_client.post('/jwt/', {'example': 'example'}, HTTP_AUTHORIZATION=auth, format='json') self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_post_passing_jwt_auth_with_oauth2_priority(self): """ Ensure POSTing over JWT auth with correct credentials passes and does not require CSRF when OAuth2Authentication has priority on authentication_classes """ payload = utils.jwt_payload_handler(self.user) token = utils.jwt_encode_handler(payload) auth = 'JWT {0}'.format(token) response = self.csrf_client.post('/oauth2-jwt/', {'example': 'example'}, HTTP_AUTHORIZATION=auth, format='json') self.assertEqual(response.status_code, status.HTTP_200_OK, response)
def test_post_expired_token_failing_jwt_auth(self): """ Ensure POSTing over JWT auth with expired token fails """ payload = utils.jwt_payload_handler(self.user) payload['exp'] = 1 token = utils.jwt_encode_handler(payload) auth = 'JWT {0}'.format(token) response = self.csrf_client.post('/jwt/', {'example': 'example'}, HTTP_AUTHORIZATION=auth, format='json') msg = 'Signature has expired.' self.assertEqual(response.data['detail'], msg) self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED) self.assertEqual(response['WWW-Authenticate'], 'JWT realm="api"')
def test_jwt_login_with_expired_token(self): """ Ensure JWT login view works even if expired token is provided """ payload = utils.jwt_payload_handler(self.user) payload['exp'] = 1 token = utils.jwt_encode_handler(payload) auth = 'JWT {0}'.format(token) client = APIClient(enforce_csrf_checks=True) response = client.post('/auth-token/', self.data, HTTP_AUTHORIZATION=auth, format='json') decoded_payload = utils.jwt_decode_handler(response.data['token']) self.assertEqual(response.status_code, status.HTTP_200_OK) self.assertEqual(decoded_payload['username'], self.username)
def test_different_auth_header_prefix(self): """ Ensure using a different setting for `JWT_AUTH_HEADER_PREFIX` and with correct credentials passes. """ api_settings.JWT_AUTH_HEADER_PREFIX = 'Bearer' payload = utils.jwt_payload_handler(self.user) token = utils.jwt_encode_handler(payload) auth = 'Bearer {0}'.format(token) response = self.csrf_client.post('/jwt/', {'example': 'example'}, HTTP_AUTHORIZATION=auth, format='json') self.assertEqual(response.status_code, status.HTTP_200_OK) # Restore original settings api_settings.JWT_AUTH_HEADER_PREFIX = DEFAULTS[ 'JWT_AUTH_HEADER_PREFIX']
def test_post_form_passing_jwt_auth(self): """ Ensure POSTing form over JWT auth with correct credentials passes and does not require CSRF """ payload = utils.jwt_payload_handler(self.user) token = utils.jwt_encode_handler(payload) auth = 'JWT {0}'.format(token) response = self.csrf_client.post('/jwt/', {'example': 'example'}, HTTP_AUTHORIZATION=auth) self.assertEqual(response.status_code, status.HTTP_200_OK) self.assertEqual(response.content, b'mockview-post') # Ensure `authenticate` returned the decoded payload. self.assertEqual(response.wsgi_request.user, self.user) payload = response.wsgi_request.auth self.assertIsInstance(payload, dict) self.assertEqual(set(payload.keys()), {'user_id', 'username', 'exp', 'email'})
def test_fail_issuer_wrong(self): payload = utils.jwt_payload_handler(self.user) payload['iss'] = 'example2.com' token = utils.jwt_encode_handler(payload) with self.assertRaises(jwt.exceptions.InvalidIssuerError): utils.jwt_decode_handler(token)
def test_jwt_response_payload(self): payload = utils.jwt_payload_handler(self.user) token = utils.jwt_encode_handler(payload) response_data = utils.jwt_response_payload_handler(token) self.assertEqual(response_data, dict(token=token))
def test_jwt_decode(self): payload = utils.jwt_payload_handler(self.user) token = utils.jwt_encode_handler(payload) decoded_payload = utils.jwt_decode_handler(token) self.assertEqual(decoded_payload, payload)
def test_fail_audience_missing(self): payload = utils.jwt_payload_handler(self.user) del payload['aud'] token = utils.jwt_encode_handler(payload) with self.assertRaises(jwt.exceptions.MissingRequiredClaimError): utils.jwt_decode_handler(token)
def test_fail_audience_wrong(self): payload = utils.jwt_payload_handler(self.user) payload['aud'] = 'my_aud2' token = utils.jwt_encode_handler(payload) with self.assertRaises(jwt.exceptions.InvalidAudienceError): utils.jwt_decode_handler(token)