def test_login_success(self):
user = UserProfile.objects.create(username='******',
email='*****@*****.**')
identity = {'email': '*****@*****.**', 'uid': '9001'}
self.fxa_identify.return_value = identity
response = self.client.post(self.url, {
'code': 'code',
'state': 'some-blob'
})
assert response.status_code == 200
assert response.data['email'] == '*****@*****.**'
token = response.data['token']
verify = WebTokenAuthentication().authenticate_token(token)
assert verify[0] == user
self.update_user.assert_called_with(user, identity)
def test_success_with_account_logs_in(self):
user = UserProfile.objects.create(username='******',
email='*****@*****.**',
fxa_id='10')
identity = {'email': '*****@*****.**', 'uid': '9001'}
self.fxa_identify.return_value = identity
response = self.client.get(self.url, {
'code': 'code',
'state': self.fxa_state
})
self.assertRedirects(response, reverse('home'))
token = response.cookies['api_auth_token'].value
verify = WebTokenAuthentication().authenticate_token(token)
assert verify[0] == user
self.login_user.assert_called_with(mock.ANY, user, identity)
assert not self.register_user.called
def test_success_no_account_registers(self):
user_qs = UserProfile.objects.filter(email='*****@*****.**')
assert not user_qs.exists()
identity = {u'email': u'*****@*****.**', u'uid': u'e0b6f'}
self.fxa_identify.return_value = identity
self.register_user.side_effect = (
lambda r, i: UserProfile.objects.create(
username='******', email='*****@*****.**', fxa_id='e0b6f'))
response = self.client.get(self.url, {
'code': 'codes!!',
'state': self.fxa_state
})
self.fxa_identify.assert_called_with('codes!!', config=FXA_CONFIG)
assert not self.login_user.called
self.register_user.assert_called_with(mock.ANY, identity)
token = response.cookies['api_auth_token'].value
verify = WebTokenAuthentication().authenticate_token(token)
assert verify[0] == UserProfile.objects.get(username='******')
def login_user(self, user):
identity = {
'username': user.username,
'email': user.email,
'uid': user.fxa_id,
}
self.initialize_session({'fxa_state': 'myfxastate'})
with mock.patch('olympia.accounts.views.verify.fxa_identify',
lambda code, config: identity):
response = self.client.get(
'{url}?code={code}&state={state}'.format(
url=reverse('accounts.authenticate'),
state='myfxastate',
code='thecode'))
token = response.cookies[views.API_TOKEN_COOKIE].value
assert token
verify = WebTokenAuthentication().authenticate_token(token)
assert verify[0] == user
assert self.client.session['_auth_user_id'] == str(user.id)
return token
def setUp(self):
super(TestWebTokenAuthentication, self).setUp()
self.auth = WebTokenAuthentication()
self.factory = RequestFactory()
self.user = user_factory(read_dev_agreement=datetime.now())
class TestWebTokenAuthentication(TestCase):
client_class = APITestClient
def setUp(self):
super(TestWebTokenAuthentication, self).setUp()
self.auth = WebTokenAuthentication()
self.factory = RequestFactory()
self.user = user_factory(read_dev_agreement=datetime.now())
def _authenticate(self, token):
url = absolutify('/api/v3/whatever/')
prefix = WebTokenAuthentication.auth_header_prefix
request = self.factory.post(url,
HTTP_HOST='testserver',
HTTP_AUTHORIZATION='{0} {1}'.format(
prefix, token))
return self.auth.authenticate(request)
def test_success(self):
token = self.client.generate_api_token(self.user)
user, _ = self._authenticate(token)
assert user == self.user
def test_authenticate_header(self):
request = self.factory.post('/api/v3/whatever/')
assert (self.auth.authenticate_header(request) == 'bearer realm="api"')
def test_wrong_header_only_prefix(self):
request = self.factory.post(
'/api/v3/whatever/',
HTTP_AUTHORIZATION=WebTokenAuthentication.auth_header_prefix)
with self.assertRaises(AuthenticationFailed) as exp:
self.auth.authenticate(request)
assert exp.exception.detail['code'] == 'ERROR_INVALID_HEADER'
assert exp.exception.detail['detail'] == (
'Invalid Authorization header. No credentials provided.')
def test_wrong_header_too_many_spaces(self):
request = self.factory.post(
'/api/v3/whatever/',
HTTP_AUTHORIZATION='{} foo bar'.format(
WebTokenAuthentication.auth_header_prefix))
with self.assertRaises(AuthenticationFailed) as exp:
self.auth.authenticate(request)
assert exp.exception.detail['code'] == 'ERROR_INVALID_HEADER'
assert exp.exception.detail['detail'] == (
'Invalid Authorization header. '
'Credentials string should not contain spaces.')
def test_no_token(self):
request = self.factory.post('/api/v3/whatever/')
self.auth.authenticate(request) is None
def test_expired_token(self):
old_date = datetime.now() - timedelta(
seconds=settings.SESSION_COOKIE_AGE + 1)
with freeze_time(old_date):
token = self.client.generate_api_token(self.user)
with self.assertRaises(AuthenticationFailed) as exp:
self._authenticate(token)
assert exp.exception.detail['code'] == 'ERROR_SIGNATURE_EXPIRED'
assert exp.exception.detail['detail'] == 'Signature has expired.'
def test_still_valid_token(self):
not_so_old_date = datetime.now() - timedelta(
seconds=settings.SESSION_COOKIE_AGE - 30)
with freeze_time(not_so_old_date):
token = self.client.generate_api_token(self.user)
assert self._authenticate(token)[0] == self.user
def test_bad_token(self):
token = 'garbage'
with self.assertRaises(AuthenticationFailed) as exp:
self._authenticate(token)
assert exp.exception.detail['code'] == 'ERROR_DECODING_SIGNATURE'
assert exp.exception.detail['detail'] == 'Error decoding signature.'
def test_user_id_is_none(self):
token = self.client.generate_api_token(self.user, user_id=None)
with self.assertRaises(AuthenticationFailed):
self._authenticate(token)
def test_no_user_id_in_payload(self):
data = {
'auth_hash': self.user.get_session_auth_hash(),
}
token = signing.dumps(data, salt=WebTokenAuthentication.salt)
with self.assertRaises(AuthenticationFailed):
self._authenticate(token)
def test_no_auth_hash_in_payload(self):
data = {
'user_id': self.user.pk,
}
token = signing.dumps(data, salt=WebTokenAuthentication.salt)
with self.assertRaises(AuthenticationFailed):
self._authenticate(token)
def test_user_deleted(self):
self.user.delete()
token = self.client.generate_api_token(self.user)
with self.assertRaises(AuthenticationFailed):
self._authenticate(token)
def test_invalid_user_not_found(self):
token = self.client.generate_api_token(self.user, user_id=-1)
with self.assertRaises(AuthenticationFailed):
self._authenticate(token)
def test_invalid_user_other_user(self):
user2 = user_factory(read_dev_agreement=datetime.now())
token = self.client.generate_api_token(self.user, user_id=user2.pk)
with self.assertRaises(AuthenticationFailed):
self._authenticate(token)
def test_wrong_auth_id(self):
token = self.client.generate_api_token(self.user)
self.user.update(auth_id=self.user.auth_id + 42)
with self.assertRaises(AuthenticationFailed):
self._authenticate(token)
def test_make_sure_token_is_decodable(self):
token = self.client.generate_api_token(self.user)
# A token is really a string containing the json dict,
# a timestamp and a signature, separated by ':'. The base64 encoding
# lacks padding, which is why we need to use signing.b64_decode() which
# handles that for us.
data = json.loads(signing.b64_decode(token.split(':')[0]))
assert data['user_id'] == self.user.pk
assert data['auth_hash'] == self.user.get_session_auth_hash()
def setUp(self):
super(TestWebTokenAuthentication, self).setUp()
self.auth = WebTokenAuthentication()
self.factory = RequestFactory()
self.user = user_factory(read_dev_agreement=datetime.now())
class TestWebTokenAuthentication(TestCase):
client_class = APITestClient
def setUp(self):
super(TestWebTokenAuthentication, self).setUp()
self.auth = WebTokenAuthentication()
self.factory = RequestFactory()
self.user = user_factory(read_dev_agreement=datetime.now())
def _authenticate(self, token):
url = absolutify('/api/v3/whatever/')
prefix = WebTokenAuthentication.auth_header_prefix
request = self.factory.post(
url, HTTP_HOST='testserver',
HTTP_AUTHORIZATION='{0} {1}'.format(prefix, token))
return self.auth.authenticate(request)
def test_success(self):
token = self.client.generate_api_token(self.user)
user, _ = self._authenticate(token)
assert user == self.user
def test_authenticate_header(self):
request = self.factory.post('/api/v3/whatever/')
assert (self.auth.authenticate_header(request) ==
'bearer realm="api"')
def test_wrong_header_only_prefix(self):
request = self.factory.post(
'/api/v3/whatever/',
HTTP_AUTHORIZATION=WebTokenAuthentication.auth_header_prefix)
with self.assertRaises(AuthenticationFailed) as exp:
self.auth.authenticate(request)
assert exp.exception.detail['code'] == 'ERROR_INVALID_HEADER'
assert exp.exception.detail['detail'] == (
'Invalid Authorization header. No credentials provided.')
def test_wrong_header_too_many_spaces(self):
request = self.factory.post(
'/api/v3/whatever/',
HTTP_AUTHORIZATION='{} foo bar'.format(
WebTokenAuthentication.auth_header_prefix))
with self.assertRaises(AuthenticationFailed) as exp:
self.auth.authenticate(request)
assert exp.exception.detail['code'] == 'ERROR_INVALID_HEADER'
assert exp.exception.detail['detail'] == (
'Invalid Authorization header. '
'Credentials string should not contain spaces.')
def test_no_token(self):
request = self.factory.post('/api/v3/whatever/')
self.auth.authenticate(request) is None
def test_expired_token(self):
old_date = datetime.now() - timedelta(
seconds=settings.SESSION_COOKIE_AGE + 1)
with freeze_time(old_date):
token = self.client.generate_api_token(self.user)
with self.assertRaises(AuthenticationFailed) as exp:
self._authenticate(token)
assert exp.exception.detail['code'] == 'ERROR_SIGNATURE_EXPIRED'
assert exp.exception.detail['detail'] == 'Signature has expired.'
def test_still_valid_token(self):
not_so_old_date = datetime.now() - timedelta(
seconds=settings.SESSION_COOKIE_AGE - 30)
with freeze_time(not_so_old_date):
token = self.client.generate_api_token(self.user)
assert self._authenticate(token)[0] == self.user
def test_bad_token(self):
token = 'garbage'
with self.assertRaises(AuthenticationFailed) as exp:
self._authenticate(token)
assert exp.exception.detail['code'] == 'ERROR_DECODING_SIGNATURE'
assert exp.exception.detail['detail'] == 'Error decoding signature.'
def test_user_id_is_none(self):
token = self.client.generate_api_token(self.user, user_id=None)
with self.assertRaises(AuthenticationFailed):
self._authenticate(token)
def test_no_user_id_in_payload(self):
data = {
'auth_hash': self.user.get_session_auth_hash(),
}
token = signing.dumps(data, salt=WebTokenAuthentication.salt)
with self.assertRaises(AuthenticationFailed):
self._authenticate(token)
def test_no_auth_hash_in_payload(self):
data = {
'user_id': self.user.pk,
}
token = signing.dumps(data, salt=WebTokenAuthentication.salt)
with self.assertRaises(AuthenticationFailed):
self._authenticate(token)
def test_user_deleted(self):
self.user.delete()
token = self.client.generate_api_token(self.user)
with self.assertRaises(AuthenticationFailed):
self._authenticate(token)
def test_invalid_user_not_found(self):
token = self.client.generate_api_token(self.user, user_id=-1)
with self.assertRaises(AuthenticationFailed):
self._authenticate(token)
def test_invalid_user_other_user(self):
user2 = user_factory(read_dev_agreement=datetime.now())
token = self.client.generate_api_token(self.user, user_id=user2.pk)
with self.assertRaises(AuthenticationFailed):
self._authenticate(token)
def test_wrong_auth_id(self):
token = self.client.generate_api_token(self.user)
self.user.update(auth_id=self.user.auth_id + 42)
with self.assertRaises(AuthenticationFailed):
self._authenticate(token)
def test_make_sure_token_is_decodable(self):
token = self.client.generate_api_token(self.user)
# A token is really a string containing the json dict,
# a timestamp and a signature, separated by ':'. The base64 encoding
# lacks padding, which is why we need to use signing.b64_decode() which
# handles that for us.
data = json.loads(signing.b64_decode(token.split(':')[0]))
assert data['user_id'] == self.user.pk
assert data['auth_hash'] == self.user.get_session_auth_hash()
