def test_expired_login_token(client, app, get_message):
e = "*****@*****.**"
with capture_passwordless_login_requests() as requests:
client.post("/login", data=dict(email=e), follow_redirects=True)
token = requests[0]["login_token"]
user = requests[0]["user"]
time.sleep(1)
response = client.get("/login/" + token, follow_redirects=True)
assert (get_message("LOGIN_EXPIRED",
within="1 milliseconds",
email=user.email) in response.data)
def test_spa_get_bad_token(app, client, get_message):
"""Test expired and invalid token"""
with capture_flashes() as flashes:
with capture_passwordless_login_requests() as requests:
response = client.post(
"/login",
json=dict(email="*****@*****.**"),
headers={"Content-Type": "application/json"},
)
assert response.headers["Content-Type"] == "application/json"
token = requests[0]["login_token"]
time.sleep(1)
response = client.get("/login/" + token)
assert response.status_code == 302
split = urlsplit(response.headers["Location"])
assert "localhost:8081" == split.netloc
assert "/login-error" == split.path
qparams = dict(parse_qsl(split.query))
assert all(k in qparams for k in ["email", "error", "identity"])
msg = get_message("LOGIN_EXPIRED",
within="1 milliseconds",
email="*****@*****.**")
assert msg == qparams["error"].encode("utf-8")
# Test mangled token
token = (
"WyIxNjQ2MzYiLCIxMzQ1YzBlZmVhM2VhZjYwODgwMDhhZGU2YzU0MzZjMiJd."
"BZEw_Q.lQyo3npdPZtcJ_sNHVHP103syjM"
"&url_id=fbb89a8328e58c181ea7d064c2987874bc54a23d")
response = client.get("/login/" + token)
assert response.status_code == 302
split = urlsplit(response.headers["Location"])
assert "localhost:8081" == split.netloc
assert "/login-error" == split.path
qparams = dict(parse_qsl(split.query))
assert len(qparams) == 1
assert all(k in qparams for k in ["error"])
msg = get_message("INVALID_LOGIN_TOKEN")
assert msg == qparams["error"].encode("utf-8")
assert len(flashes) == 0
def test_passwordless_template(app, client, get_message):
# Check contents of email template - this uses a test template
# in order to check all context vars since the default template
# doesn't have all of them.
with capture_passwordless_login_requests() as requests:
with app.mail.record_messages() as outbox:
client.post("/login",
data=dict(email="*****@*****.**"),
follow_redirects=True)
assert len(outbox) == 1
matcher = re.findall(r"\w+:.*", outbox[0].body, re.IGNORECASE)
# should be 4 - link, email, token, config item
assert matcher[1].split(":")[1] == "*****@*****.**"
assert matcher[2].split(":")[1] == requests[0]["login_token"]
assert matcher[3].split(":")[1] == app.config["SECURITY_CONFIRM_URL"]
# check link
link = matcher[0].split(":", 1)[1]
response = client.get(link, follow_redirects=True)
assert get_message("PASSWORDLESS_LOGIN_SUCCESSFUL") in response.data
def test_spa_get(app, client):
"""
Test 'single-page-application' style redirects
This uses json only.
"""
with capture_flashes() as flashes:
with capture_passwordless_login_requests() as requests:
response = client.post(
"/login",
json=dict(email="*****@*****.**"),
headers={"Content-Type": "application/json"},
)
assert response.headers["Content-Type"] == "application/json"
token = requests[0]["login_token"]
response = client.get("/login/" + token)
assert response.status_code == 302
split = urlsplit(response.headers["Location"])
assert "localhost:8081" == split.netloc
assert "/login-redirect" == split.path
qparams = dict(parse_qsl(split.query))
assert qparams["email"] == "*****@*****.**"
assert len(flashes) == 0
def test_passwordless_flag(app, client, get_message):
recorded = []
@login_instructions_sent.connect_via(app)
def on_instructions_sent(app, user, login_token):
assert isinstance(app, Flask)
assert isinstance(user, UserMixin)
assert isinstance(login_token, str)
recorded.append(user)
# Test disabled account
response = client.post("/login",
data=dict(email="*****@*****.**"),
follow_redirects=True)
assert get_message("DISABLED_ACCOUNT") in response.data
# Test login with json and valid email
data = dict(email="*****@*****.**")
response = client.post("/login",
json=data,
headers={"Content-Type": "application/json"})
assert response.status_code == 200
assert len(recorded) == 1
# Test login with json and invalid email
data = dict(email="*****@*****.**")
response = client.post("/login",
json=data,
headers={"Content-Type": "application/json"})
assert b"errors" in response.data
# Test sends email and shows appropriate response
with capture_passwordless_login_requests() as requests:
with app.mail.record_messages() as outbox:
response = client.post("/login",
data=dict(email="*****@*****.**"),
follow_redirects=True)
assert len(recorded) == 2
assert len(requests) == 1
assert len(outbox) == 1
assert "user" in requests[0]
assert "login_token" in requests[0]
user = requests[0]["user"]
assert get_message("LOGIN_EMAIL_SENT", email=user.email) in response.data
token = requests[0]["login_token"]
response = client.get("/login/" + token, follow_redirects=True)
assert get_message("PASSWORDLESS_LOGIN_SUCCESSFUL") in response.data
# Test already authenticated
response = client.get("/login/" + token, follow_redirects=True)
assert get_message("PASSWORDLESS_LOGIN_SUCCESSFUL") not in response.data
logout(client)
# Test invalid token
response = client.get("/login/bogus", follow_redirects=True)
assert get_message("INVALID_LOGIN_TOKEN") in response.data
# Test login request with invalid email
response = client.post("/login", data=dict(email="*****@*****.**"))
assert get_message("USER_DOES_NOT_EXIST") in response.data
