def test_passwordInsecure_WeasylError_if_password_length_insufficient():
user_id = db_utils.create_user(email_addr=email_addr, username=user_name)
password = ''
# Considered insecure...
for i in range(0, login._PASSWORD):
with pytest.raises(WeasylError) as err:
resetpassword.reset(
token=token,
password=password,
passcheck=password,
expect_userid=user_id,
address=None,
)
assert 'passwordInsecure' == err.value.value
password += 'a'
# Considered secure...
password += 'a'
# Success at WeasylError/forgotpasswordRecordMissing; we didn't make one yet
with pytest.raises(WeasylError) as err:
resetpassword.reset(
token=token,
password=password,
passcheck=password,
expect_userid=user_id,
address=None,
)
assert 'forgotpasswordRecordMissing' == err.value.value
def test_passwordInsecure_WeasylError_if_password_length_insufficient():
db_utils.create_user(email_addr=email_addr, username=user_name)
password = ''
form = Bag(email=email_addr,
username=user_name,
day=arrow.now().day,
month=arrow.now().month,
year=arrow.now().year,
token=token,
password=password,
passcheck=password)
# Considered insecure...
for i in range(0, login._PASSWORD):
with pytest.raises(WeasylError) as err:
resetpassword.reset(form)
assert 'passwordInsecure' == err.value.value
password += 'a'
form.password = password
form.passcheck = password
# Considered secure...
password += 'a'
form.password = password
form.passcheck = password
# Success at WeasylError/forgotpasswordRecordMissing; we didn't make one yet
with pytest.raises(WeasylError) as err:
resetpassword.reset(form)
assert 'forgotpasswordRecordMissing' == err.value.value
def test_emailIncorrect_WeasylError_if_email_address_doesnt_match_stored_email(
):
# Two parts: Set forgot password record; attempt reset with incorrect email
# Requirement: Get token set from request()
user_id = db_utils.create_user(email_addr=email_addr, username=user_name)
password = '******'
form_for_request = Bag(email=email_addr,
username=user_name,
day=arrow.now().day,
month=arrow.now().month,
year=arrow.now().year)
resetpassword.request(form_for_request)
pw_reset_token = d.engine.scalar(
"SELECT token FROM forgotpassword WHERE userid = %(id)s", id=user_id)
# Force update link_time (required)
resetpassword.prepare(pw_reset_token)
email_addr_mismatch = "*****@*****.**"
form_for_reset = Bag(email=email_addr_mismatch,
username=user_name,
day=arrow.now().day,
month=arrow.now().month,
year=arrow.now().year,
token=pw_reset_token,
password=password,
passcheck=password)
with pytest.raises(WeasylError) as err:
resetpassword.reset(form_for_reset)
assert 'emailIncorrect' == err.value.value
def test_password_reset_fails_if_attempted_from_different_ip_address():
# Two parts: Set forgot password record; attempt reset with incorrect IP Address in forgotpassword table vs. requesting IP
# Requirement: Get token set from request()
user_id = db_utils.create_user(email_addr=email_addr, username=user_name)
password = '******'
form_for_request = Bag(email=email_addr,
username=user_name,
day=arrow.now().day,
month=arrow.now().month,
year=arrow.now().year)
resetpassword.request(form_for_request)
pw_reset_token = d.engine.scalar(
"SELECT token FROM forgotpassword WHERE userid = %(id)s", id=user_id)
# Change IP detected when request was made (required for test)
d.engine.execute(
"UPDATE forgotpassword SET address = %(addr)s WHERE token = %(token)s",
addr="127.42.42.42",
token=pw_reset_token)
# Force update link_time (required)
resetpassword.prepare(pw_reset_token)
form_for_reset = Bag(email=email_addr,
username=user_name,
day=arrow.now().day,
month=arrow.now().month,
year=arrow.now().year,
token=pw_reset_token,
password=password,
passcheck=password)
with pytest.raises(WeasylError) as err:
resetpassword.reset(form_for_reset)
assert 'addressInvalid' == err.value.value
def test_verify_success_if_correct_information_supplied():
# Subtests:
# a) Verify 'authbcrypt' table has new hash
# b) Verify 'forgotpassword' row is removed.
# > Requirement: Get token set from request()
user_id = db_utils.create_user(email_addr=email_addr, username=user_name)
password = '******'
form_for_request = Bag(email=email_addr,
username=user_name,
day=arrow.now().day,
month=arrow.now().month,
year=arrow.now().year)
resetpassword.request(form_for_request)
pw_reset_token = d.engine.scalar(
"SELECT token FROM forgotpassword WHERE userid = %(id)s", id=user_id)
# Force update link_time (required)
resetpassword.prepare(pw_reset_token)
form = Bag(email=email_addr,
username=user_name,
day=arrow.now().day,
month=arrow.now().month,
year=arrow.now().year,
token=pw_reset_token,
password=password,
passcheck=password)
resetpassword.reset(form)
# 'forgotpassword' row should not exist after a successful reset
row_does_not_exist = d.engine.execute(
"SELECT token FROM forgotpassword WHERE userid = %(id)s", id=user_id)
assert row_does_not_exist.first() is None
bcrypt_hash = d.engine.scalar(
"SELECT hashsum FROM authbcrypt WHERE userid = %(id)s", id=user_id)
assert bcrypt.checkpw(password.encode('utf-8'),
bcrypt_hash.encode('utf-8'))
def POST(self):
form = web.input(token="", username="", email="", day="", month="", year="", password="", passcheck="")
resetpassword.reset(form)
return define.errorpage(
self.user_id,
"**Success!** Your password has been reset and you may now sign in to your account.",
[["Sign In", "/signin"], ["Return to the Home Page", "/index"]])
def resetpassword_post_(request):
form = request.web_input(token="", username="", email="", day="", month="", year="", password="", passcheck="")
resetpassword.reset(form)
return Response(define.errorpage(
request.userid,
"**Success!** Your password has been reset and you may now sign in to your account.",
[["Sign In", "/signin"], ["Return to the Home Page", "/"]]))
def test_passwordMismatch_WeasylError_if_supplied_passwords_dont_match():
db_utils.create_user(email_addr=email_addr, username=user_name)
form = Bag(email=email_addr, username=user_name, day=arrow.now().day,
month=arrow.now().month, year=arrow.now().year, token=token,
password='******', passcheck='asd')
with pytest.raises(WeasylError) as err:
resetpassword.reset(form)
assert 'passwordMismatch' == err.value.value
def test_forgotpasswordRecordMissing_WeasylError_if_reset_record_not_found():
db_utils.create_user(email_addr=email_addr, username=user_name)
password = '******'
form = Bag(email=email_addr, username=user_name, day=arrow.now().day,
month=arrow.now().month, year=arrow.now().year, token=token,
password=password, passcheck=password)
# Technically we did this in the above test, but for completeness, target it alone
with pytest.raises(WeasylError) as err:
resetpassword.reset(form)
assert 'forgotpasswordRecordMissing' == err.value.value
def test_passwordMismatch_WeasylError_if_supplied_passwords_dont_match():
user_id = db_utils.create_user(email_addr=email_addr, username=user_name)
with pytest.raises(WeasylError) as err:
resetpassword.reset(
token=token,
password='******',
passcheck='asd',
expect_userid=user_id,
address=None,
)
assert 'passwordMismatch' == err.value.value
def resetpassword_post_(request):
form = request.web_input(token="", username="", email="", day="", month="", year="", password="", passcheck="")
resetpassword.reset(form)
# Invalidate all other user sessions for this user.
profile.invalidate_other_sessions(request.userid)
return Response(define.errorpage(
request.userid,
"**Success!** Your password has been reset and you may now sign in to your account.",
[["Sign In", "/signin"], ["Return to the Home Page", "/"]]))
def test_forgotpasswordRecordMissing_WeasylError_if_reset_record_not_found():
user_id = db_utils.create_user(email_addr=email_addr, username=user_name)
password = '******'
# Technically we did this in the above test, but for completeness, target it alone
with pytest.raises(WeasylError) as err:
resetpassword.reset(
token=token,
password=password,
passcheck=password,
expect_userid=user_id,
address=None,
)
assert 'forgotpasswordRecordMissing' == err.value.value
def test_passwordMismatch_WeasylError_if_supplied_passwords_dont_match():
db_utils.create_user(email_addr=email_addr, username=user_name)
form = Bag(email=email_addr,
username=user_name,
day=arrow.now().day,
month=arrow.now().month,
year=arrow.now().year,
token=token,
password='******',
passcheck='asd')
with pytest.raises(WeasylError) as err:
resetpassword.reset(form)
assert 'passwordMismatch' == err.value.value
def test_forgotpasswordRecordMissing_WeasylError_if_reset_record_not_found():
db_utils.create_user(email_addr=email_addr, username=user_name)
password = '******'
form = Bag(email=email_addr,
username=user_name,
day=arrow.now().day,
month=arrow.now().month,
year=arrow.now().year,
token=token,
password=password,
passcheck=password)
# Technically we did this in the above test, but for completeness, target it alone
with pytest.raises(WeasylError) as err:
resetpassword.reset(form)
assert 'forgotpasswordRecordMissing' == err.value.value
def POST(self):
form = web.input(token="",
username="",
email="",
day="",
month="",
year="",
password="",
passcheck="")
resetpassword.reset(form)
return define.errorpage(
self.user_id,
"**Success!** Your password has been reset and you may now sign in to your account.",
[["Sign In", "/signin"], ["Return to the Home Page", "/index"]])
def test_emailIncorrect_WeasylError_if_username_doesnt_match_stored_username():
# Two parts: Set forgot password record; attempt reset with incorrect username
# Requirement: Get token set from request()
user_id = db_utils.create_user(email_addr=email_addr, username=user_name)
password = '******'
form_for_request = Bag(email=email_addr, username=user_name, day=arrow.now().day,
month=arrow.now().month, year=arrow.now().year)
resetpassword.request(form_for_request)
pw_reset_token = d.engine.scalar("SELECT token FROM forgotpassword WHERE userid = %(id)s", id=user_id)
# Force update link_time (required)
resetpassword.prepare(pw_reset_token)
user_name_mismatch = "nottheaccountname123"
form_for_reset = Bag(email=email_addr, username=user_name_mismatch, day=arrow.now().day,
month=arrow.now().month, year=arrow.now().year, token=pw_reset_token,
password=password, passcheck=password)
with pytest.raises(WeasylError) as err:
resetpassword.reset(form_for_reset)
assert 'usernameIncorrect' == err.value.value
def resetpassword_post_(request):
expect_userid = int(request.POST['userid'])
resetpassword.reset(
token=request.POST['token'],
password=request.POST['password'],
passcheck=request.POST['passcheck'],
expect_userid=expect_userid,
address=request.client_addr,
)
# Invalidate user sessions for this user.
profile.invalidate_other_sessions(expect_userid)
return Response(define.errorpage(
request.userid,
"**Success!** Your password has been reset and you may now sign in to your account.",
[["Sign In", "/signin"], ["Return to the Home Page", "/"]]))
def test_password_reset_fails_if_attempted_from_different_ip_address():
# Two parts: Set forgot password record; attempt reset with incorrect IP Address in forgotpassword table vs. requesting IP
# Requirement: Get token set from request()
user_id = db_utils.create_user(email_addr=email_addr, username=user_name)
password = '******'
form_for_request = Bag(email=email_addr, username=user_name, day=arrow.now().day,
month=arrow.now().month, year=arrow.now().year)
resetpassword.request(form_for_request)
pw_reset_token = d.engine.scalar("SELECT token FROM forgotpassword WHERE userid = %(id)s", id=user_id)
# Change IP detected when request was made (required for test)
d.engine.execute("UPDATE forgotpassword SET address = %(addr)s WHERE token = %(token)s",
addr="127.42.42.42", token=pw_reset_token)
# Force update link_time (required)
resetpassword.prepare(pw_reset_token)
form_for_reset = Bag(email=email_addr, username=user_name, day=arrow.now().day,
month=arrow.now().month, year=arrow.now().year, token=pw_reset_token,
password=password, passcheck=password)
with pytest.raises(WeasylError) as err:
resetpassword.reset(form_for_reset)
assert 'addressInvalid' == err.value.value
def test_passwordInsecure_WeasylError_if_password_length_insufficient():
db_utils.create_user(email_addr=email_addr, username=user_name)
password = ''
form = Bag(email=email_addr, username=user_name, day=arrow.now().day,
month=arrow.now().month, year=arrow.now().year, token=token,
password=password, passcheck=password)
# Considered insecure...
for i in range(0, login._PASSWORD):
with pytest.raises(WeasylError) as err:
resetpassword.reset(form)
assert 'passwordInsecure' == err.value.value
password += 'a'
form.password = password
form.passcheck = password
# Considered secure...
password += 'a'
form.password = password
form.passcheck = password
# Success at WeasylError/forgotpasswordRecordMissing; we didn't make one yet
with pytest.raises(WeasylError) as err:
resetpassword.reset(form)
assert 'forgotpasswordRecordMissing' == err.value.value
def test_verify_success_if_correct_information_supplied():
# Subtests:
# a) Verify 'authbcrypt' table has new hash
# b) Verify 'forgotpassword' row is removed.
# > Requirement: Get token set from request()
user_id = db_utils.create_user(email_addr=email_addr, username=user_name)
password = '******'
form_for_request = Bag(email=email_addr, username=user_name, day=arrow.now().day,
month=arrow.now().month, year=arrow.now().year)
resetpassword.request(form_for_request)
pw_reset_token = d.engine.scalar("SELECT token FROM forgotpassword WHERE userid = %(id)s", id=user_id)
# Force update link_time (required)
resetpassword.prepare(pw_reset_token)
form = Bag(email=email_addr, username=user_name, day=arrow.now().day,
month=arrow.now().month, year=arrow.now().year, token=pw_reset_token,
password=password, passcheck=password)
resetpassword.reset(form)
# 'forgotpassword' row should not exist after a successful reset
row_does_not_exist = d.engine.execute("SELECT token FROM forgotpassword WHERE userid = %(id)s", id=user_id)
assert row_does_not_exist.first() is None
bcrypt_hash = d.engine.scalar("SELECT hashsum FROM authbcrypt WHERE userid = %(id)s", id=user_id)
assert bcrypt.checkpw(password.encode('utf-8'), bcrypt_hash.encode('utf-8'))
def test_verify_success_if_correct_information_supplied(captured_tokens):
# Subtests:
# a) Verify 'authbcrypt' table has new hash
# b) Verify 'forgotpassword' row is removed.
# > Requirement: Get token set from request()
user_id = db_utils.create_user(email_addr=email_addr, username=user_name)
password = '******'
resetpassword.request(email=email_addr)
pw_reset_token = captured_tokens[email_addr]
resetpassword.reset(
token=pw_reset_token,
password=password,
passcheck=password,
expect_userid=user_id,
address=None,
)
# 'forgotpassword' row should not exist after a successful reset
record_count = d.engine.scalar("SELECT count(*) FROM forgotpassword")
assert record_count == 0
bcrypt_hash = d.engine.scalar(
"SELECT hashsum FROM authbcrypt WHERE userid = %(id)s", id=user_id)
assert bcrypt.checkpw(password.encode('utf-8'),
bcrypt_hash.encode('utf-8'))
