Exemplo n.º 1
0
class AuthResource(object):
    def __init__(self):
        self.database = Database()
        self.logger = logging.getLogger("AuthResource")

    def on_post(self, req, resp):
        raw_json = req.context['doc']
        AUTH_SCHEMA.validate(raw_json)
        username, password = raw_json.get("username"), raw_json.get("password")
        if self.is_valid_login(username, password):
            self.logger.info("Successful login by user %s" % username)
            resp.body = self.create_auth_doc(username)
            resp.body["token"] = resp.body["_id"]
        else:
            self.logger.warning("Failed login for user %s" % username)
            raise falcon.HTTPUnauthorized("Invalid credentails",
                "Failed to authenticate due to invalid username or password")

    def is_valid_login(self, username, password):
        user = self.database.get_doc(DB_USER, username, default=None)
        if user is None:
            return False
        hashed_password = hash(password, user[make_private("password_salt")])
        return user[make_private("encrypted_password")] == hashed_password

    def create_auth_doc(self, username):
        self.logger.info("Creating auth doc for user %s" % username)
        doc = {
            "_id": generate_auth_token(),
            "username": username,
            "expires": datetime.datetime.now() + CONFIG["auth"]["expiry"]
            }
        return self.database.save_doc(DB_AUTH, doc)
Exemplo n.º 2
0
class TestSignupAuth(unittest.TestCase):

    URL = CONFIG["test"]["url"]
    SIGNUP_URL = urljoin(URL, "users")
    AUTH_URL = urljoin(URL, "auth")
    DB_USER = CONFIG["databases"]["user"]

    def setUp(self):
        self.db = Database()
        self.usernames = []

    def tearDown(self):
        for user in self.usernames:
            delete_user(self.db, user)

    def get_email_address(self):
        return "*****@*****.**"

    def get_username(self):
        username = ''.join([random.choice(string.ascii_letters) for i in range(20)])
        self.usernames.append(username)
        return username

    def get_password(self):
        return "123456"

    def generate_user(self):
        return {
            "username": self.get_username(),
            "password": self.get_password(),
            "email": self.get_email_address()
            }

    def create_user(self):
        user = self.generate_user()
        payload = {"data": user}
        resp = requests.request("POST", self.SIGNUP_URL, json=payload)
        self.assertEqual(resp.status_code, 200)
        return user

    def test_user_doc(self):
        user = self.create_user()

        user_doc = self.db.get_doc(self.DB_USER, user["username"])
        self.assertEqual(user_doc.get("password"), None)
        self.assertEqual(user_doc.get("email"), user.get("email"))

    def test_private_password(self):
        user = self.generate_user()
        payload = {"data": user}
        resp = requests.request("POST", self.SIGNUP_URL, json=payload)
        self.assertEqual(resp.status_code, 200)
        for i in resp.json()["data"].keys():
            self.assertNotIn("password", i)


    def test_signup_twice(self):
        payload = {"data": self.create_user()}
        resp = requests.request("POST", self.SIGNUP_URL, json=payload)
        self.assertEqual(resp.status_code, 400)

    def auth_request(self, username, password):
        payload = {"data": {
                "username": username,
                "password": password
                }
            }
        return requests.request("POST", self.AUTH_URL, json=payload)

    def test_signup_and_valid_auth(self):
        user = self.create_user()
        resp = self.auth_request(user["username"], user["password"])
        self.assertEqual(resp.status_code, 200)
        self.assertIn("token", resp.json()["data"])

    def test_signup_and_invalid_auth(self):
        user = self.create_user()

        # Test invalid password
        resp = self.auth_request(user["username"], user["password"] + "123")
        self.assertEqual(resp.status_code, 401)

        # Test invalid username
        resp2 = self.auth_request(user["username"] + "123", user["password"] + "123")
        self.assertEqual(resp2.status_code, 401)