Exemplo n.º 1
0
def test_climb_create_auth_limited(test_client, init_database):
    auth_response = test_util.get_auth_response(test_client, new_default_username, new_default_password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

    #request fails without jwt
    fail_response = test_client.post('/user/2/climbs')
    assert fail_response.status_code == 401
    assert b"Missing Authorization Header" in fail_response.data

    workouts_response = test_client.get('/user/2/workout/1', headers = jwt_header)
    assert workouts_response.status_code == 200
    num_climbs =  len(workouts_response.json['climbs'])

    success_response = test_client.post(
        '/user/2/climbs',
        headers = jwt_header,
        json = {
            "type": "boulder",
            "grade": 5,
            "user_id": 2,
            "workout_id": 1
        }
    )
    assert success_response.status_code == 200
    
    #check to see if it was added to workout
    workouts_response = test_client.get('/user/2/workout/1', headers = jwt_header)
    assert workouts_response.status_code == 200
    assert len(workouts_response.json['climbs']) == num_climbs + 1
Exemplo n.º 2
0
def test_workouts_read_belongs_only_to_user(test_client, init_database):
    auth_response = test_util.get_auth_response(test_client, snoopy_username, snoopy_password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

    fail_response = test_client.get('/user/2/workouts', headers = jwt_header)
    assert fail_response.status_code == 403
    assert b"Not Authorized" in fail_response.data
Exemplo n.º 3
0
def test_climb_update_auth_limited(test_client, init_database):
    auth_response = test_util.get_auth_response(test_client, new_default_username, new_default_password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

    #request fails without jwt
    fail_response = test_client.put('/user/2/climb/1')
    assert fail_response.status_code == 401
    assert b"Missing Authorization Header" in fail_response.data

    climb_response = test_client.get('user/2/climb/1', headers = jwt_header)
    assert climb_response.status_code == 200
    assert climb_response.json['grade'] == 6

    success_response = test_client.put(
        '/user/2/climb/1',
        headers = jwt_header,
        json = {
            "type": "boulder",
            "grade": 5,
            "user_id": 2,
            "workout_id": 1
        }
    )
    assert success_response.status_code == 200

    climb_response = test_client.get('user/2/climb/1', headers = jwt_header)
    assert climb_response.status_code == 200
    assert climb_response.json['grade'] == 5
Exemplo n.º 4
0
def test_climb_delete_user_cannot_delete_anothers_climb(test_client, init_database):
    auth_response = test_util.get_auth_response(test_client, snoopy_username, snoopy_password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

    fail_response = test_client.delete('/user/3/climb/1', headers = jwt_header)
    assert fail_response.status_code == 400
    assert b"There was a problem fetching the climb" in fail_response.data
Exemplo n.º 5
0
def test_user_update_auth_limited(test_client, init_database):
    auth_response = test_util.get_auth_response(test_client, default_username, default_password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

    #request fails without jwt
    fail_response = test_client.put('/user/1')
    assert fail_response.status_code == 401
    assert b"Missing Authorization Header" in fail_response.data

    #verify that record is unchanged before update call
    get_response = test_client.get('/user/1', headers = jwt_header)
    assert b"blah@gmail" in get_response.data

    success_response = test_client.put(
        '/user/1',
         json = {
             "email": "*****@*****.**"
         },
         headers = jwt_header
    )
    assert success_response.status_code == 200
    assert b"blah@gmail" not in success_response.data

    #verify that record is changed after update call
    get_response_post_update = test_client.get('/user/1', headers = jwt_header)
    body = json.loads(get_response_post_update.data)
    assert "*****@*****.**" == body['email']
Exemplo n.º 6
0
def test_workout_read_belongs_only_to_user(test_client, init_database):
    #make sure only the user that owns the workout can view it
    auth_response = test_util.get_auth_response(test_client, snoopy_username, snoopy_password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

    fail_response = test_client.get('/user/2/workout/1', headers = jwt_header)
    assert fail_response.status_code == 403
    assert b"Not Authorized" in fail_response.data
Exemplo n.º 7
0
def test_climb_delete_belongs_only_to_user(test_client, init_database):
    #make sure only the user that owns the climb can delete it
    auth_response = test_util.get_auth_response(test_client, snoopy_username, snoopy_password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

    #request fails without jwt
    fail_response = test_client.delete('/user/2/climb/1', headers=jwt_header)
    assert fail_response.status_code == 403
    assert b"Not Authorized" in fail_response.data
Exemplo n.º 8
0
def test_cannot_modify_jwt(test_client, init_database):
    auth_response = test_util.get_auth_response(test_client, malicious_username, malicious_password)
    data = json.loads(auth_response.data.decode('utf-8'))
    access_token = data['access_token']
    access_token = decode_token(access_token)
    access_token['identity']['id'] = 1 # an id that malicious wants to hack
    tampered_token = base64.b64encode(json.dumps(access_token).encode('utf-8'))
    jwt_header = test_util.create_jwt_header(json.dumps({'access_token': tampered_token.decode('utf-8')}).encode('utf-8'))

    #do something malicious shouldn't be able to do
    success_response = test_client.get('/user/1', headers = jwt_header)
    assert success_response.status_code != 200
Exemplo n.º 9
0
def test_climb_read_auth_limited(test_client, init_database):
    auth_response = test_util.get_auth_response(test_client, new_default_username, new_default_password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

    #request fails without jwt
    fail_response = test_client.get('/user/2/climb/1')
    assert fail_response.status_code == 401
    assert b"Missing Authorization Header" in fail_response.data

    #request succeeds with jwt
    success_response = test_client.get('/user/2/climb/1', headers = jwt_header)
    assert success_response.status_code == 200
Exemplo n.º 10
0
def test_user_read_auth_limited(test_client, init_database):
    auth_response = test_util.get_auth_response(test_client, default_username, default_password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

    #request fails without jwt
    fail_response = test_client.get('/user/1')
    assert fail_response.status_code == 401
    assert b"Request does not contain an access token" in fail_response.data

    #request succeeds with jwt
    success_response = test_client.get('/user/1', headers = jwt_header)
    assert success_response.status_code == 200
    assert b"blahblah" in success_response.data
    assert b"blah@gmail" in success_response.data
Exemplo n.º 11
0
def test_climb_update_user_cannot_update_anothers_climb(test_client, init_database):
    auth_response = test_util.get_auth_response(test_client, snoopy_username, snoopy_password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

    fail_response = test_client.put('/user/3/climb/1',
        headers = jwt_header,
        json = {
            "type": "boulder",
            "grade": 5,
            "user_id": 2,
            "workout_id": 1
        }
    )
    assert fail_response.status_code == 400
    assert b"There was an error updating the climb" in fail_response.data
Exemplo n.º 12
0
def test_climb_create_belongs_only_to_user(test_client, init_database):
    #make sure only the user that owns the climb can view it
    auth_response = test_util.get_auth_response(test_client, snoopy_username, snoopy_password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

    fail_response = test_client.post(
        '/user/2/climbs',
        headers = jwt_header,
        json = {
            "type": "boulder",
            "grade": 5,
            "user_id": 2,
            "workout_id": 1
        }
    )
    assert fail_response.status_code == 403
Exemplo n.º 13
0
def test_workout_read_auth_limited(test_client, init_database):
    auth_response = test_util.get_auth_response(test_client, new_default_username, new_default_password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

    #request fails without jwt
    fail_response = test_client.get('/user/2/workout/1')
    assert fail_response.status_code == 401
    assert b"Request does not contain an access token" in fail_response.data

    #request succeeds with jwt
    success_response = test_client.get('/user/2/workout/1', headers = jwt_header)
    assert success_response.status_code == 200

    #climb is in workout
    assert b"boulder" in success_response.data
    #user is in workout
    assert b"signup_date" in success_response.data
Exemplo n.º 14
0
def test_climb_delete_auth_limited(test_client, init_database):
    auth_response = test_util.get_auth_response(test_client, new_default_username, new_default_password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

    fail_response = test_client.delete('/user/3/climb/1')
    assert fail_response.status_code == 401

    workouts_response = test_client.get('/user/2/workout/1', headers = jwt_header)
    assert workouts_response.status_code == 200
    num_climbs =  len(workouts_response.json['climbs'])

    success_response = test_client.delete( '/user/2/climb/1', headers = jwt_header)
    assert success_response.status_code == 200
    
    #check to see if it was added to workout
    workouts_response = test_client.get('/user/2/workout/1', headers = jwt_header)
    assert workouts_response.status_code == 200
    assert len(workouts_response.json['climbs']) == num_climbs - 1
Exemplo n.º 15
0
def test_workout_update_user_cannot_update_anothers_workout(test_client, init_database):
    auth_response = test_util.get_auth_response(test_client, snoopy_username, snoopy_password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

    fail_response = test_client.get('/user/3/workout/1',
        headers = jwt_header,
        json = {
            'date': datetime.timestamp(datetime.now()),
            'climbs': [
                {'grade': 9, 'id': 3, 'letter_grade': None, 'type': 'boulder', 'user_id': 2, 'workout': 2},
                {'grade': 10, 'id': 4, 'letter_grade': None, 'type': 'boulder', 'user_id': 2, 'workout': 2},
                {'grade': 14, 'id': 5, 'letter_grade': None, 'type': 'boulder', 'user_id': 2, 'workout': 2},
                {'grade': 12, 'id': 6, 'letter_grade': 'a', 'type': 'route', 'user_id': 2, 'workout': 2},
                {'grade': 11, 'id': 7, 'letter_grade': 'a', 'type': 'route', 'user_id': 2, 'workout': 2}
            ]
        }
    )
    assert fail_response.status_code == 400
    assert b"There was a problem fetching the workout" in fail_response.data
Exemplo n.º 16
0
def test_user_delete_auth_limited(test_client, init_database):
    auth_response = test_util.get_auth_response(test_client, default_username, default_password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

#   request fails without jwt
    fail_response = test_client.delete('/user/1')
    assert fail_response.status_code == 401
    assert b"Missing Authorization Header" in fail_response.data

    #assert user exists
    get_response = test_client.get('/user/1', headers = jwt_header)
    assert b"fancynewemail@gmail" in get_response.data

    #delete user
    success_response = test_client.delete('/user/1', headers = jwt_header)
    assert success_response.status_code == 200
    assert b"user_id" in success_response.data

    #assert user doesn't exist
    get_response_fail = test_client.get('/user/1', headers = jwt_header)
    assert get_response_fail.status_code == 400
Exemplo n.º 17
0
def test_workout_update_auth_limited(test_client, init_database):
    auth_response = test_util.get_auth_response(test_client, new_default_username, new_default_password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

    #request fails without jwt
    fail_response = test_client.put('/user/2/workout/1')
    assert fail_response.status_code == 401
    assert b"Missing Authorization Header" in fail_response.data

    success_response = test_client.get(
        '/user/2/workout/2',
        headers = jwt_header,
    )
    assert success_response.status_code == 200

    assert b"boulder" in success_response.data
    assert "14" not in success_response.json['climbs']

    #requests succeeds with jwt
    success_response = test_client.put(
        '/user/2/workout/2',
        headers = jwt_header,
        json = {
            'date': datetime.timestamp(datetime.now()),
            'climbs': [
                {'grade': 9, 'id': 3, 'letter_grade': None, 'type': 'boulder', 'user_id': 2, 'workout': 2},
                {'grade': 10, 'id': 4, 'letter_grade': None, 'type': 'boulder', 'user_id': 2, 'workout': 2},
                {'grade': 14, 'id': 5, 'letter_grade': None, 'type': 'boulder', 'user_id': 2, 'workout': 2},
                {'grade': 12, 'id': 6, 'letter_grade': 'a', 'type': 'route', 'user_id': 2, 'workout': 2},
                {'grade': 11, 'id': 7, 'letter_grade': 'a', 'type': 'route', 'user_id': 2, 'workout': 2}
            ],
            'notes': "This is the new note."
        }
    )
    assert success_response.status_code == 200
   
    assert b"climbs" in success_response.data
    assert success_response.json['climbs'][2]['grade'] == 14
    assert b"new note" in success_response.data
Exemplo n.º 18
0
def test_workout_delete_auth_limited(test_client, init_database):
    auth_response = test_util.get_auth_response(test_client, new_default_username, new_default_password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

    #request fails without jwt
    fail_response = test_client.delete('/user/2/workout/1')
    assert fail_response.status_code == 401
    assert b"Missing Authorization Header" in fail_response.data

    workouts_response = test_client.get('/user/2/workouts', headers = jwt_header)
    assert workouts_response.status_code == 200
    assert len(workouts_response.json['workouts']) == 2

    #requests succeeds with jwt
    success_response = test_client.delete(
        '/user/2/workout/2',
        headers = jwt_header,
    )
    assert success_response.status_code == 200

    workouts_response = test_client.get('/user/2/workouts', headers = jwt_header)
    assert workouts_response.status_code == 200
    assert len(workouts_response.json['workouts']) == 1
Exemplo n.º 19
0
def test_user_create(test_client, init_database):
    username = "******"
    password = "******"
    success_response = test_client.post(
        '/users',
        json = {
            "username": username,
            "email": "*****@*****.**",
            "password": password
        }
    )
    assert success_response.status_code == 200
    assert b"newuser" in success_response.data

    new_user_id = json.loads(success_response.data)['id']

    #verify that new user can access auth_limited endpoints
    auth_response = test_util.get_auth_response(test_client, username, password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

    success_response = test_client.get('/user/{}'.format(new_user_id), headers = jwt_header)
    assert success_response.status_code == 200
    assert b"newuser" in success_response.data
Exemplo n.º 20
0
def test_workout_create_auth_limited(test_client, init_database):
    auth_response = test_util.get_auth_response(test_client, new_default_username, new_default_password)
    jwt_header = test_util.create_jwt_header(auth_response.data)

    #request fails without jwt
    fail_response = test_client.post('/user/2/workouts')
    assert fail_response.status_code == 401
    assert b"Missing Authorization Header" in fail_response.data

    #requests succeeds with jwt
    success_response = test_client.post(
        '/user/2/workouts',
        headers = jwt_header,
        json = {
            "date": 1578702677,
            "boulders": [9, 10, 11],
            "routes": ['12a', '11a'],
            "notes": "That crimpy 12 was hard!"
        }
    )
    assert success_response.status_code == 200
    assert b"10" in success_response.data
    assert b"crimpy" in success_response.data
Exemplo n.º 21
0
def test_auth_401_user_dne(test_client, init_database):
    #user does not exist!
    response = test_util.get_auth_response(test_client, 'wahwah', default_password)
    assert response.status_code == 401
    assert b"Invalid credentials" in response.data
Exemplo n.º 22
0
def test_login_401_user_dne(test_client, init_database):
    #user does not exist!
    response = test_util.get_auth_response(test_client, 'wahwah', default_password)
    assert response.status_code == 401
    assert b"Bad username or password" in response.data
Exemplo n.º 23
0
def test_login_401_incorrect_password(test_client, init_database):
    response = test_util.get_auth_response(test_client, default_username, 'cawcaw')
    assert response.status_code == 401
    assert b"Bad username or password" in response.data
Exemplo n.º 24
0
def test_login_200_returns_jwt(test_client, init_database):
    response = test_util.get_auth_response(test_client, default_username, default_password)
    assert response.status_code == 200
    assert b"access_token" in response.data
Exemplo n.º 25
0
def test_auth_401_incorrect_password(test_client, init_database):
    response = test_util.get_auth_response(test_client, default_username, 'cawcaw')
    assert response.status_code == 401
    assert b"Invalid credentials" in response.data