def test_invalid_token(app, client):
    """A non-JWT access token must be refused by the refresh endpoint, whatever the refresh token's state.

    Two POSTs are made to ``/token/refresh_access_token`` with the same garbage
    access token (``"asdfasdfasfd"``) and the same CSRF cookie/header pair:

    1. with the refresh token already expired (``expires_at`` one minute in the
       past) -> 401, message ``"invalid token provided"``;
    2. after the same refresh-token row has its expiry pushed seven days out
       -> 401, message ``"compromised tokens"``.

    Uses the project's ``app``/``client`` fixtures and the ``User`` /
    ``RefreshToken`` models.
    """
    endpoint = "/token/refresh_access_token"
    bogus_access = "asdfasdfasfd"

    def install_cookies(csrf, refresh):
        # The CSRF value is sent both as a cookie and as a header
        # (double-submit); all three cookies are marked httponly, as the
        # real login flow does.
        client.set_cookie("localhost", "x-csrf-token", csrf, httponly=True)
        client.set_cookie("localhost", "access_token", bogus_access, httponly=True)
        client.set_cookie("localhost", "refresh_token", refresh, httponly=True)
        return {"x-csrf-token": csrf}

    with app.app_context():
        account = User(username="******", email="*****@*****.**", password="******")
        db.session.add(account)
        stale = RefreshToken(
            token=str(uuid4()),
            user_id=account.username,
            mapped_token=bogus_access,
            # Already expired when the first request is made.
            expires_at=datetime.utcnow() - timedelta(seconds=60),
        )
        db.session.add(stale)
        db.session.commit()
        token_value = stale.token

    first = client.post(endpoint, headers=install_cookies(generate_csrf_token(), token_value))
    assert first.status_code == 401
    assert first.get_json()["message"] == "invalid token provided"

    with app.app_context():
        # Same row, now with a valid (future) expiry; the access token is
        # still garbage, so the refresh must still be rejected.
        row = RefreshToken.first(token=token_value)
        row.expires_at = datetime.utcnow() + timedelta(days=7)
        db.session.commit()
        token_value = row.token

    second = client.post(endpoint, headers=install_cookies(generate_csrf_token(), token_value))
    assert second.status_code == 401
    assert second.get_json()["message"] == "compromised tokens"
def test_logout(app, client):
    """Logging out must clear every auth cookie that login issued.

    Flow: create a user, log in through ``/auth/login`` to obtain the real
    ``access_token`` and ``refresh_token`` cookies, replay them together with a
    CSRF cookie/header pair against ``/auth/logout``, and check that the logout
    response carries none of the three cookies (``get_cookie`` is falsy for
    each).

    NOTE(review): only the cookies on the logout response are inspected;
    whether the refresh token is also revoked server-side is not asserted
    here -- confirm against the logout handler / a follow-up refresh attempt.
    """
    with app.app_context():
        db.session.add(User(username="******", email="*****@*****.**", password="******"))
        db.session.commit()

    login = client.post("/auth/login", data={"id": "test", "password": "******"})
    csrf = generate_csrf_token()
    issued = {
        "access_token": get_cookie(login, "access_token"),
        "refresh_token": get_cookie(login, "refresh_token"),
    }

    # Replay the issued cookies (plus the CSRF cookie) as a browser would.
    client.set_cookie("localhost", "x-csrf-token", csrf, httponly=True)
    for name in ("access_token", "refresh_token"):
        client.set_cookie("localhost", name, issued[name], httponly=True)

    logout = client.post("/auth/logout", headers={"x-csrf-token": csrf})
    assert logout.status_code == 200
    for name in ("access_token", "refresh_token", "x-csrf-token"):
        assert not get_cookie(logout, name)
def test_revoked_refresh_token(app, client):
    """A revoked refresh token must not mint a new access token.

    The access token is a real JWT signed with the app's ``JWT_SECRET`` /
    ``JWT_ALGORITHM`` but already expired (``timedelta(seconds=-60)``), so the
    only thing that could let the refresh succeed is the refresh token -- and
    that row is stored with ``revoked=True``.  The endpoint must answer 401
    with message ``"compromised tokens"``.
    """
    with app.app_context():
        owner = User(username="******", email="*****@*****.**", password="******")
        db.session.add(owner)
        expired_jwt = encode_jwt(
            app.config["JWT_SECRET"],
            app.config["JWT_ALGORITHM"],
            timedelta(seconds=-60),
            {"user_id": owner.username},
        )
        revoked = RefreshToken(
            token=str(uuid4()),
            user_id=owner.username,
            mapped_token=expired_jwt,
            revoked=True,
        )
        db.session.add(revoked)
        db.session.commit()
        refresh_value = revoked.token

    csrf = generate_csrf_token()
    # Same cookie order as the other refresh tests: access, refresh, then CSRF.
    for name, value in (
        ("access_token", expired_jwt),
        ("refresh_token", refresh_value),
        ("x-csrf-token", csrf),
    ):
        client.set_cookie("localhost", name, value, httponly=True)

    reply = client.post("/token/refresh_access_token", headers={"x-csrf-token": csrf})
    assert reply.status_code == 401
    assert reply.get_json()["message"] == "compromised tokens"