def test_invalid_token(app, client):
    """Refreshing with a garbage access token must be rejected in both states.

    Phase 1: the stored refresh token is already expired and the access-token
    cookie is an arbitrary non-JWT string -> 401 "invalid token provided".
    Phase 2: the same refresh token is made valid again (expiry 7 days out)
    and the request is repeated with the same bogus access token -> still
    401, now reported as "compromised tokens".

    Every request carries the double-submit CSRF token both as a cookie and
    as the ``x-csrf-token`` header, so the 401s come from token validation,
    not from CSRF rejection.
    """
    bogus_access_token = "asdfasdfasfd"

    def _send_refresh_request(refresh_value):
        # A fresh CSRF value per request; cookie and header must carry the
        # same string for the double-submit check to pass.
        csrf = generate_csrf_token()
        client.set_cookie("localhost", "x-csrf-token", csrf, httponly=True)
        client.set_cookie("localhost", "access_token", bogus_access_token,
                          httponly=True)
        client.set_cookie("localhost", "refresh_token", refresh_value,
                          httponly=True)
        return client.post("/token/refresh_access_token",
                           headers={"x-csrf-token": csrf})

    # --- phase 1: expired refresh token paired with an unparsable access token
    with app.app_context():
        user = User(username="******", email="*****@*****.**", password="******")
        db.session.add(user)
        stored = RefreshToken(token=str(uuid4()),
                              user_id=user.username,
                              mapped_token=bogus_access_token,
                              # already expired one minute ago
                              expires_at=datetime.utcnow() - timedelta(seconds=60))
        db.session.add(stored)
        db.session.commit()
        # Keep only the plain string: the ORM object is detached once the
        # app context closes.
        refresh_value = stored.token

    response = _send_refresh_request(refresh_value)
    assert response.status_code == 401
    assert response.get_json()["message"] == "invalid token provided"

    # --- phase 2: same refresh token, now unexpired; access token still bogus
    with app.app_context():
        stored = RefreshToken.first(token=refresh_value)
        stored.expires_at = datetime.utcnow() + timedelta(days=7)
        db.session.commit()
        refresh_value = stored.token

    response = _send_refresh_request(refresh_value)
    assert response.status_code == 401
    assert response.get_json()["message"] == "compromised tokens"
def test_logout(app, client):
    """Logging out must clear every auth cookie the login issued.

    Creates a user, logs in through ``/auth/login``, replays the returned
    access/refresh cookies together with a double-submit CSRF token against
    ``/auth/logout``, and asserts a 200 whose response carries no
    ``access_token``, ``refresh_token`` or ``x-csrf-token`` cookie.
    """
    with app.app_context():
        db.session.add(User(username="******", email="*****@*****.**", password="******"))
        db.session.commit()

    login = client.post("/auth/login",
                        data={"id": "test", "password": "******"})

    # Forward the cookies login handed out, plus a fresh CSRF token that is
    # sent both as cookie and header.
    csrf = generate_csrf_token()
    issued = {
        "x-csrf-token": csrf,
        "access_token": get_cookie(login, "access_token"),
        "refresh_token": get_cookie(login, "refresh_token"),
    }
    for name, value in issued.items():
        client.set_cookie("localhost", name, value, httponly=True)

    logout = client.post("/auth/logout", headers={"x-csrf-token": csrf})

    assert logout.status_code == 200
    # get_cookie is expected to be falsy for a cookie that was cleared or
    # never set on the logout response.
    for name in ("access_token", "refresh_token", "x-csrf-token"):
        assert not get_cookie(logout, name)
def test_revoked_refresh_token(app, client):
    """A revoked refresh token must not mint a new access token.

    Seeds a user with an already-expired JWT (``exp`` 60 s in the past)
    mapped to a refresh token flagged ``revoked=True``, sends both cookies
    with a valid double-submit CSRF token to ``/token/refresh_access_token``,
    and expects a 401 "compromised tokens" reply.
    """
    with app.app_context():
        user = User(username="******", email="*****@*****.**", password="******")
        db.session.add(user)
        # Negative lifetime -> token is expired at creation. Presumably this
        # mirrors a real refresh, where the access token has already lapsed;
        # the test does not depend on that reading.
        expired_jwt = encode_jwt(app.config["JWT_SECRET"],
                                 app.config["JWT_ALGORITHM"],
                                 timedelta(seconds=-60),
                                 {"user_id": user.username})
        revoked = RefreshToken(token=str(uuid4()),
                               user_id=user.username,
                               mapped_token=expired_jwt,
                               revoked=True)
        db.session.add(revoked)
        db.session.commit()
        # Plain string only; the ORM instance is detached outside the context.
        refresh_value = revoked.token

    for name, value in (("access_token", expired_jwt),
                        ("refresh_token", refresh_value)):
        client.set_cookie("localhost", name, value, httponly=True)

    # Double-submit CSRF: same value as cookie and as request header.
    csrf = generate_csrf_token()
    client.set_cookie("localhost", "x-csrf-token", csrf, httponly=True)

    response = client.post("/token/refresh_access_token",
                           headers={"x-csrf-token": csrf})

    assert response.status_code == 401
    assert response.get_json()["message"] == "compromised tokens"