def setUp(self):
self._password = faker.password()
self._user = BaseUserFactory()
self._user.set_password(self._password)
self._user.is_active = True
self._user.save()
self._init_secret_key = self._user.secret_key
def setUp(self):
self._username = faker.user_name()
self._password = faker.password()
self._user = BaseUserFactory(username=self._username)
self._user.set_password(self._password)
self._user.is_active = True
self._user.save()
self._url_login = reverse('api:auth:login')
class LogoutTests(TestCase):
def setUp(self):
self.user = BaseUserFactory()
def test_logout_rotates_user_secret_key(self):
key_before = self.user.secret_key
logout(user=self.user)
self.user.refresh_from_db()
self.assertNotEqual(key_before, self.user.secret_key)
def setUp(self):
self._username = faker.user_name()
self._password = faker.password()
self._user = BaseUserFactory(username=self._username)
self._user.set_password(self._password)
self._user.is_active = True
self._user.save()
self._url_login = reverse('api:auth:login')
self._url_logout = reverse('api:auth:logout')
self._url_change_password = reverse('api:auth:change-password')
self._data = {'username': self._username, 'password': self._password}
def setUp(self):
self._username = faker.user_name()
self._password = faker.password()
self._user = BaseUserFactory(username=self._username)
self._user.set_password(self._password)
self._user.is_active = True
self._user.save()
self._init_secret_key = self._user.secret_key
self._url_login = reverse('api:auth:login')
self._url_logout = reverse('api:auth:logout')
self._url_user_detail_url = reverse('api:auth:user-detail')
self._data = {'username': self._username, 'password': self._password}
class TestChangeUserPassword(TestCase):
def setUp(self):
self._password = faker.password()
self._user = BaseUserFactory()
self._user.set_password(self._password)
self._user.is_active = True
self._user.save()
self._init_secret_key = self._user.secret_key
def test_user_cannot_change_password_with_wrong_old_password(self):
with self.assertRaises(ValidationError):
change_user_password(user=self._user,
old_password=faker.password(),
new_password=faker.password())
def test_user_cannot_change_password_with_empty_old_password(self):
with self.assertRaises(ValidationError):
change_user_password(user=self._user,
old_password='',
new_password=faker.password())
def test_user_cannot_change_password_with_empty_new_password(self):
with self.assertRaises(ValidationError):
change_user_password(user=self._user,
old_password=self._password,
new_password='')
def test_user_cannot_change_password_if_account_is_inactive(self):
self._user.is_active = False
self._user.save()
with self.assertRaises(ValidationError):
change_user_password(user=self._user,
old_password=self._password,
new_password=faker.password())
def test_user_can_change_password_with_valid_old_and_new_password_when_active(
self):
new_password = faker.password()
change_user_password(
user=self._user,
old_password=self._password,
new_password=new_password,
)
self._user.refresh_from_db()
self.assertNotEqual(self._init_secret_key, self._user.secret_key)
self.assertTrue(self._user.check_password(new_password))
class TestLogin(APITestCase):
def setUp(self):
self._username = faker.user_name()
self._password = faker.password()
self._user = BaseUserFactory(username=self._username)
self._user.set_password(self._password)
self._user.is_active = True
self._user.save()
self._url_login = reverse('api:auth:login')
def test_user_login_success(self):
data = {
'username': self._username,
'password': self._password
}
res = self.client.post(self._url_login, data=data)
self.assertEqual(res.status_code, status.HTTP_200_OK)
def test_user_login_wrong_username(self):
data = {
'username': faker.user_name,
'password': self._password
}
res = self.client.post(self._url_login, data=data)
self.assertEqual(res.status_code, status.HTTP_400_BAD_REQUEST)
def test_user_login_wrong_password(self):
data = {
'username': self._username,
'password': faker.password()
}
res = self.client.post(self._url_login, data=data)
self.assertEqual(res.status_code, status.HTTP_400_BAD_REQUEST)
def test_user_login_inactive(self):
self._user.is_active = False
self._user.save()
data = {
'username': self._username,
'password': self._password
}
res = self.client.post(self._url_login, data=data)
self.assertEqual(res.status_code, status.HTTP_400_BAD_REQUEST)
def test_user_can_decode_only_own_tokens(self):
response1 = self.client.post(self._url_login, data=self._data)
user = BaseUserFactory()
user.is_active = True
password = faker.password()
user.set_password(password)
user.save()
data = {
'username': user.username,
'password': password,
}
response2 = self.client.post(self._url_login, data=data)
token_user1 = response1.data['token']
token_user2 = response2.data['token']
self.assertNotEqual(token_user1, token_user2)
self.assertNotEqual(self._user.secret_key, user.secret_key)
with self.assertRaises(InvalidSignatureError):
jwt.decode(token_user1, key=str(user.secret_key))
with self.assertRaises(InvalidSignatureError):
jwt.decode(token_user2, key=str(self._user.secret_key))
self.assertEqual(
self._user.username,
jwt.decode(token_user1,
key=str(self._user.secret_key))['username'])
self.assertEqual(
user.username,
jwt.decode(token_user2, key=str(user.secret_key))['username'])
class TestLogout(APITestCase):
def setUp(self):
self._username = faker.user_name()
self._password = faker.password()
self._user = BaseUserFactory(username=self._username)
self._user.set_password(self._password)
self._user.is_active = True
self._user.save()
self._url_login = reverse('api:auth:login')
self._url_logout = reverse('api:auth:logout')
self._data = {
'username': self._username,
'password': self._password
}
def test_logout_with_valid_token(self):
res_login = self.client.post(self._url_login, data=self._data)
token = res_login.data['token']
self.client.credentials(
HTTP_AUTHORIZATION='{0:s} {1:s}'.format(api_settings.JWT_AUTH_HEADER_PREFIX, token)
)
res_logout = self.client.post(self._url_logout)
self.assertEqual(res_logout.status_code, status.HTTP_202_ACCEPTED)
def test_logout_with_invalid_token(self):
res_login = self.client.post(self._url_login, data=self._data)
token = res_login.data['token']
self._user.rotate_secret_key()
self.client.credentials(
HTTP_AUTHORIZATION='{0:s} {1:s}'.format(api_settings.JWT_AUTH_HEADER_PREFIX, token)
)
res_logout = self.client.post(self._url_logout)
self.assertEqual(res_logout.status_code, status.HTTP_401_UNAUTHORIZED)
def setUp(self):
self.user = BaseUserFactory()
class TestChangePassword(APITestCase):
def setUp(self):
self._username = faker.user_name()
self._password = faker.password()
self._user = BaseUserFactory(username=self._username)
self._user.set_password(self._password)
self._user.is_active = True
self._user.save()
self._url_login = reverse('api:auth:login')
self._url_logout = reverse('api:auth:logout')
self._url_change_password = reverse('api:auth:change-password')
self._data = {'username': self._username, 'password': self._password}
@patch('apps.authentication.apis.get_user_data')
def test_logged_out_user_cannot_change_password(self, mock_object):
mock_object.return_value = {}
self._user.is_active = True
self._user.save()
# this should perform login
res_login = self.client.post(self._url_login, data=self._data)
token = res_login.data['token']
# perform logout
self.client.credentials(HTTP_AUTHORIZATION='{0:s} {1:s}'.format(
api_settings.JWT_AUTH_HEADER_PREFIX, token))
self.client.post(self._url_logout)
data = {
"old_password": self._password,
"new_password": faker.password(),
}
# this should perform change password
res_change_pass = self.client.post(self._url_change_password,
data=data)
self.assertEqual(res_change_pass.status_code, 401)
@patch('apps.authentication.apis.get_user_data')
def test_inactive_user_cannot_change_password(self, mock_object):
mock_object.return_value = {}
self._user.is_active = True
self._user.save()
# this should perform login
res_login = self.client.post(self._url_login, data=self._data)
token = res_login.data['token']
self._user.is_active = False
self._user.save()
data = {
'old_password': self._password,
'new_password': faker.password(),
}
# this should perform change password
self.client.credentials(HTTP_AUTHORIZATION='{0:s} {1:s}'.format(
api_settings.JWT_AUTH_HEADER_PREFIX, token))
change_password_response = self.client.post(
self._url_change_password,
data=data,
)
self.assertEqual(change_password_response.status_code, 401)
@patch('apps.authentication.apis.get_user_data')
def test_user_cannot_change_password_with_invalid_token(self, mock_object):
mock_object.return_value = {}
self._user.is_active = True
self._user.save()
# this should perform login
res_login = self.client.post(self._url_login, data=self._data)
token = res_login.data['token']
self._user.rotate_secret_key()
data = {
'old_password': self._password,
'new_password': faker.password(),
}
# this should perform change password
self.client.credentials(HTTP_AUTHORIZATION='{0:s} {1:s}'.format(
api_settings.JWT_AUTH_HEADER_PREFIX, token))
change_password_response = self.client.post(
self._url_change_password,
data=data,
)
self.assertEqual(change_password_response.status_code, 401)
@patch('apps.authentication.apis.get_user_data')
def test_user_cannot_change_password_with_wrong_old_password(
self, mock_object):
mock_object.return_value = {}
self._user.is_active = True
self._user.save()
# this should perform login
res_login = self.client.post(self._url_login, data=self._data)
token = res_login.data['token']
data = {
"old_password": faker.password(),
"new_password": faker.password(),
}
# this should perform change password
self.client.credentials(HTTP_AUTHORIZATION='{0:s} {1:s}'.format(
api_settings.JWT_AUTH_HEADER_PREFIX, token))
change_password_response = self.client.post(
self._url_change_password,
data=data,
)
self.assertEqual(change_password_response.status_code, 400)
@patch('apps.authentication.apis.change_user_password')
@patch('apps.authentication.apis.get_user_data')
def test_active_user_can_change_password_with_valid_token(
self, mock1, mock2):
mock1.return_value = {}
self._user.is_active = True
self._user.save()
# this should perform login
login_response = self.client.post(self._url_login, data=self._data)
token = login_response.data['token']
data = {
"old_password": self._password,
"new_password": faker.password(),
}
# this should perform change password
self.client.credentials(HTTP_AUTHORIZATION='{0:s} {1:s}'.format(
api_settings.JWT_AUTH_HEADER_PREFIX, token))
change_password_response = self.client.post(
self._url_change_password,
data=data,
)
self.assertTrue(mock2.called)
self.assertEqual(change_password_response.status_code, 202)
class TestJwtAuthorization(APITestCase):
def setUp(self):
self._username = faker.user_name()
self._password = faker.password()
self._user = BaseUserFactory(username=self._username)
self._user.set_password(self._password)
self._user.is_active = True
self._user.save()
self._init_secret_key = self._user.secret_key
self._url_login = reverse('api:auth:login')
self._url_logout = reverse('api:auth:logout')
self._url_user_detail_url = reverse('api:auth:user-detail')
self._data = {'username': self._username, 'password': self._password}
def test_user_can_decode_only_own_tokens(self):
response1 = self.client.post(self._url_login, data=self._data)
user = BaseUserFactory()
user.is_active = True
password = faker.password()
user.set_password(password)
user.save()
data = {
'username': user.username,
'password': password,
}
response2 = self.client.post(self._url_login, data=data)
token_user1 = response1.data['token']
token_user2 = response2.data['token']
self.assertNotEqual(token_user1, token_user2)
self.assertNotEqual(self._user.secret_key, user.secret_key)
with self.assertRaises(InvalidSignatureError):
jwt.decode(token_user1, key=str(user.secret_key))
with self.assertRaises(InvalidSignatureError):
jwt.decode(token_user2, key=str(self._user.secret_key))
self.assertEqual(
self._user.username,
jwt.decode(token_user1,
key=str(self._user.secret_key))['username'])
self.assertEqual(
user.username,
jwt.decode(token_user2, key=str(user.secret_key))['username'])
def test_user_access_denied_without_login(self):
res = self.client.get(self._url_user_detail_url)
self.assertEqual(res.status_code, status.HTTP_401_UNAUTHORIZED)
def test_user_can_access_urls_with_token_only_after_login(self):
res = self.client.post(self._url_login, data=self._data)
token = res.data['token']
self.client.credentials(HTTP_AUTHORIZATION='{0:s} {1:s}'.format(
api_settings.JWT_AUTH_HEADER_PREFIX, token))
res = self.client.get(self._url_user_detail_url)
self.assertEqual(res.status_code, status.HTTP_200_OK)
self.assertEqual(res.data['username'], self._user.username)
def test_user_cannot_use_old_token_after_logout(self):
res = self.client.post(self._url_login, data=self._data)
token = res.data['token']
# performs logout with jwt
self.client.credentials(HTTP_AUTHORIZATION='{0:s} {1:s}'.format(
api_settings.JWT_AUTH_HEADER_PREFIX, token))
self.client.post(self._url_logout)
response = self.client.get(self._url_user_detail_url)
self.assertEqual(response.status_code, 401)
def test_user_gets_new_user_secret_key_after_logout(self):
res = self.client.post(self._url_login, data=self._data)
token = res.data['token']
# performs logout with jwt
self.client.credentials(HTTP_AUTHORIZATION='{0:s} {1:s}'.format(
api_settings.JWT_AUTH_HEADER_PREFIX, token))
self.client.post(self._url_logout)
self._user.refresh_from_db()
self.assertNotEqual(self._init_secret_key, self._user.secret_key)