def test_login_with_2fa_enabled(test_client, init_database): sign_in(test_client, "dave", "wselfknskjdksdaiujlj") otp_token = enable_user_2fa(test_client) delete_session_cookie(test_client) sign_in(test_client, "dave", "wselfknskjdksdaiujlj") assert (b"Please log in to access this page." in test_client.get("/settings", follow_redirects=True).data) otp_code = pyotp.TOTP(otp_token).now() twofa_response = send_otp_code(test_client, otp_code) assert b"Hello, dave" in twofa_response.data delete_session_cookie(test_client) old_otp_code = generate_otp_token_at(otp_token, 71) login_send_old_otp_code_response = send_otp_code(test_client, old_otp_code) assert b"Hello, dave" not in login_send_old_otp_code_response.data delete_session_cookie(test_client) previous_last_otp_code = generate_otp_token_at(otp_token, 37) login_send_previous_last_otp_code_response = send_otp_code( test_client, previous_last_otp_code) # assert b"Hello, dave" in login_send_previous_last_otp_code_response.data # The above and below assert result is dependent from test run time delete_session_cookie(test_client) future_otp_code = pyotp.TOTP(otp_token).at(datetime.now() + timedelta(seconds=23)) login_send_future_otp_code_response = send_otp_code( test_client, future_otp_code)
def test_remember_me_with_2fa_enabled(test_client, init_database): sign_in(test_client, "dave", "wselfknskjdksdaiujlj") otp_token = enable_user_2fa(test_client) delete_session_cookie(test_client) sign_in_remember(test_client, "dave", "wselfknskjdksdaiujlj") otp_code = pyotp.TOTP(otp_token).now() send_otp_code(test_client, otp_code) delete_session_cookie(test_client) index_response = test_client.get("/") assert b"Hello, dave" in index_response.data
def test_disable_2fa_fresh_session(test_client, init_database): sign_in(test_client, "dave", "wselfknskjdksdaiujlj") otp_token = enable_user_2fa(test_client) delete_session_cookie(test_client) sign_in(test_client, "dave", "wselfknskjdksdaiujlj") otp_code = pyotp.TOTP(otp_token).now() send_otp_code(test_client, otp_code) index_response = test_client.get("/") assert b"Hello, dave" in index_response.data response = deactivate_2fa(test_client) assert b"Deactivated 2FA" in response.data
def test_webauthn_register_new_key(test_client, init_database): sign_in_response = sign_in(test_client, "dave", "wselfknskjdksdaiujlj") device = SoftWebauthnDevice() begin_register_response = test_client.post("/webauthn/register/begin", data=json.dumps( {"resident": False})) pkcco = cbor.decode(begin_register_response.data) attestation = device.create(pkcco, f"https://{TestConfig.RP_ID}") attestation_data = cbor.encode({ "clientDataJSON": attestation["response"]["clientDataJSON"], "attestationObject": attestation["response"]["attestationObject"], }) raw_response = test_client.post( "/webauthn/register/complete", input_stream=BytesIO(attestation_data), content_type="application/cbor", ) registration_response = cbor.decode(raw_response.data) assert registration_response == {"status": "OK"} user = User.query.filter_by(username="******").first() webauthn = Webauthn.query.filter_by(user_id=user.did).first() assert webauthn assert webauthn.number == 1 assert webauthn.is_enabled is False
def test_webauthn_delete_key(test_client, init_database): sign_in_response = sign_in(test_client, "oliver", "2398wqshjduiwd8932") user = User.query.filter_by(username="******").first() key = ( Key.query.filter_by(user_id=user.did).filter_by( credential_id="notrealbutnecessarytodelete".encode() ) ).first() assert key is not None delete_key_response = delete_key( test_client, data={ "credential_id": binascii.b2a_hex(key.credential_id), "key_name": "MyKey with spaces", }, ) key = ( Key.query.filter_by(user_id=user.did) .filter_by( credential_id=binascii.b2a_hex(b"notrealbutnecessarytodelete") ) .first() ) assert key is None
def test_disable_2fa_non_fresh_session(test_client, init_database): sign_in(test_client, "dave", "wselfknskjdksdaiujlj") otp_token = enable_user_2fa(test_client) delete_session_cookie(test_client) sign_in_remember(test_client, "dave", "wselfknskjdksdaiujlj") otp_code = pyotp.TOTP(otp_token).now() send_otp_code(test_client, otp_code) delete_session_cookie(test_client) index_response = test_client.get("/") assert b"Hello, dave" in index_response.data deactivate_2fa_first_response = deactivate_2fa(test_client) assert ( b"To protect your account, please reauthenticate to access this page." in deactivate_2fa_first_response.data) refresh_session(test_client, "wselfknskjdksdaiujlj") deactivate_2fa_second_response = deactivate_2fa(test_client) assert b"Deactivated 2FA" in deactivate_2fa_second_response.data
def test_login_without_2fa(test_client, init_database): login_response = sign_in( test_client, "non_existing_user_hasjdbhjbsdjmhd", "doisajcklanms632dxmsandu5r4iwe", ) assert (b"Hello, non_existing_user_hasjdbhjbsdjmhd" not in login_response.data)
def test_webauthn_activate_not_enough_keys(test_client, init_database): delete_session_cookie(test_client) sign_in_response = sign_in(test_client, "thomas", "qghjoiwjiklwek") activate_webautn_response = activate_webauthn(test_client) assert b"register" in activate_webautn_response.data user = User.query.filter_by(username="******").first() webauthn = Webauthn.query.filter_by(user_id=user.did).first() assert webauthn.is_enabled is False
def test_bruteforce_otp_code(test_client, init_database): sign_in(test_client, "dave", "wselfknskjdksdaiujlj") otp_token = enable_user_2fa(test_client) delete_session_cookie(test_client) sign_in(test_client, "dave", "wselfknskjdksdaiujlj") for _ in range(3): response = send_otp_code(test_client, "invalid") assert response.status_code == 200 for _ in range(5): response = send_otp_code(test_client, "invalid") assert response.status_code == 401 otp_code = pyotp.TOTP(otp_token).now() valid_otp_code_response = send_otp_code(test_client, otp_code) assert valid_otp_code_response.status_code == 401 index_response = test_client.get("/", follow_redirects=True) assert b"Hello, dave" not in index_response.data
def test_webauthn_activate_enough_keys(test_client, init_database): delete_session_cookie(test_client) sign_in_response = sign_in(test_client, "anna", "ukehjwqbjhwqkbejw") activate_webautn_response = activate_webauthn(test_client) assert b"Enabled" in activate_webautn_response.data user = User.query.filter_by(username="******").first() webauthn = Webauthn.query.filter_by(user_id=user.did).first() assert webauthn.is_enabled is True
def test_register_and_login(test_client, init_database): register_response = register( test_client, "bob", "*****@*****.**", "bob_roccat867", "bob_roccat867", ) assert (b"Congratulations, you are now a registered user!" in register_response.data) sign_in_response = sign_in(test_client, "bob", "bob_roccat867") assert b"Hello, bob" in sign_in_response.data assert b"Invalid username or password" not in sign_in_response.data
def test_webauthn_deactivate(test_client, init_database): sign_in_response = sign_in(test_client, "oliver", "2398wqshjduiwd8932") user = User.query.filter_by(username="******").first() webauthn = Webauthn.query.filter_by(user_id=user.did).first() webauthn.is_enabled = True init_database.session.add(webauthn) init_database.session.commit() got_webauthn = Webauthn.query.filter_by(user_id=user.did).first() assert got_webauthn.is_enabled is True deactivate_webautn_response = deactivate_webauthn(test_client) assert b"Deactivated" in deactivate_webautn_response.data webauthn = Webauthn.query.filter_by(user_id=user.did).first() assert webauthn.is_enabled is False
def test_webauthn_authenticate(test_client, init_database): sign_in_response = sign_in(test_client, "jennie", "9df1c362e4df3e51edd1acde9") device = SoftWebauthnDevice() user = User.query.filter_by(username="******").first() webauthn = Webauthn.query.filter_by(user_id=user.did).first() user_handle = webauthn.user_identifier device.cred_init(TestConfig.RP_ID, user_handle) device.private_key = KeyList.priv_one user5_first_security_key_public_key = ES256.from_cryptography_key( device.private_key.public_key()) key = (Key.query.filter_by(user_id=user.did).filter_by( public_key=cbor.encode(user5_first_security_key_public_key)).first()) device.credential_id = key.credential_id pkcro = cbor.decode(test_client.post("/webauthn/authenticate/begin").data) assertion = device.get(pkcro, f"https://{TestConfig.RP_ID}") assertion_data = cbor.encode({ "credentialId": assertion["rawId"], "clientDataJSON": assertion["response"]["clientDataJSON"], "authenticatorData": assertion["response"]["authenticatorData"], "signature": assertion["response"]["signature"], "userHandle": assertion["response"]["userHandle"], }) raw_response = test_client.post( "/webauthn/authenticate/complete", input_stream=BytesIO(assertion_data), content_type="application/cbor", ) authentication_response = cbor.decode(raw_response.data) assert authentication_response == {"status": "OK"} settings_response = test_client.get("/settings") assert settings_response.status_code == 200
def test_webauthn_name_key(test_client, init_database): sign_in_response = sign_in(test_client, "oliver", "2398wqshjduiwd8932") user = User.query.filter_by(username="******").first() # It doesn't matter name of which key we will change key = Key.query.filter_by(user_id=user.did).first() assert key.name == "Key 1" name_key_response = name_key( test_client, data={ "credential_id": binascii.b2a_hex(key.credential_id), "key_name": "MyKey with spaces", }, ) key = Key.query.filter_by(user_id=user.did).first() assert key.name == "MyKey with spaces"
def test_webauthn_get_keys_list(test_client, init_database): sign_in_response = sign_in(test_client, "oliver", "2398wqshjduiwd8932") user = User.query.filter_by(username="******").first() keys_list_response = get_keys_list(test_client) keys_list = keys_list_response.data parsed_keys_list = json.loads(keys_list) first_key_credential_id_hex = list(parsed_keys_list)[0] first_key = ( Key.query.filter_by(user_id=user.did) .filter_by(credential_id=binascii.a2b_hex(first_key_credential_id_hex)) .first() ) assert first_key is not None assert parsed_keys_list[first_key_credential_id_hex]["name"] is not None assert ( parsed_keys_list[first_key_credential_id_hex]["last_access"] is not None )
def test_login_taken_username(test_client, init_database): delete_session_cookie(test_client) response = sign_in(test_client, "straw_berry", "aabbccdd") assert b"Invalid username or password" in response.data
def test_login_without_2fa(test_client, init_database): delete_session_cookie(test_client) sign_in_response = sign_in(test_client, "straw_berry", "[email protected]<") assert b"Hello, straw_berry" in sign_in_response.data
def test_logout(test_client, init_database): sign_in(test_client, "straw_berry", "[email protected]<") logout_response = test_client.get("/auth/logout", follow_redirects=False) cookie_header = logout_response.headers.get("Set-Cookie") assert "session=;" in cookie_header