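def test_replay_attacks_do_not_succeed(self):
    """Re-submitting an already-used +openid-callback URL must not log in.

    Completes a real login through the OpenID flow, then replays the exact
    callback URL (captured in ``urls_redirected_to``) from a second browser
    that shares no cookies with the first. The replay must leave that
    browser logged out and show the nonce error, so a captured callback URL
    cannot be reused to obtain a session.
    """
    browser = Browser(mech_browser=MyMechanizeBrowser())
    browser.open('%s/+login' % self.layer.appserver_root_url())
    # On a JS-enabled browser this page would've been auto-submitted
    # (thanks to the onload handler), but here we have to do it manually.
    self.assertIn('body onload', browser.contents)
    browser.getControl('Continue').click()
    self.assertEqual('Login', browser.title)
    fill_login_form_and_submit(browser, '*****@*****.**')
    login_status = extract_text(
        find_tag_by_id(browser.contents, 'logincontrol'))
    self.assertIn('Sample Person (name12)', login_status)

    # Now we look up (in urls_redirected_to) the +openid-callback URL that
    # was used to complete the authentication and open it on a different
    # browser with a fresh set of cookies.
    callback_urls = [
        url for url in urls_redirected_to if '+openid-callback' in url]
    # Exactly one callback must have been recorded. An explicit assertion
    # gives a readable failure; a bare single-element unpacking would raise
    # ValueError instead (and the old assertIsNot(None, ...) could never
    # fail once the unpacking had succeeded).
    self.assertEqual(1, len(callback_urls), callback_urls)
    callback_url = callback_urls[0]
    replay_browser = Browser()
    replay_browser.open(callback_url)
    login_status = extract_text(
        find_tag_by_id(replay_browser.contents, 'logincontrol'))
    self.assertEqual('Log in / Register', login_status)
    # The replayed nonce must be rejected visibly, not silently ignored.
    errors = find_tags_by_class(replay_browser.contents, 'error')
    self.assertTrue(
        len(errors) > 0, 'No error was shown for the replayed callback.')
    self.assertEqual(
        'Nonce already used or out of range', extract_text(errors[0]))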
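def test_realm_for_mainsite(self):
    """The OpenID realm sent from the main site is the site's root URL.

    The +login page renders a hidden form that a JS-enabled browser would
    auto-submit; without JS the form stays in place, so its ``openid.realm``
    field can be read directly and compared with ``browser.rooturl``.
    """
    browser = Browser()
    browser.open('%s/+login' % self.layer.appserver_root_url())
    # At this point browser.contents contains a hidden form which would've
    # been auto-submitted if we had in-browser JS support, but since we
    # don't we can easily inspect what's in the form.
    realm = browser.getControl(name='openid.realm').value
    self.assertEqual('%s/' % browser.rooturl, realm)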