def test_new_session(setup):
username = "******"
session = Session.new_session(username)
assert session.user.username == username
assert not session.expired()
setup.session.add(session)
setup.session.commit()
session = Session.get_by_id(session.id)
assert session.user.username == username
def test_session_role(setup):
sess_admin = Session.new_session("admin")
setup.session.add(sess_admin)
sess_lib = Session.new_session("lib")
setup.session.add(sess_lib)
sess_reader = Session.new_session("reader")
setup.session.add(sess_reader)
setup.session.commit()
assert sess_admin.user.role == "admin"
assert sess_lib.user.role == "librarian"
assert sess_reader.user.role == "reader"
def wrapper(*args, **kwargs):
parser = reqparse.RequestParser()
parser.add_argument('session-id', location='cookies')
try:
req = kwargs["testing_request"]
except KeyError:
req = None
parsed_args = parser.parse_args(req)
sess_id = parsed_args["session-id"]
if sess_id == None:
return error("Not authorized", 401)
try:
sess = Session.get_by_id(sess_id)
except ValueError:
return error("Not authorized", 401)
except Exception as e:
return error(str(e), 400)
kwargs["session"] = sess
return f(*args, **kwargs)
def post(self):
parser = reqparse.RequestParser()
parser.add_argument("username",
required=True,
location='headers',
help="Username is required")
parser.add_argument("password",
required=True,
location='headers',
help="Password is required")
args = parser.parse_args()
username = args["username"]
password = args["password"]
try:
user = User.get_by_username(username)
if not user.check_password(password):
raise ValueError
except ValueError:
return error("Username and/or password is incorrect.", 401)
sess = Session.new_session(username)
db.session.add(sess)
db.session.commit()
header = {"Set-Cookie": f"session-id={sess.id}"}
return sess.json(), 200, header
def test_expired_session(setup):
username = "******"
time = datetime.now() - timedelta(hours=2)
session = Session.new_session(username, time)
setup.session.add(session)
setup.session.commit()
with pytest.raises(ValueError):
assert session.get_by_id(session.id)
def test_user_backref(setup):
username = "******"
session = Session.new_session(username)
setup.session.add(session)
setup.session.commit()
user = User.get_by_username(username)
ids = [session.id for session in user.sessions]
assert session.id in ids
def test_auth_success(setup, mocker):
username = "******"
role = "admin"
sess = Session.new_session("admin")
setup.session.add(sess)
setup.session.commit()
request = mocker.patch.object(flask, "request")
request.cookies = {"session-id": sess.id}
def inner_func(username, role, sessid, **kwargs):
sess = kwargs["session"]
assert sess.user.username == username
assert sess.user.role == role
assert sess.id == sessid
wrapped_func = authenticated(inner_func)
wrapped_func(username, role, sess.id, testing_request=request)
def test_auth_faliure(setup, mocker):
username = "******"
role = "admin"
expire = datetime.now() + timedelta(hours=-3)
sess = Session.new_session("admin", expire)
setup.session.add(sess)
setup.session.commit()
request = mocker.patch.object(flask, "request")
request.cookies = {"session-id": sess.id}
def inner_func(**kwargs):
assert not 1 == 1 #This inner func should not be called
wrapped_func = authenticated(inner_func)
resp, code, headers = wrapped_func(username,
role,
sess.id,
testing_request=request)
assert "error" in resp.keys()
assert code == 401
def save():
username = "******"
user_id = 0
if g.user.is_authenticated:
username = g.user.username
user_id = g.user.id
if user_id == 0 and not app.config['ALLOW_UNAUTHENTICATED_USER_SAVE_LOAD']:
return make_response(jsonify({'errors': True, 'msg': 'Unauthenticated user'}), 401)
try:
data = json.loads(request.data)
except ValueError:
return make_response(jsonify({'errors': True, 'msg': 'No posted data or posted data not readable'}), 400)
# Create object in db
session_id = request.args.get('sid', None)
if not is_valid_uuid(session_id):
session_id = None # Session id comes from demo session, we create new version with new id
if session_id is not None:
instance = Session.query.filter_by(id=session_id).first()
if not instance:
return make_response(jsonify({'errors': True, 'msg': 'Session not found'}), 400)
# If user is not the same as the one that created the session, add a new id and update
# existing user id (this will effectively create a new session object)
if user_id != instance.user_id:
session_id = str(uuid.uuid4())
instance.id = session_id
instance.user_id = user_id
else:
# Should create a new session
session_id = str(uuid.uuid4())
instance = Session(id=session_id, user_id=user_id)
instance.created = datetime.datetime.utcnow()
data['session']['author'] = username
if data['session']['name']:
session_name = data['session']['name']
else:
n_existing_sessions = Session.query.filter_by(user_id=user_id).count()
session_name = 'Untitled session #%i' % (n_existing_sessions + 1)
data['session']['name'] = session_name
instance.name = session_name
instance.last_modified = datetime.datetime.utcnow()
db_session.add(instance)
db_session.commit()
file_dir = '%s/%i' % (app.config['SESSIONS_FOLDER_PATH'], user_id)
file_path = '%s/%s.json' % (file_dir, session_id)
if os.path.exists(file_path):
file_contents = json.load(open(file_path, 'r'))
else:
file_contents = {
'id': session_id,
'username': username,
'data': [],
'created': datetime.datetime.now().isoformat(),
}
file_contents['lastModified'] = datetime.datetime.now().isoformat()
file_contents['data'] = data
# Save session file
if not os.path.exists(file_dir):
os.mkdir(file_dir)
json.dump(file_contents, open(file_path, 'w'), indent=4)
return make_response(jsonify(
{'errors': False, 'sessionName': session_name, 'sessionID': session_id }), 200)