def test_login_with_2fa_enabled(test_client, init_database):
sign_in(test_client, "dave", "wselfknskjdksdaiujlj")
otp_token = enable_user_2fa(test_client)
delete_session_cookie(test_client)
sign_in(test_client, "dave", "wselfknskjdksdaiujlj")
assert (b"Please log in to access this page."
in test_client.get("/settings", follow_redirects=True).data)
otp_code = pyotp.TOTP(otp_token).now()
twofa_response = send_otp_code(test_client, otp_code)
assert b"Hello, dave" in twofa_response.data
delete_session_cookie(test_client)
old_otp_code = generate_otp_token_at(otp_token, 71)
login_send_old_otp_code_response = send_otp_code(test_client, old_otp_code)
assert b"Hello, dave" not in login_send_old_otp_code_response.data
delete_session_cookie(test_client)
previous_last_otp_code = generate_otp_token_at(otp_token, 37)
login_send_previous_last_otp_code_response = send_otp_code(
test_client, previous_last_otp_code)
# assert b"Hello, dave" in login_send_previous_last_otp_code_response.data
# The above and below assert result is dependent from test run time
delete_session_cookie(test_client)
future_otp_code = pyotp.TOTP(otp_token).at(datetime.now() +
timedelta(seconds=23))
login_send_future_otp_code_response = send_otp_code(
test_client, future_otp_code)
def test_remember_me_with_2fa_enabled(test_client, init_database):
sign_in(test_client, "dave", "wselfknskjdksdaiujlj")
otp_token = enable_user_2fa(test_client)
delete_session_cookie(test_client)
sign_in_remember(test_client, "dave", "wselfknskjdksdaiujlj")
otp_code = pyotp.TOTP(otp_token).now()
send_otp_code(test_client, otp_code)
delete_session_cookie(test_client)
index_response = test_client.get("/")
assert b"Hello, dave" in index_response.data
def test_disable_2fa_fresh_session(test_client, init_database):
sign_in(test_client, "dave", "wselfknskjdksdaiujlj")
otp_token = enable_user_2fa(test_client)
delete_session_cookie(test_client)
sign_in(test_client, "dave", "wselfknskjdksdaiujlj")
otp_code = pyotp.TOTP(otp_token).now()
send_otp_code(test_client, otp_code)
index_response = test_client.get("/")
assert b"Hello, dave" in index_response.data
response = deactivate_2fa(test_client)
assert b"Deactivated 2FA" in response.data
def test_webauthn_register_new_key(test_client, init_database):
sign_in_response = sign_in(test_client, "dave", "wselfknskjdksdaiujlj")
device = SoftWebauthnDevice()
begin_register_response = test_client.post("/webauthn/register/begin",
data=json.dumps(
{"resident": False}))
pkcco = cbor.decode(begin_register_response.data)
attestation = device.create(pkcco, f"https://{TestConfig.RP_ID}")
attestation_data = cbor.encode({
"clientDataJSON":
attestation["response"]["clientDataJSON"],
"attestationObject":
attestation["response"]["attestationObject"],
})
raw_response = test_client.post(
"/webauthn/register/complete",
input_stream=BytesIO(attestation_data),
content_type="application/cbor",
)
registration_response = cbor.decode(raw_response.data)
assert registration_response == {"status": "OK"}
user = User.query.filter_by(username="******").first()
webauthn = Webauthn.query.filter_by(user_id=user.did).first()
assert webauthn
assert webauthn.number == 1
assert webauthn.is_enabled is False
def test_webauthn_delete_key(test_client, init_database):
sign_in_response = sign_in(test_client, "oliver", "2398wqshjduiwd8932")
user = User.query.filter_by(username="******").first()
key = (
Key.query.filter_by(user_id=user.did).filter_by(
credential_id="notrealbutnecessarytodelete".encode()
)
).first()
assert key is not None
delete_key_response = delete_key(
test_client,
data={
"credential_id": binascii.b2a_hex(key.credential_id),
"key_name": "MyKey with spaces",
},
)
key = (
Key.query.filter_by(user_id=user.did)
.filter_by(
credential_id=binascii.b2a_hex(b"notrealbutnecessarytodelete")
)
.first()
)
assert key is None
def test_disable_2fa_non_fresh_session(test_client, init_database):
sign_in(test_client, "dave", "wselfknskjdksdaiujlj")
otp_token = enable_user_2fa(test_client)
delete_session_cookie(test_client)
sign_in_remember(test_client, "dave", "wselfknskjdksdaiujlj")
otp_code = pyotp.TOTP(otp_token).now()
send_otp_code(test_client, otp_code)
delete_session_cookie(test_client)
index_response = test_client.get("/")
assert b"Hello, dave" in index_response.data
deactivate_2fa_first_response = deactivate_2fa(test_client)
assert (
b"To protect your account, please reauthenticate to access this page."
in deactivate_2fa_first_response.data)
refresh_session(test_client, "wselfknskjdksdaiujlj")
deactivate_2fa_second_response = deactivate_2fa(test_client)
assert b"Deactivated 2FA" in deactivate_2fa_second_response.data
def test_login_without_2fa(test_client, init_database):
login_response = sign_in(
test_client,
"non_existing_user_hasjdbhjbsdjmhd",
"doisajcklanms632dxmsandu5r4iwe",
)
assert (b"Hello, non_existing_user_hasjdbhjbsdjmhd"
not in login_response.data)
def test_webauthn_activate_not_enough_keys(test_client, init_database):
delete_session_cookie(test_client)
sign_in_response = sign_in(test_client, "thomas", "qghjoiwjiklwek")
activate_webautn_response = activate_webauthn(test_client)
assert b"register" in activate_webautn_response.data
user = User.query.filter_by(username="******").first()
webauthn = Webauthn.query.filter_by(user_id=user.did).first()
assert webauthn.is_enabled is False
def test_bruteforce_otp_code(test_client, init_database):
sign_in(test_client, "dave", "wselfknskjdksdaiujlj")
otp_token = enable_user_2fa(test_client)
delete_session_cookie(test_client)
sign_in(test_client, "dave", "wselfknskjdksdaiujlj")
for _ in range(3):
response = send_otp_code(test_client, "invalid")
assert response.status_code == 200
for _ in range(5):
response = send_otp_code(test_client, "invalid")
assert response.status_code == 401
otp_code = pyotp.TOTP(otp_token).now()
valid_otp_code_response = send_otp_code(test_client, otp_code)
assert valid_otp_code_response.status_code == 401
index_response = test_client.get("/", follow_redirects=True)
assert b"Hello, dave" not in index_response.data
def test_webauthn_activate_enough_keys(test_client, init_database):
delete_session_cookie(test_client)
sign_in_response = sign_in(test_client, "anna", "ukehjwqbjhwqkbejw")
activate_webautn_response = activate_webauthn(test_client)
assert b"Enabled" in activate_webautn_response.data
user = User.query.filter_by(username="******").first()
webauthn = Webauthn.query.filter_by(user_id=user.did).first()
assert webauthn.is_enabled is True
def test_register_and_login(test_client, init_database):
register_response = register(
test_client,
"bob",
"*****@*****.**",
"bob_roccat867",
"bob_roccat867",
)
assert (b"Congratulations, you are now a registered user!"
in register_response.data)
sign_in_response = sign_in(test_client, "bob", "bob_roccat867")
assert b"Hello, bob" in sign_in_response.data
assert b"Invalid username or password" not in sign_in_response.data
def test_webauthn_deactivate(test_client, init_database):
sign_in_response = sign_in(test_client, "oliver", "2398wqshjduiwd8932")
user = User.query.filter_by(username="******").first()
webauthn = Webauthn.query.filter_by(user_id=user.did).first()
webauthn.is_enabled = True
init_database.session.add(webauthn)
init_database.session.commit()
got_webauthn = Webauthn.query.filter_by(user_id=user.did).first()
assert got_webauthn.is_enabled is True
deactivate_webautn_response = deactivate_webauthn(test_client)
assert b"Deactivated" in deactivate_webautn_response.data
webauthn = Webauthn.query.filter_by(user_id=user.did).first()
assert webauthn.is_enabled is False
def test_webauthn_authenticate(test_client, init_database):
sign_in_response = sign_in(test_client, "jennie",
"9df1c362e4df3e51edd1acde9")
device = SoftWebauthnDevice()
user = User.query.filter_by(username="******").first()
webauthn = Webauthn.query.filter_by(user_id=user.did).first()
user_handle = webauthn.user_identifier
device.cred_init(TestConfig.RP_ID, user_handle)
device.private_key = KeyList.priv_one
user5_first_security_key_public_key = ES256.from_cryptography_key(
device.private_key.public_key())
key = (Key.query.filter_by(user_id=user.did).filter_by(
public_key=cbor.encode(user5_first_security_key_public_key)).first())
device.credential_id = key.credential_id
pkcro = cbor.decode(test_client.post("/webauthn/authenticate/begin").data)
assertion = device.get(pkcro, f"https://{TestConfig.RP_ID}")
assertion_data = cbor.encode({
"credentialId":
assertion["rawId"],
"clientDataJSON":
assertion["response"]["clientDataJSON"],
"authenticatorData":
assertion["response"]["authenticatorData"],
"signature":
assertion["response"]["signature"],
"userHandle":
assertion["response"]["userHandle"],
})
raw_response = test_client.post(
"/webauthn/authenticate/complete",
input_stream=BytesIO(assertion_data),
content_type="application/cbor",
)
authentication_response = cbor.decode(raw_response.data)
assert authentication_response == {"status": "OK"}
settings_response = test_client.get("/settings")
assert settings_response.status_code == 200
def test_webauthn_name_key(test_client, init_database):
sign_in_response = sign_in(test_client, "oliver", "2398wqshjduiwd8932")
user = User.query.filter_by(username="******").first()
# It doesn't matter name of which key we will change
key = Key.query.filter_by(user_id=user.did).first()
assert key.name == "Key 1"
name_key_response = name_key(
test_client,
data={
"credential_id": binascii.b2a_hex(key.credential_id),
"key_name": "MyKey with spaces",
},
)
key = Key.query.filter_by(user_id=user.did).first()
assert key.name == "MyKey with spaces"
def test_webauthn_get_keys_list(test_client, init_database):
sign_in_response = sign_in(test_client, "oliver", "2398wqshjduiwd8932")
user = User.query.filter_by(username="******").first()
keys_list_response = get_keys_list(test_client)
keys_list = keys_list_response.data
parsed_keys_list = json.loads(keys_list)
first_key_credential_id_hex = list(parsed_keys_list)[0]
first_key = (
Key.query.filter_by(user_id=user.did)
.filter_by(credential_id=binascii.a2b_hex(first_key_credential_id_hex))
.first()
)
assert first_key is not None
assert parsed_keys_list[first_key_credential_id_hex]["name"] is not None
assert (
parsed_keys_list[first_key_credential_id_hex]["last_access"]
is not None
)
def test_login_taken_username(test_client, init_database):
delete_session_cookie(test_client)
response = sign_in(test_client, "straw_berry", "aabbccdd")
assert b"Invalid username or password" in response.data
def test_login_without_2fa(test_client, init_database):
delete_session_cookie(test_client)
sign_in_response = sign_in(test_client, "straw_berry", "[email protected]<")
assert b"Hello, straw_berry" in sign_in_response.data
def test_logout(test_client, init_database):
sign_in(test_client, "straw_berry", "[email protected]<")
logout_response = test_client.get("/auth/logout", follow_redirects=False)
cookie_header = logout_response.headers.get("Set-Cookie")
assert "session=;" in cookie_header