def test_update_password(self):
username = "******"
password = "******"
email = "*****@*****.**"
user = BaseUser(username=username, password=password, email=email)
user.save().run_sync()
authenticated = BaseUser.login_sync(username, password)
self.assertTrue(authenticated is not None)
# Test success
new_password = "******"
BaseUser.update_password_sync(username, new_password)
authenticated = BaseUser.login_sync(username, new_password)
self.assertTrue(authenticated is not None)
# Test ultra long password
malicious_password = secrets.token_urlsafe(1000)
with self.assertRaises(ValueError) as manager:
BaseUser.update_password_sync(username, malicious_password)
self.assertEqual(
manager.exception.__str__(),
"The password is too long.",
)
def test_login(self, logger: MagicMock):
username = "******"
password = "******"
email = "*****@*****.**"
user = BaseUser(username=username, password=password, email=email)
user.save().run_sync()
# Test correct password
authenticated = BaseUser.login_sync(username, password)
self.assertTrue(authenticated == user.id)
# Test incorrect password
authenticated = BaseUser.login_sync(username, "blablabla")
self.assertTrue(authenticated is None)
# Test ultra long password
malicious_password = secrets.token_urlsafe(1000)
authenticated = BaseUser.login_sync(username, malicious_password)
self.assertTrue(authenticated is None)
self.assertEqual(
logger.method_calls,
[call.warning("Excessively long password provided.")],
)
# Test ulta long username
logger.reset_mock()
malicious_username = secrets.token_urlsafe(1000)
authenticated = BaseUser.login_sync(malicious_username, password)
self.assertTrue(authenticated is None)
self.assertEqual(
logger.method_calls,
[call.warning("Excessively long username provided.")],
)
def create_user_and_session(self):
user = BaseUser(**self.credentials,
active=True,
admin=True,
superuser=True)
user.save().run_sync()
SessionsBase.create_session_sync(user_id=user.id)
def create():
"""
Create a new user.
"""
username = get_username()
email = get_email()
password = get_password()
confirmed_password = get_confirmed_password()
if not password == confirmed_password:
sys.exit("Passwords don't match!")
if len(password) < 4:
sys.exit("The password is too short")
is_admin = get_is_admin()
is_superuser = get_is_superuser()
is_active = get_is_active()
user = BaseUser(
username=username,
password=password,
admin=is_admin,
email=email,
active=is_active,
superuser=is_superuser,
)
user.save().run_sync()
print(f"Created User {user.id}")
def test_login_success(self):
user = BaseUser(**self.credentials)
user.save().run_sync()
client = TestClient(APP)
response = client.post("/", json=self.credentials)
self.assertTrue(response.status_code == 200)
self.assertTrue("token" in response.json())
def test_secret(self):
"""
Make sure that secret fields are omitted from the response when
requested.
"""
user = BaseUser(username="******", password="******")
user.save().run_sync()
user_dict = BaseUser.select(exclude_secrets=True).first().run_sync()
self.assertTrue("password" not in user_dict.keys())
def test_create(self, *args, **kwargs):
user = BaseUser(username="******", password="******")
user.save().run_sync()
change_password()
self.assertTrue(
BaseUser.login_sync(username="******", password="******")
is not None
)
async def register_user(user: UserModelIn):
user = BaseUser(**user.__dict__)
if (await BaseUser.exists().where(BaseUser.email == user.email).run()
or await BaseUser.exists().where(BaseUser.username == user.username
).run()):
raise HTTPException(
status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
detail="User with that email or username already exists.",
)
await user.save().run()
return UserModelOut(**user.__dict__)
def test_sucess(self):
provider = PiccoloTokenAuthProvider()
user = BaseUser(**self.credentials)
user.save().run_sync()
token = TokenAuth.create_token_sync(user_id=user.id)
queried_user = run_sync(provider.get_user(token))
self.assertEqual(user.username, queried_user.user["username"])
def test_login_success(self):
user = BaseUser(**self.credentials)
user.save().run_sync()
token = TokenAuth.create_token_sync(user_id=user.id)
client = TestClient(APP)
response = client.post("/", json=self.credentials)
self.assertTrue(response.status_code == 200)
self.assertTrue(response.json()["token"] == token)
def test_login_failure(self):
user = BaseUser(**self.credentials)
user.save().run_sync()
client = TestClient(APP)
with self.assertRaises(HTTPException):
response = client.post("/",
json={
"username": "******",
"password": "******"
})
self.assertTrue(response.status_code == 401)
def setUp(self):
BaseUser.create_table(if_not_exists=True).run_sync()
BaseUser(
username="******",
password="******",
first_name="Bob",
last_name="Jones",
email="*****@*****.**",
active=False,
admin=False,
superuser=False,
).save().run_sync()
def test_register_user_already_exist(self):
"""
Check that a user who already exists cannot register.
"""
client = TestClient(APP)
BaseUser(
username="******", email="*****@*****.**", password="******"
).save().run_sync()
response = client.post("/register/", json=self.register_credentials)
self.assertEqual(response.status_code, 422)
self.assertEqual(
response.content, b"User with email or username already exists."
)
def test_login_success(self):
"""
Make sure a user with the correct permissions can access the protected
endpoint.
"""
client = TestClient(APP)
BaseUser(**self.credentials, active=True, admin=True,
superuser=True).save().run_sync()
response = client.post("/login/", json=self.credentials)
self.assertTrue(response.status_code == 303)
self.assertTrue("id" in response.cookies.keys())
response = client.get("/secret/")
self.assertTrue(response.status_code == 200)
self.assertEqual(response.content, b"top secret")
def test_non_admin(self):
"""
Non-admin users should be rejected by the middleware, if configured
that way.
"""
client = TestClient(APP)
BaseUser(**self.credentials, active=True, admin=False,
superuser=False).save().run_sync()
response = client.post("/login/", json=self.credentials)
self.assertTrue(response.status_code == 303)
# Make a request using the session - it should get rejected.
response = client.get("/secret/")
self.assertTrue(response.status_code == 400)
self.assertEqual(response.content, b"Admin users only")
def test_update_password(self):
username = "******"
password = "******"
email = "*****@*****.**"
user = BaseUser(username=username, password=password, email=email)
user.save().run_sync()
authenticated = BaseUser.login_sync(username, password)
self.assertTrue(authenticated is not None)
new_password = "******"
BaseUser.update_password_sync(username, new_password)
authenticated = BaseUser.login_sync(username, new_password)
self.assertTrue(authenticated is not None)
def test_hooks(self):
# TODO Replace these with mocks ...
def pre_login_test(username):
assert isinstance(username, str)
async def pre_login_test_async(username):
assert isinstance(username, str)
def login_success_test(username, user_id):
assert isinstance(username, str)
assert isinstance(user_id, int)
async def login_success_test_async(username, user_id):
assert isinstance(username, str)
assert isinstance(user_id, int)
def login_failure_test(username):
assert isinstance(username, str)
def login_failure_test_async(username):
assert isinstance(username, str)
router = Router(
routes=[
Route(
"/login/",
session_login(
hooks=LoginHooks(
pre_login=[pre_login_test, pre_login_test_async],
login_success=[
login_success_test,
login_success_test_async,
],
login_failure=[
login_failure_test,
login_failure_test_async,
],
)
),
),
]
)
app = ExceptionMiddleware(router)
BaseUser(**self.credentials, active=True).save().run_sync()
client = TestClient(app)
client.post("/login/", json=self.credentials)
def test_login(self):
username = "******"
password = "******"
email = "*****@*****.**"
user = BaseUser(username=username, password=password, email=email)
save_query = user.save()
save_query.run_sync()
authenticated = asyncio.run(BaseUser.login(username, password))
self.assertTrue(authenticated is not None)
authenticated = asyncio.run(BaseUser.login(username, "blablabla"))
self.assertTrue(not authenticated)
def test_inactive_user(self):
"""
Inactive users should be rejected by the middleware, if configured
that way.
"""
client = TestClient(APP)
BaseUser(**self.credentials, active=False, admin=True,
superuser=True).save().run_sync()
response = client.post("/login/", json=self.credentials)
# Currently the login is successful if the user is inactive - this
# should change in the future.
self.assertTrue(response.status_code == 303)
# Make a request using the session - it should get rejected.
response = client.get("/secret/")
self.assertTrue(response.status_code == 400)
self.assertEqual(response.content, b"Active users only")
def test_change_password_missing_fields(self):
"""
Make sure all fields on the form are filled out.
"""
client = TestClient(APP)
BaseUser(
**self.credentials, active=True, admin=True, superuser=True
).save().run_sync()
response = client.post("/login/", json=self.credentials)
client = TestClient(APP)
response = client.post(
"/change-password/",
cookies={"id": f"{response.cookies.values()[0]}"},
json={},
)
self.assertEqual(response.status_code, 422)
self.assertEqual(
response.content, b"Form is invalid. Missing one or more fields."
)
def test_change_password_get_template(self):
"""
Make sure a GET request to `change_password` returns a change
password form.
"""
client = TestClient(APP)
BaseUser(
**self.credentials, active=True, admin=True, superuser=True
).save().run_sync()
response = client.post("/login/", json=self.credentials)
client = TestClient(APP)
response = client.get(
"/change-password/",
cookies={"id": f"{response.cookies.values()[0]}"},
)
self.assertEqual(response.status_code, 200)
self.assertTrue(
response.headers["content-type"] == "text/html; charset=utf-8"
)
self.assertTrue(b"<h1>Change Password</h1>" in response.content)
def test_correct_current_password(self):
"""
Make sure a POST request to `change_password` works.
"""
client = TestClient(APP)
BaseUser(
**self.credentials, active=True, admin=True, superuser=True
).save().run_sync()
response = client.post("/login/", json=self.credentials)
client = TestClient(APP)
response = client.post(
"/change-password/",
cookies={"id": f"{response.cookies.values()[0]}"},
json={
"current_password": f"{self.credentials['password']}",
"new_password": "******",
"confirm_new_password": "******",
},
)
self.assertEqual(response.status_code, 303)
def test_change_password_match(self):
"""
Make sure the passwords match.
"""
client = TestClient(APP)
BaseUser(
**self.credentials, active=True, admin=True, superuser=True
).save().run_sync()
response = client.post("/login/", json=self.credentials)
client = TestClient(APP)
response = client.post(
"/change-password/",
cookies={"id": f"{response.cookies.values()[0]}"},
json={
"current_password": f"{self.credentials['password']}",
"new_password": "******",
"confirm_new_password": "******",
},
)
self.assertEqual(response.status_code, 422)
self.assertEqual(response.content, b"Passwords do not match.")
def test_logout_success(self):
"""
Make sure a POST request sent to `session_logout` will log out the
user.
"""
client = TestClient(APP)
BaseUser(**self.credentials, active=True, admin=True,
superuser=True).save().run_sync()
response = client.post("/login/", json=self.credentials)
self.assertTrue(response.status_code == 303)
self.assertTrue("id" in response.cookies.keys())
client = TestClient(APP)
response = client.post(
"/logout/",
cookies={"id": response.cookies.get("id")},
json=self.credentials,
)
self.assertTrue(response.status_code == 200)
self.assertEqual(response.content, b"Successfully logged out")
def test_login_wrong_credentials(self):
"""
Make sure a user can't login using wrong credentials.
"""
client = TestClient(APP)
BaseUser(**self.credentials, active=True, admin=True,
superuser=True).save().run_sync()
# Test with the wrong username and password.
response = client.post("/login/", json=self.wrong_credentials)
self.assertTrue(response.status_code == 401)
self.assertTrue(response.cookies.values() == [])
# Test with the correct username, but wrong password.
response = client.post(
"/login/",
json={
"username": self.credentials["username"],
"password": self.wrong_credentials["password"],
},
)
self.assertTrue(response.status_code == 401)
self.assertTrue(response.cookies.values() == [])
def test_valid_credentials(self):
BaseUser(username="******", password="******")
def setUp(self):
SessionsBase.create_table(if_not_exists=True).run_sync()
BaseUser.create_table(if_not_exists=True).run_sync()
BaseUser(
**self.credentials, active=True, admin=True, superuser=True
).save().run_sync()
def test_malicious_password(self):
malicious_password = secrets.token_urlsafe(1000)
with self.assertRaises(ValueError) as manager:
BaseUser(username="******", password=malicious_password)
self.assertEqual(manager.exception.__str__(),
"The password is too long.")