def test_logout(self):
    """Logging out clears the access cookie so the protected route rejects later calls.

    Flow: create a user, log in (cookie-carried JWT plus CSRF double-submit
    header), confirm /sanity/protected accepts the session, post to
    /auth/logout, then confirm the very same CSRF header is no longer enough
    because the access cookie has been removed.

    NOTE(review): this only shows the cookie was cleared on the client; it does
    not show that the old access token would be rejected if replayed explicitly
    (server-side revocation is exercised separately by test_blacklist).
    """
    with self.client:
        add_user('test', '*****@*****.**', 'testtest')
        access_csrf, _refresh_csrf, _access_token = login_user(
            self.client, '*****@*****.**', 'testtest')
        csrf_header = {'X-CSRF-TOKEN': access_csrf}

        # Sanity: the fresh session is accepted.
        response = self.client.post('/sanity/protected', headers=csrf_header)
        body = json.loads(response.data.decode())
        self.assertEqual(body['msg'], 'success')
        self.assertEqual(response.content_type, 'application/json')
        self.assertEqual(response.status_code, 200)

        # Log out through the API.
        response = self.client.post('/auth/logout', headers=csrf_header)
        body = json.loads(response.data.decode())
        self.assertTrue(body['logout'])
        self.assertEqual(response.content_type, 'application/json')
        self.assertEqual(response.status_code, 200)

        # Same CSRF header, but the access cookie is gone -> 401.
        response = self.client.post('/sanity/protected', headers=csrf_header)
        body = json.loads(response.data.decode())
        self.assertEqual(body['msg'], "Missing cookie \"access_token_cookie\"")
        self.assertEqual(response.content_type, 'application/json')
        self.assertEqual(response.status_code, 401)
def test_change_password_wrong_old(self):
    """A password change with the wrong current password is refused and changes nothing.

    After a rejected change, logging in with the credential supplied in that
    request must still fail, proving the stored password was not touched.
    """
    with self.client:
        add_user('test', '*****@*****.**', 'testtest')
        access_csrf, _refresh_csrf, _access_token = login_user(
            self.client, '*****@*****.**', 'testtest')
        csrf_header = {'X-CSRF-TOKEN': access_csrf}

        # NOTE(review): this body-less request is sent but its response is
        # discarded; nothing about it is asserted. TODO: decide which status an
        # empty change-password request should get and assert it here.
        self.client.post('/auth/changepassword', headers=csrf_header)

        change_payload = dict(old_password='******', new_password='******')
        response = self.client.post(
            '/auth/changepassword',
            data=json.dumps(change_payload),
            content_type='application/json',
            headers=csrf_header,
        )
        body = json.loads(response.data.decode())
        self.assertEqual(body['msg'], 'Incorrect password')

        # The rejected change must not have taken effect.
        login_payload = dict(email='*****@*****.**', password='******')
        response = self.client.post(
            '/auth/login',
            data=json.dumps(login_payload),
            content_type='application/json',
        )
        body = json.loads(response.data.decode())
        self.assertFalse(body['login'])
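def test_add_user_duplicate_email(self):
    """Ensure error is thrown if the email already exists.

    An admin creates a user, then repeats the request with the same email;
    the second request must be rejected with 400 and a 'fail' status.
    """
    user = login_user(self, admin=True)
    token = user['token']
    # RFC 6750 form is "Bearer <token>" (no colon). This matches the other
    # /users tests in this suite instead of relying on a lenient header parser
    # that happens to tolerate "Bearer: <token>".
    auth_header = {'Authorization': f'Bearer {token}'}
    new_user = {
        'username': '******',
        'email': '*****@*****.**',
        'password': '******',
    }
    with self.client:
        # The first creation must itself succeed; otherwise the "duplicate"
        # request below would be rejected for an unrelated reason.
        response = self.client.post(
            '/users',
            data=json.dumps(new_user),
            content_type='application/json',
            headers=auth_header)
        self.assertEqual(response.status_code, 201)

        response = self.client.post(
            '/users',
            data=json.dumps(new_user),
            content_type='application/json',
            headers=auth_header)
        data = json.loads(response.data.decode())
        self.assertEqual(response.status_code, 400)
        self.assertIn('Sorry. That email already exists.', data['message'])
        self.assertIn('fail', data['status'])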
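def test_activate_ok(self):
    """An invite token activates an inactive account, after which a normal login works.

    Setup creates an inactive 'existing' user and a CBL-member 'test' user,
    mints an invite token with encode_url_token, posts the activation form to
    /auth/activate?id=<token>, then proves a login yields a session that
    /sanity/protected accepts.
    """
    with self.client:
        add_user('existing', '*****@*****.**', 'existingexisting', active=False)
        add_user('test', '*****@*****.**', 'testtest', cbl_member=True)
        token = encode_url_token('invite', '*****@*****.**')
        # Absolute path, consistent with every other route in this suite.
        url = '/auth/activate?id={}'.format(token)
        # NOTE(review): the body carries an email alongside the token; the
        # server should bind activation to the token's email, not the body's.
        # TODO confirm a negative test exists for a mismatched token/email pair.
        response = self.client.post(
            url,
            data=json.dumps(dict(
                email='*****@*****.**',
                username='******',
                password='******'
            )),
            content_type='application/json'
        )
        data = json.loads(response.data.decode())
        self.assertTrue(data['msg'] == 'Account activated')
        self.assertTrue(response.content_type == 'application/json')
        self.assertEqual(response.status_code, 200)

        # The activated flow ends in a usable session.
        access_csrf, refresh_csrf, access_token = login_user(
            self.client, '*****@*****.**', 'testtest')
        response = self.client.post(
            '/sanity/protected', headers={'X-CSRF-TOKEN': access_csrf})
        data = json.loads(response.data.decode())
        self.assertTrue(data['msg'] == 'success')
        self.assertTrue(response.content_type == 'application/json')
        self.assertEqual(response.status_code, 200)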
def test_add_user_duplicate_email(self):
    """Ensure error is thrown if the email already exists."""
    with self.client:
        add_admin('test', '*****@*****.**', 'test')
        token = login_user(self.client, '*****@*****.**', 'test')
        auth_header = {'Authorization': f'Bearer {token}'}
        first_user = {
            'username': '******',
            'email': '*****@*****.**',
            'password': '******',
        }
        self.client.post(
            '/users',
            data=json.dumps(first_user),
            content_type='application/json',
            headers=auth_header,
        )
        # Only the email is sent the second time: the duplicate-email check is
        # expected to fire before the rest of the payload is validated (contrast
        # the 'Invalid payload.' response when username/password are missing).
        response = self.client.post(
            '/users',
            data=json.dumps({'email': first_user['email']}),
            content_type='application/json',
            headers=auth_header,
        )
        body = json.loads(response.data.decode())
        self.assertEqual(response.status_code, 400)
        self.assertIn('Sorry. That email already exists.', body['message'])
        self.assertIn('fail', body['status'])
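def test_registered_user_login(self, mock_validate_recaptcha):
    """A registered user can log in and receives an auth token in the response body.

    `mock_validate_recaptcha` is presumably injected by a patch decorator that
    is not visible here, so the login path does not hit the real reCAPTCHA
    service; it is not used directly in this test.
    """
    add_user('test', '*****@*****.**', 'test')
    response = login_user('*****@*****.**', 'test')
    data = json.loads(response.data.decode())
    self.assertEqual(data['status'], 'success')
    self.assertEqual(data['message'], 'Successfully logged in.')
    # This API hands the token back in the JSON body rather than a cookie.
    self.assertTrue(data['auth_token'])
    self.assertEqual(response.content_type, 'application/json')
    self.assertEqual(response.status_code, 200)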
def test_refresh(self):
    """A refresh-only session can mint a new access token via /auth/refresh.

    The refresh CSRF value (not the access one) is what the refresh route
    expects in X-CSRF-TOKEN.
    """
    with self.client:
        add_user('test', '*****@*****.**', 'testtest')
        _access_csrf, refresh_csrf, _access_token = login_user(
            self.client, '*****@*****.**', 'testtest', refresh_only=True)
        response = self.client.post(
            '/auth/refresh', headers={'X-CSRF-TOKEN': refresh_csrf})
        body = json.loads(response.data.decode())
        self.assertTrue(body['refresh'])
        self.assertEqual(response.content_type, 'application/json')
        self.assertEqual(response.status_code, 200)
def test_protected_no_access(self):
    """The refresh CSRF value cannot be used to satisfy an access-protected route.

    Logging in with refresh_only=True and then presenting the refresh CSRF
    token to /sanity/protected must fail the double-submit check with 401.
    """
    with self.client:
        add_user('test', '*****@*****.**', 'testtest')
        _access_csrf, refresh_csrf, _access_token = login_user(
            self.client, '*****@*****.**', 'testtest', refresh_only=True)
        # Wrong CSRF pairing on purpose: refresh token against an access route.
        response = self.client.post(
            '/sanity/protected', headers={'X-CSRF-TOKEN': refresh_csrf})
        body = json.loads(response.data.decode())
        self.assertEqual(body['msg'], "CSRF double submit tokens do not match")
        self.assertEqual(response.content_type, 'application/json')
        self.assertEqual(response.status_code, 401)
def test_protected_with_auth(self):
    """Protected endpoint, with login: a full session plus its access CSRF header is accepted."""
    with self.client:
        add_user('test', '*****@*****.**', 'testtest')
        access_csrf, _refresh_csrf, _access_token = login_user(
            self.client, '*****@*****.**', 'testtest')
        response = self.client.post(
            '/sanity/protected', headers={'X-CSRF-TOKEN': access_csrf})
        body = json.loads(response.data.decode())
        self.assertEqual(body['msg'], 'success')
        self.assertEqual(response.content_type, 'application/json')
        self.assertEqual(response.status_code, 200)
def test_add_user_invalid_json(self):
    """Ensure error is thrown if the JSON object is empty."""
    with self.client:
        add_admin('test', '*****@*****.**', 'test')
        token = login_user(self.client, '*****@*****.**', 'test')
        # Valid admin credentials, but an empty object as the payload.
        response = self.client.post(
            '/users',
            data=json.dumps({}),
            content_type='application/json',
            headers={'Authorization': f'Bearer {token}'},
        )
        body = json.loads(response.data.decode())
        self.assertEqual(response.status_code, 400)
        self.assertIn('Invalid payload.', body['message'])
        self.assertIn('fail', body['status'])
def test_claims(self):
    """Load user details from claim: /sanity/claim echoes the identity carried in the JWT claims."""
    with self.client:
        add_user('test', '*****@*****.**', 'testtest')
        access_csrf, _refresh_csrf, _access_token = login_user(
            self.client, '*****@*****.**', 'testtest')
        response = self.client.post(
            '/sanity/claim', headers={'X-CSRF-TOKEN': access_csrf})
        claims = json.loads(response.data.decode())
        # add_user was called without cbl_member, so the claim must be False.
        self.assertEqual(claims['email'], '*****@*****.**')
        self.assertFalse(claims['cbl_member'])
        self.assertEqual(claims['username'], 'test')
        self.assertEqual(response.content_type, 'application/json')
        self.assertEqual(response.status_code, 200)
def test_add_user_inactive(self):
    """A token belonging to an inactive user is rejected on /users with 401.

    The server reports it as an invalid token rather than a permission error.
    """
    user = login_user(self, active=False)
    token = user['token']
    payload = {
        'username': '******',
        'email': '*****@*****.**',
        'password': '******',
    }
    with self.client:
        response = self.client.post(
            '/users',
            data=json.dumps(payload),
            content_type='application/json',
            headers={'Authorization': f'Bearer {token}'})
        body = json.loads(response.data.decode())
        self.assertEqual(body['status'], 'fail')
        self.assertEqual(body['message'], 'Provide a valid auth token.')
        self.assertEqual(response.status_code, 401)
def test_add_user_invalid_json_keys_no_password(self):
    """Ensure error is thrown if the JSON object does not have a password key."""
    user = login_user(self, admin=True)
    token = user['token']
    # username and email only — no password.
    payload = dict(username='******', email='*****@*****.**')
    with self.client:
        response = self.client.post(
            '/users',
            data=json.dumps(payload),
            content_type='application/json',
            headers={'Authorization': f'Bearer {token}'})
        body = json.loads(response.data.decode())
        self.assertEqual(response.status_code, 400)
        self.assertIn('Invalid payload.', body['message'])
        self.assertIn('fail', body['status'])
def test_add_user_invalid_json_keys(self):
    """Ensure error is thrown if the JSON object does not have a username key."""
    with self.client:
        add_admin('test', '*****@*****.**', 'test')
        token = login_user(self.client, '*****@*****.**', 'test')
        # email and password only — no username.
        payload = {
            'email': '*****@*****.**',
            'password': '******',
        }
        response = self.client.post(
            '/users',
            data=json.dumps(payload),
            content_type='application/json',
            headers={'Authorization': f'Bearer {token}'},
        )
        body = json.loads(response.data.decode())
        self.assertEqual(response.status_code, 400)
        self.assertIn('Invalid payload.', body['message'])
        self.assertIn('fail', body['status'])
def test_add_user_not_admin(self):
    """A non-admin user cannot create users through /users.

    The server currently answers an authorization failure with 401 and a
    permission message; a 403 would be the more precise code, but this test
    pins the behaviour as implemented.
    """
    user = login_user(self)
    token = user['token']
    payload = {
        'username': '******',
        'email': '*****@*****.**',
        'password': '******',
    }
    with self.client:
        response = self.client.post(
            '/users',
            data=json.dumps(payload),
            content_type='application/json',
            headers={'Authorization': f'Bearer {token}'})
        body = json.loads(response.data.decode())
        self.assertEqual(body['status'], 'fail')
        self.assertEqual(
            body['message'], 'You do not have permission to do that.')
        self.assertEqual(response.status_code, 401)
def test_add_user(self):
    """Ensure a new user can be added to the database (admin token, complete payload -> 201)."""
    user = login_user(self, admin=True)
    token = user['token']
    payload = {
        'username': '******',
        'email': '*****@*****.**',
        'password': '******',
    }
    with self.client:
        response = self.client.post(
            '/users',
            data=json.dumps(payload),
            content_type='application/json',
            headers={'Authorization': f'Bearer {token}'})
        body = json.loads(response.data.decode())
        self.assertEqual(response.status_code, 201)
        self.assertIn('[email protected] was added!', body['message'])
        self.assertIn('success', body['status'])
def test_add_user(self):
    """Ensure a new user can be added to the database (admin token, complete payload -> 201)."""
    with self.client:
        add_admin('test', '*****@*****.**', 'test')
        token = login_user(self.client, '*****@*****.**', 'test')
        payload = {
            'username': '******',
            'password': '******',
            'email': '*****@*****.**',
        }
        response = self.client.post(
            '/users',
            data=json.dumps(payload),
            content_type='application/json',
            headers={'Authorization': f'Bearer {token}'},
        )
        body = json.loads(response.data.decode())
        self.assertEqual(response.status_code, 201)
        self.assertIn('[email protected] was added!', body['message'])
        self.assertIn('success', body['status'])
def test_blacklist(self):
    """A revoked access token is rejected server-side even though the cookie is still present.

    Unlike test_logout, the client keeps its cookie here; only the server-side
    blocklist entry added by revoke_jwt should cause the 401.
    """
    with self.client:
        add_user('test', '*****@*****.**', 'testtest')
        access_csrf, _refresh_csrf, access_token = login_user(
            self.client, '*****@*****.**', 'testtest')
        csrf_header = {'X-CSRF-TOKEN': access_csrf}

        # Before revocation the session works.
        response = self.client.post('/sanity/protected', headers=csrf_header)
        body = json.loads(response.data.decode())
        self.assertEqual(body['msg'], 'success')
        self.assertEqual(response.content_type, 'application/json')
        self.assertEqual(response.status_code, 200)

        # Revoke with a lifetime 20% longer than the token's own expiry so the
        # blocklist entry cannot lapse before the token would have.
        blocklist_ttl = app.config['JWT_ACCESS_TOKEN_EXPIRES'] * 1.2
        revoke_jwt(access_token, blocklist_ttl)

        # Same cookie, same CSRF header — now refused because of the blocklist.
        response = self.client.post('/sanity/protected', headers=csrf_header)
        body = json.loads(response.data.decode())
        self.assertEqual(body['msg'], 'Token has been revoked')
        self.assertEqual(response.content_type, 'application/json')
        self.assertEqual(response.status_code, 401)
def test_invite_not_cbl(self):
    """Only core CBL members may create invites; everyone else gets 403.

    The user is created without cbl_member, so a valid session is not enough.
    """
    with self.client:
        add_user('test', '*****@*****.**', 'testtest')
        access_csrf, _refresh_csrf, _access_token = login_user(
            self.client, '*****@*****.**', 'testtest')
        invite = dict(email='*****@*****.**', name='example')
        response = self.client.post(
            '/auth/createinvite',
            data=json.dumps(invite),
            content_type='application/json',
            headers={'X-CSRF-TOKEN': access_csrf}
        )
        body = json.loads(response.data.decode())
        self.assertEqual(body['msg'], "Core CBL members only")
        self.assertEqual(response.content_type, 'application/json')
        self.assertEqual(response.status_code, 403)
def test_invite_existing_active(self):
    """Inviting an already-active account is refused with 409.

    The caller is a CBL member (so authorized to invite); the conflict is
    purely about the target, which already exists and is active and enabled.
    suppress_email keeps the test from trying to send mail.
    """
    with self.client:
        add_user('existing', '*****@*****.**', 'existingexisting',
                 active=True, disabled=False)
        add_user('test', '*****@*****.**', 'testtest', cbl_member=True)
        access_csrf, _refresh_csrf, _access_token = login_user(
            self.client, '*****@*****.**', 'testtest')
        invite = dict(
            email='*****@*****.**',
            name='existing',
            suppress_email=True,
        )
        response = self.client.post(
            '/auth/createinvite',
            data=json.dumps(invite),
            content_type='application/json',
            headers={'X-CSRF-TOKEN': access_csrf}
        )
        body = json.loads(response.data.decode())
        self.assertEqual(body['msg'], "User already exists")
        self.assertEqual(response.content_type, 'application/json')
        self.assertEqual(response.status_code, 409)