def test_register_ok(self):
    """Valid registration creates an inactive user and mails a signed verification link.

    Asserts, in order: the view answers 201 with the new user's id; the stored
    user has the submitted username, a password that verifies, and is NOT
    active (activation must only happen through the verification step); exactly
    one e-mail was sent from VERIFICATION_FROM_EMAIL to the submitted address;
    the single URL in its body targets REGISTER_VERIFICATION_URL with the
    user_id / timestamp / signature query keys; the user_id matches the created
    user; the timestamp lies inside the wall-clock window of the request; and
    the signed data verifies with RegisterSigner without modification.
    """
    payload = self._get_register_user_data(password='******')
    request = self.create_post_request(payload)

    # Bracket the request so the issued timestamp can be bounded from both sides.
    window_start = math.floor(time.time())
    with self.assert_one_mail_sent() as outbox:
        response = self.view_func(request)
    window_end = math.ceil(time.time())

    self.assert_valid_response(response, status.HTTP_201_CREATED)
    new_user_id = response.data['id']

    # Database state.
    created = self.user_class.objects.get(id=new_user_id)
    self.assertEqual(created.username, payload['username'])
    self.assertTrue(created.check_password(payload['password']))
    self.assertFalse(created.is_active)

    # Verification e-mail: sender, recipient, and exactly one URL line in the body.
    message = outbox[0]
    self.assertEqual(message.from_email, VERIFICATION_FROM_EMAIL)
    self.assertListEqual(message.to, [payload['email']])
    link = self.assert_one_url_line_in_text(message.body)
    fields = self.assert_valid_verification_url(
        link,
        expected_path=REGISTER_VERIFICATION_URL,
        expected_query_keys={'signature', 'user_id', 'timestamp'},
    )

    # The link must point at the user just created ...
    self.assertEqual(int(fields['user_id']), new_user_id)
    # ... carry a timestamp issued during this request ...
    issued_at = int(fields['timestamp'])
    self.assertGreaterEqual(issued_at, window_start)
    self.assertLessEqual(issued_at, window_end)
    # ... and be signed so that the signer accepts it as-is.
    RegisterSigner(fields).verify()
def test_register_with_username_as_verification_id_ok(self):
    """Registration with the username as the verification id mails a valid signed link.

    Same contract as the plain registration test, except that the user_id
    field of the verification URL must equal the created user's username
    rather than its primary key. The issued timestamp is bounded by the
    self.timer() context instead of explicit time.time() calls.

    Using the username as verification id is not recommended if it can change
    for a given user.
    """
    payload = self._get_register_user_data(password='******')
    request = self.create_post_request(payload)

    with self.assert_one_mail_sent() as outbox, self.timer() as clock:
        response = self.view_func(request)

    self.assert_valid_response(response, status.HTTP_201_CREATED)
    new_user_id = response.data['id']

    # Database state: user exists, credentials stored, still inactive.
    created = self.user_class.objects.get(id=new_user_id)
    self.assertEqual(created.username, payload['username'])
    self.assertTrue(created.check_password(payload['password']))
    self.assertFalse(created.is_active)

    # Verification e-mail: sender, recipient, and exactly one URL line in the body.
    message = outbox[0]
    self.assertEqual(message.from_email, VERIFICATION_FROM_EMAIL)
    self.assertListEqual(message.to, [payload['email']])
    link = self.assert_one_url_line_in_text(message.body)
    fields = self.assert_valid_verification_url(
        link,
        expected_path=REGISTER_VERIFICATION_URL,
        expected_fields={'signature', 'user_id', 'timestamp'},
    )

    # Here the verification id is the username, not the numeric pk.
    self.assertEqual(fields['user_id'], created.username)

    # Timestamp must have been issued while the request ran.
    issued_at = int(fields['timestamp'])
    self.assertGreaterEqual(issued_at, clock.start_time)
    self.assertLessEqual(issued_at, clock.end_time)

    # Signature must verify over the unmodified fields.
    RegisterSigner(fields).verify()
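def prepare_request(self, user, session=False, data_to_sign=None):
    """Build a POST request carrying signed registration-verification data.

    Args:
        user: the user whose verification request is being built; its ``pk``
            is signed by default.
        session: when True, attach a session to the request via
            ``self.add_session_to_request``.
        data_to_sign: optional explicit payload handed to ``RegisterSigner``
            instead of ``{'user_id': user.pk}``. Lets tests sign deliberately
            wrong or extra fields without duplicating this helper; omitting it
            keeps the original behaviour exactly.

    Returns:
        The request produced by ``self.create_post_request``, containing the
        signer's signed data (including the signature field).
    """
    if data_to_sign is None:
        data_to_sign = {'user_id': user.pk}
    signer = RegisterSigner(data_to_sign)
    signed = signer.get_signed_data()
    request = self.create_post_request(signed)
    if session:
        self.add_session_to_request(request)
    return request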
def prepare_request(self, user, session=False, data_to_sign=None):
    """Build a POST request carrying signed registration-verification data.

    Args:
        user: the user whose verification request is being built; its ``pk``
            is what gets signed unless ``data_to_sign`` is given.
        session: when True, attach a session to the request via
            ``self.add_session_to_request``.
        data_to_sign: optional explicit payload for ``RegisterSigner``; a
            ``None`` value falls back to ``{'user_id': user.pk}``.

    Returns:
        The request produced by ``self.create_post_request`` with the signed
        data (fields plus signature) as its body.
    """
    payload = {'user_id': user.pk} if data_to_sign is None else data_to_sign
    signed = RegisterSigner(payload).get_signed_data()
    request = self.create_post_request(signed)
    if not session:
        return request
    self.add_session_to_request(request)
    return request
def test_verify_disabled(self):
    """A correctly signed verification request must be rejected with 404 here.

    The test name suggests registration verification is switched off for this
    test class (the configuration lives outside this method). The important
    negative check is the last one: even with a valid signature the account
    must remain inactive.
    """
    pending = self.create_test_user(is_active=False)
    self.assertFalse(pending.is_active)

    signed = RegisterSigner({'user_id': pending.pk}).get_signed_data()
    response = self.view_func(self.create_post_request(signed))

    self.assert_invalid_response(response, status.HTTP_404_NOT_FOUND)
    pending.refresh_from_db()
    self.assertFalse(pending.is_active)
def test_ok(self):
    """A GET with valid signed data redirects to SUCCESS_URL and activates the user.

    The signed fields are passed as query parameters (``data=`` on a GET), the
    response must be a 302 whose ``url`` is SUCCESS_URL, and the user row
    must read as active afterwards.
    """
    pending = self.create_test_user(is_active=False)
    self.assertFalse(pending.is_active)

    signed = RegisterSigner({'user_id': pending.pk}).get_signed_data()
    response = self.client.get(self.view_url, data=signed)

    self.assertEqual(response.status_code, 302)
    self.assertEqual(response.url, SUCCESS_URL)
    pending.refresh_from_db()
    self.assertTrue(pending.is_active)
def create_verify_and_user(self, session=False):
    """Create an inactive user, POST a validly signed verification for it, return both.

    Args:
        session: when True, attach a session to the request before calling
            the view.

    Returns:
        ``(user, response)`` -- the user object as created (NOT refreshed
        from the database; callers that check activation must call
        ``refresh_from_db`` themselves) and the view's response.
    """
    pending = self.create_test_user(is_active=False)
    self.assertFalse(pending.is_active)

    signed = RegisterSigner({'user_id': pending.pk}).get_signed_data()
    request = self.create_post_request(signed)
    if session:
        self.add_session_to_request(request)

    return pending, self.view_func(request)
def test_verify_ok(self):
    """Calling verify_registration directly with valid signed data activates the user.

    Unlike the sibling tests this one builds the request with
    ``self.factory.post('', data)`` and calls the ``verify_registration``
    function itself; it expects a 200 and an active user afterwards.
    """
    pending = self.create_test_user(is_active=False)
    self.assertFalse(pending.is_active)

    signed = RegisterSigner({'user_id': pending.pk}).get_signed_data()
    response = verify_registration(self.factory.post('', signed))

    self.assert_valid_response(response, status.HTTP_200_OK)
    pending.refresh_from_db()
    self.assertTrue(pending.is_active)
def test_verify_tampered_timestamp(self):
    """Altering the timestamp after signing must be rejected with 400.

    The timestamp is part of the signed material, so bumping it by one second
    while keeping the original signature must fail verification -- otherwise
    a recipient could extend a link's validity at will. The account must stay
    inactive.
    """
    pending = self.create_test_user(is_active=False)
    self.assertFalse(pending.is_active)

    signed = RegisterSigner({'user_id': pending.pk}).get_signed_data()
    # Tamper with the signed field but leave the signature untouched.
    signed['timestamp'] = signed['timestamp'] + 1

    response = self.view_func(self.create_post_request(signed))

    self.assert_invalid_response(response, status.HTTP_400_BAD_REQUEST)
    pending.refresh_from_db()
    self.assertFalse(pending.is_active)
def test_tampered_signature(self):
    """A corrupted signature must redirect to FAILURE_URL and leave the user inactive.

    The signature is extended with extra characters (``'blah'``) so it no
    longer matches the signed fields. The GET must answer 302 to FAILURE_URL
    rather than SUCCESS_URL, and the account must not be activated.
    """
    pending = self.create_test_user(is_active=False)
    self.assertFalse(pending.is_active)

    signed = RegisterSigner({'user_id': pending.pk}).get_signed_data()
    # Corrupt the signature only; the signed fields stay as issued.
    signed['signature'] = signed['signature'] + 'blah'

    response = self.client.get(self.view_url, data=signed)

    self.assertEqual(response.status_code, 302)
    self.assertEqual(response.url, FAILURE_URL)
    pending.refresh_from_db()
    self.assertFalse(pending.is_active)
def test_verify_expired(self):
    """A link signed eight days earlier must be rejected with 400.

    ``time.time`` is patched twice: first frozen at ``issued_at`` while the
    data is signed, then moved forward by 8 * 24 * 3600 seconds while the
    view runs. The signature itself is untouched, so the rejection must come
    from the signer's age check; the account must remain inactive.

    Only the far side of the window is exercised here -- the exact expiry
    boundary is not pinned by this test.
    """
    issued_at = int(time.time())
    pending = self.create_test_user(is_active=False)
    self.assertFalse(pending.is_active)

    with patch('time.time', side_effect=lambda: issued_at):
        signed = RegisterSigner({'user_id': pending.pk}).get_signed_data()
        request = self.create_post_request(signed)

    eight_days = 3600 * 24 * 8
    with patch('time.time', side_effect=lambda: issued_at + eight_days):
        response = self.view_func(request)

    self.assert_invalid_response(response, status.HTTP_400_BAD_REQUEST)
    pending.refresh_from_db()
    self.assertFalse(pending.is_active)
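def test_signer_with_different_secret_keys(self):
    """Signing the same payload under two SECRET_KEY values must yield different signatures.

    This pins the property that the signature is keyed on Django's SECRET_KEY:
    rotating the key must invalidate previously issued links, and a signature
    produced under one deployment's key must not verify under another's.

    The two secrets below are throwaway test fixtures, not real keys. The
    comparison uses ``self.assertNotEqual`` rather than a bare ``assert`` so
    the check is not stripped when the suite runs under ``python -O`` and so a
    failure reports both values.
    """
    pending = self.create_test_user(is_active=False)
    data_to_sign = {'user_id': pending.pk}
    secrets = [
        '#0ka!t#6%28imjz+2t%l(()yu)tg93-1w%$du0*po)*@l+@+4h',
        'feb7tjud7m=91$^mrk8dq&nz(0^!6+1xk)%gum#oe%(n)8jic7',
    ]
    signatures = []
    for secret in secrets:
        with override_settings(SECRET_KEY=secret):
            signer = RegisterSigner(data_to_sign)
            signed = signer.get_signed_data()
            signatures.append(signed[signer.SIGNATURE_FIELD])
    self.assertNotEqual(signatures[0], signatures[1])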