def test_revokes_token_once(self):
    """A token grants access until revoked, cannot be revoked twice, and is rejected afterwards.

    Exercises the full lifecycle: the fixture token lists printers (200), the
    owning user revokes it (204), a repeat revoke is reported as not found (404),
    and the revoked token is then refused (401).
    """
    printers_url = "/organizations/%s/printers" % UUID_ORG
    revoke_url = "/users/me/tokens/%s" % (self.token_jti)
    with app.test_client() as client:
        # Precondition: the fixture token starts out unrevoked in the store.
        stored = api_tokens.get_token(self.token_jti)
        self.assertFalse(stored["revoked"])
        client.set_cookie("localhost", "access_token_cookie", self.token)
        allowed = client.get(printers_url, headers={"x-csrf-token": self.token_csrf})
        self.assertEqual(allowed.status_code, 200)
        # Revoke with the owning user's cookie (TOKEN_USER), not with the API token itself.
        client.set_cookie("localhost", "access_token_cookie", TOKEN_USER)
        first_revoke = client.delete(revoke_url, headers={"x-csrf-token": TOKEN_USER_CSRF})
        self.assertEqual(first_revoke.status_code, 204)
        self.assertTrue(api_tokens.get_token(self.token_jti)["revoked"])
        # Revoking the same jti again must not succeed a second time.
        second_revoke = client.delete(revoke_url, headers={"x-csrf-token": TOKEN_USER_CSRF})
        self.assertEqual(second_revoke.status_code, 404)
        # The revoked token no longer authenticates the printers endpoint.
        client.set_cookie("localhost", "access_token_cookie", self.token)
        denied = client.get(printers_url, headers={"x-csrf-token": self.token_csrf})
        self.assertEqual(denied.status_code, 401)
def test_returns_user_role_token(self):
    """Minting an organization API token as admin yields a non-expiring, role-less access token.

    The created token must expose access_token/name/jti but no refresh_token, and
    its claims must carry no "exp", no system_role and no force_pwd_change, while
    still naming the organization it was issued for.
    """
    with app.test_client() as client:
        client.set_cookie("localhost", "access_token_cookie", TOKEN_ADMIN)
        created = client.post(
            "users/me/tokens",
            headers={"x-csrf-token": TOKEN_ADMIN_CSRF},
            json={
                "name": "my-pretty-token",
                "organization_uuid": UUID_ORG
            },
        )
        self.assertEqual(created.status_code, 201)
        body = created.json
        for key in ("access_token", "name", "jti"):
            self.assertIn(key, body)
        self.assertNotIn("refresh_token", body)
        claims = get_token_data(body["access_token"])
        self.assertEqual(claims["fresh"], False)
        self.assertEqual(claims["type"], "access")
        self.assertEqual(claims["identity"], UUID_ADMIN)
        # No "exp": the token does not expire on its own, so revocation is what ends it.
        self.assertNotIn("exp", claims)
        self.assertIn("user_claims", claims)
        user_claims = claims["user_claims"]
        # The admin's privileged claims must not leak into the API token.
        self.assertNotIn("system_role", user_claims)
        self.assertNotIn("force_pwd_change", user_claims)
        self.assertIn("organization_uuid", user_claims)
        self.assertEqual(user_claims["organization_uuid"], UUID_ORG)
        stored = api_tokens.get_token(claims["jti"])
        self.assertIsNotNone(stored)
        self.assertEqual(stored["user_uuid"], UUID_ADMIN)
def revoke_api_token(jti):
    """Revoke the calling user's API token identified by ``jti``.

    Responds with a JSON 404 when the token is unknown or already revoked, a
    JSON 401 when it belongs to someone other than the current JWT identity,
    and an empty 204 once the token has been marked revoked in the store.
    """
    stored = api_tokens.get_token(jti)
    if stored is None or stored["revoked"]:
        return abort(make_response(jsonify(message="Not found"), 404))
    # Existence is checked before ownership, so an authenticated caller can tell
    # an unknown jti (404) from another user's jti (401); a uniform 404 would
    # remove that distinction if jtis were ever guessable.
    if stored["user_uuid"] != get_jwt_identity():
        return abort(make_response(jsonify(message="Unauthorized"), 401))
    api_tokens.revoke_token(jti)
    return "", 204
def revoke_api_token(jti):
    """Revoke the calling user's API token identified by ``jti``.

    Responds with an empty 404 when the token is unknown or already revoked, an
    empty 401 when it belongs to someone other than the current JWT identity,
    and an empty 204 once the token has been marked revoked in the store.
    """
    stored = api_tokens.get_token(jti)
    if stored is None or stored["revoked"]:
        return abort(make_response("", 404))
    # Existence is checked before ownership, so an authenticated caller can tell
    # an unknown jti (404) from another user's jti (401); a uniform 404 would
    # remove that distinction if jtis were ever guessable.
    if stored["user_uuid"] != get_jwt_identity():
        return abort(make_response("", 401))
    api_tokens.revoke_token(jti)
    return "", 204
def check_if_token_revoked(decrypted_token):
    """Tell the JWT layer whether a decoded token has been revoked.

    Only tokens carrying no "exp" claim are looked up in the token store;
    any token with an expiry is trusted until it expires, so revoking such a
    token has no effect here. This keeps the check cheap for ordinary
    session tokens and can be widened later at a performance cost.

    Returns True only when the store knows the token and marks it revoked.
    """
    if "exp" in decrypted_token:
        # Expiring tokens are never consulted against the revocation store.
        return False
    stored = api_tokens.get_token(decrypted_token["jti"])
    return bool(stored and stored["revoked"])
def test_returns_token_list(self):
    """Listing tokens returns only unrevoked tokens owned by the calling user."""
    with app.test_client() as client:
        client.set_cookie("localhost", "access_token_cookie", TOKEN_USER)
        # Ensure there is at least one token to list before querying.
        client.post(
            "users/me/tokens",
            headers={"x-csrf-token": TOKEN_USER_CSRF},
            json={"name": "my-pretty-token"},
        )
        listing = client.get(
            "users/me/tokens", headers={"x-csrf-token": TOKEN_USER_CSRF}
        )
        self.assertEqual(listing.status_code, 200)
        self.assertIn("items", listing.json)
        # Every listed item must resolve to a live token of this user.
        for item in listing.json["items"]:
            stored = api_tokens.get_token(item["jti"])
            self.assertEqual(stored["user_uuid"], UUID_USER)
            self.assertFalse(stored["revoked"])