sachet-server/tests/test_auth.py

204 lines
5.9 KiB
Python
Raw Permalink Normal View History

2023-03-10 13:57:18 -05:00
import pytest
import jwt
from sachet.server import db
from sachet.server.users import manage
2023-03-30 20:20:09 -04:00
2023-03-10 13:57:18 -05:00
def test_unauth_perms(client):
"""Test endpoints to see if they allow unauthenticated users."""
resp = client.get("/users/jeff")
assert resp.status_code == 401
2023-03-30 20:20:09 -04:00
2023-03-10 13:57:18 -05:00
def test_malformed_authorization(client):
"""Test attempting authorization incorrectly."""
# incorrect token
token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
2023-03-30 20:20:09 -04:00
resp = client.get("/users/jeff", headers={"Authorization": f"bearer {token}"})
2023-03-10 13:57:18 -05:00
assert resp.status_code == 401
2023-03-10 18:32:07 -05:00
# token for incorrect user (but properly signed)
token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.nZ86hUWPdG43W6HVSGFy6DJnDVOZhx8a73LhQ3gIxY8"
2023-03-30 20:20:09 -04:00
resp = client.get("/users/jeff", headers={"Authorization": f"bearer {token}"})
2023-03-10 18:32:07 -05:00
assert resp.status_code == 401
2023-03-10 13:57:18 -05:00
# invalid token
token = "not a.real JWT.token"
2023-03-30 20:20:09 -04:00
resp = client.get("/users/jeff", headers={"Authorization": f"bearer {token}"})
2023-03-10 13:57:18 -05:00
assert resp.status_code == 401
# missing token
2023-03-30 20:20:09 -04:00
resp = client.get("/users/jeff", headers={"Authorization": "bearer"})
2023-03-10 13:57:18 -05:00
assert resp.status_code == 401
2023-03-30 20:20:09 -04:00
2023-03-10 13:57:18 -05:00
def test_login(client, users):
"""Test logging in."""
# wrong password
2023-03-30 20:20:09 -04:00
resp = client.post(
"/users/login",
json={"username": "jeff", "password": users["jeff"]["password"] + "garbage"},
)
2023-03-10 13:57:18 -05:00
assert resp.status_code == 401
2023-03-10 18:32:07 -05:00
# wrong user
2023-03-30 20:20:09 -04:00
resp = client.post(
"/users/login",
json={"username": "jeffery", "password": users["jeff"]["password"] + "garbage"},
)
2023-03-10 18:32:07 -05:00
assert resp.status_code == 401
2023-03-10 13:57:18 -05:00
# logging in correctly
2023-03-30 20:20:09 -04:00
resp = client.post(
"/users/login", json={"username": "jeff", "password": users["jeff"]["password"]}
)
2023-03-10 13:57:18 -05:00
assert resp.status_code == 200
resp_json = resp.get_json()
assert resp_json.get("status") == "success"
assert resp_json.get("username") == "jeff"
token = resp_json.get("auth_token")
assert token is not None and token != ""
2023-03-10 21:55:37 -05:00
2023-04-13 13:30:53 -04:00
def test_extend(client, tokens, validate_info, auth):
2023-03-18 21:51:21 -04:00
"""Test extending the token lifespan (get a new one with later expiry)."""
# obtain new token
2023-04-15 16:33:50 -04:00
resp = client.post("/users/extend", headers=auth("jeff"))
2023-03-18 21:51:21 -04:00
assert resp.status_code == 200
resp_json = resp.get_json()
new_token = resp_json.get("auth_token")
assert new_token is not None
assert new_token is not tokens["jeff"]
# revoke old token
2023-03-30 20:20:09 -04:00
resp = client.post(
"/users/logout",
json={"token": tokens["jeff"]},
2023-04-13 13:30:53 -04:00
headers=auth("jeff"),
2023-03-18 21:51:21 -04:00
)
# log in with the new token
2023-03-30 20:20:09 -04:00
resp = client.get("/users/jeff", headers={"Authorization": f"Bearer {new_token}"})
2023-03-18 21:51:21 -04:00
assert resp.status_code == 200
resp_json = resp.get_json()
validate_info("jeff", resp_json)
2023-04-13 13:30:53 -04:00
def test_logout(client, tokens, validate_info, auth):
2023-03-10 21:55:37 -05:00
"""Test logging out."""
# unauthenticated
2023-03-30 20:20:09 -04:00
resp = client.post(
"/users/logout",
json={"token": tokens["jeff"]},
2023-03-10 21:55:37 -05:00
)
assert resp.status_code == 401
# missing token
2023-04-15 16:33:50 -04:00
resp = client.post("/users/logout", json={}, headers=auth("jeff"))
2023-03-10 21:55:37 -05:00
assert resp.status_code == 400
# invalid token
2023-03-30 20:20:09 -04:00
resp = client.post(
"/users/logout",
json={"token": "not.real.jwt"},
2023-04-13 13:30:53 -04:00
headers=auth("jeff"),
2023-03-10 21:55:37 -05:00
)
assert resp.status_code == 400
# wrong user's token
2023-03-30 20:20:09 -04:00
resp = client.post(
"/users/logout",
json={"token": tokens["administrator"]},
2023-04-13 13:30:53 -04:00
headers=auth("jeff"),
2023-03-10 21:55:37 -05:00
)
assert resp.status_code == 403
# check that we can access this endpoint before logging out
2023-04-15 16:33:50 -04:00
resp = client.get("/users/jeff", headers=auth("jeff"))
2023-03-10 21:55:37 -05:00
assert resp.status_code == 200
validate_info("jeff", resp.get_json())
# valid logout
2023-03-30 20:20:09 -04:00
resp = client.post(
"/users/logout",
json={"token": tokens["jeff"]},
2023-04-13 13:30:53 -04:00
headers=auth("jeff"),
2023-03-10 21:55:37 -05:00
)
assert resp.status_code == 200
# check that the logout worked
2023-04-15 16:33:50 -04:00
resp = client.get("/users/jeff", headers=auth("jeff"))
2023-03-10 21:55:37 -05:00
assert resp.status_code == 401
2023-03-30 20:20:09 -04:00
def test_password_change(client, tokens, users, auth):
"""Test changing passwords."""
# test that we're logged in
resp = client.get("/users/jeff", headers=auth("jeff"))
assert resp.status_code == 200
# change password
resp = client.post(
"/users/password",
json=dict(old=users["jeff"]["password"], new="new_password"),
headers=auth("jeff"),
)
assert resp.status_code == 200
# revoke old token
resp = client.post(
"/users/logout", json=dict(token=tokens["jeff"]), headers=auth("jeff")
)
assert resp.status_code == 200
# test that we're logged out
resp = client.get(
"/users/jeff", headers=auth("jeff"), json=dict(token=tokens["jeff"])
)
assert resp.status_code == 401
# sign in with new token
resp = client.post(
"/users/login", json=dict(username="jeff", password="new_password")
)
assert resp.status_code == 200
data = resp.get_json()
new_token = data.get("auth_token")
assert new_token
# test that we're logged in
resp = client.get("/users/jeff", headers=dict(Authorization=f"bearer {new_token}"))
assert resp.status_code == 200
2023-04-13 13:30:53 -04:00
def test_admin_revoke(client, tokens, validate_info, auth):
2023-03-10 21:55:37 -05:00
"""Test that an admin can revoke any token from other users."""
2023-03-30 20:20:09 -04:00
resp = client.post(
"/users/logout",
json={"token": tokens["jeff"]},
2023-04-13 13:30:53 -04:00
headers=auth("administrator"),
2023-03-10 21:55:37 -05:00
)
assert resp.status_code == 200
# check that the logout worked
2023-04-15 16:33:50 -04:00
resp = client.get("/users/jeff", headers=auth("jeff"))
2023-03-10 21:55:37 -05:00
assert resp.status_code == 401
# try revoking twice
2023-03-30 20:20:09 -04:00
resp = client.post(
"/users/logout",
json={"token": tokens["jeff"]},
2023-04-13 13:30:53 -04:00
headers=auth("administrator"),
2023-03-10 21:55:37 -05:00
)
assert resp.status_code == 400