sachet-server/tests/test_auth.py

import pytest
import jwt
from sachet.server import db
from sachet.server.users import manage

def test_reserved_users(client):
    """Test that the server prevents reserved endpoints from being registered as usernames."""
    for user in ["login", "logout", "extend"]:
        with pytest.raises(KeyError):
            manage.create_user(False, user, "")

def test_unauth_perms(client):
    """Test endpoints to see if they allow unauthenticated users."""
    resp = client.get("/users/jeff")
    assert resp.status_code == 401

def test_malformed_authorization(client):
    """Test attempting authorization incorrectly."""

    # incorrect token
    token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
    resp = client.get(
        "/users/jeff",
        headers={
            "Authorization": f"bearer {token}"
        }
    )
    assert resp.status_code == 401

    # token for incorrect user (but properly signed)
    token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.nZ86hUWPdG43W6HVSGFy6DJnDVOZhx8a73LhQ3gIxY8"
    resp = client.get(
        "/users/jeff",
        headers={
            "Authorization": f"bearer {token}"
        }
    )
    assert resp.status_code == 401

    # invalid token
    token = "not a.real JWT.token"
    resp = client.get(
        "/users/jeff",
        headers={
            "Authorization": f"bearer {token}"
        }
    )
    assert resp.status_code == 401

    # missing token
    resp = client.get(
        "/users/jeff",
        headers={
            "Authorization": "bearer"
        }
    )
    assert resp.status_code == 401

def test_login(client, users):
    """Test logging in."""

    # wrong password
    resp = client.post("/users/login", json={
        "username": "jeff",
        "password": users["jeff"]["password"] + "garbage"
    })
    assert resp.status_code == 401

    # wrong user
    resp = client.post("/users/login", json={
        "username": "jeffery",
        "password": users["jeff"]["password"] + "garbage"
    })
    assert resp.status_code == 401

    # logging in correctly
    resp = client.post("/users/login", json={
        "username": "jeff",
        "password": users["jeff"]["password"]
    })
    assert resp.status_code == 200
    resp_json = resp.get_json()
    assert resp_json.get("status") == "success"
    assert resp_json.get("username") == "jeff"
    token = resp_json.get("auth_token")
    assert token is not None and token != ""


def test_extend(client, tokens, validate_info):
    """Test extending the token lifespan (get a new one with later expiry)."""

    # obtain new token
    resp = client.post("/users/extend",
        headers={
            "Authorization": f"Bearer {tokens['jeff']}"
        }
    )
    assert resp.status_code == 200
    resp_json = resp.get_json()
    new_token = resp_json.get("auth_token")
    assert new_token is not None
    assert new_token is not tokens["jeff"]

    # revoke old token

    resp = client.post("/users/logout", json={
            "token": tokens["jeff"]
        },
        headers={
            "Authorization": f"bearer {tokens['jeff']}"
        }
    )

    # log in with the new token
    resp = client.get("/users/jeff",
        headers={
            "Authorization": f"Bearer {new_token}"
        }
    )
    assert resp.status_code == 200
    resp_json = resp.get_json()
    validate_info("jeff", resp_json)


def test_logout(client, tokens, validate_info):
    """Test logging out."""

    # unauthenticated
    resp = client.post("/users/logout", json={
            "token": tokens["jeff"]
        },
    )
    assert resp.status_code == 401

    # missing token
    resp = client.post("/users/logout", json={

        },
        headers={
            "Authorization": f"bearer {tokens['jeff']}"
        }
    )
    assert resp.status_code == 400

    # invalid token
    resp = client.post("/users/logout", json={
            "token": "not.real.jwt"
        },
        headers={
            "Authorization": f"bearer {tokens['jeff']}"
        }
    )
    assert resp.status_code == 400

    # wrong user's token
    resp = client.post("/users/logout", json={
            "token": tokens["administrator"]
        },
        headers={
            "Authorization": f"bearer {tokens['jeff']}"
        }
    )
    assert resp.status_code == 403

    # check that we can access this endpoint before logging out
    resp = client.get("/users/jeff",
        headers={
            "Authorization": f"bearer {tokens['jeff']}"
        }
    )
    assert resp.status_code == 200
    validate_info("jeff", resp.get_json())

    # valid logout
    resp = client.post("/users/logout", json={
            "token": tokens["jeff"]
        },
        headers={
            "Authorization": f"bearer {tokens['jeff']}"
        }
    )
    assert resp.status_code == 200

    # check that the logout worked

    resp = client.get("/users/jeff",
        headers={
            "Authorization": f"bearer {tokens['jeff']}"
        }
    )
    assert resp.status_code == 401

def test_admin_revoke(client, tokens, validate_info):
    """Test that an admin can revoke any token from other users."""

    resp = client.post("/users/logout", json={
            "token": tokens["jeff"]
        },
        headers={
            "Authorization": f"bearer {tokens['administrator']}"
        }
    )
    assert resp.status_code == 200

    # check that the logout worked

    resp = client.get("/users/jeff",
        headers={
            "Authorization": f"bearer {tokens['jeff']}"
        }
    )
    assert resp.status_code == 401

    # try revoking twice

    resp = client.post("/users/logout", json={
            "token": tokens["jeff"]
        },
        headers={
            "Authorization": f"bearer {tokens['administrator']}"
        }
    )
    assert resp.status_code == 400
tests: added tests for authentication 2023-03-10 13:57:18 -05:00			`import pytest`
			`import jwt`
			`from sachet.server import db`
			`from sachet.server.users import manage`

tests: improved coverage 2023-03-10 18:32:07 -05:00			`def test_reserved_users(client):`
			`"""Test that the server prevents reserved endpoints from being registered as usernames."""`
			`for user in ["login", "logout", "extend"]:`
			`with pytest.raises(KeyError):`
			`manage.create_user(False, user, "")`

tests: added tests for authentication 2023-03-10 13:57:18 -05:00			`def test_unauth_perms(client):`
			`"""Test endpoints to see if they allow unauthenticated users."""`
			`resp = client.get("/users/jeff")`
			`assert resp.status_code == 401`

			`def test_malformed_authorization(client):`
			`"""Test attempting authorization incorrectly."""`

			`# incorrect token`
			`token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"`
			`resp = client.get(`
			`"/users/jeff",`
			`headers={`
			`"Authorization": f"bearer {token}"`
			`}`
			`)`
			`assert resp.status_code == 401`

tests: improved coverage 2023-03-10 18:32:07 -05:00			`# token for incorrect user (but properly signed)`
			`token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.nZ86hUWPdG43W6HVSGFy6DJnDVOZhx8a73LhQ3gIxY8"`
			`resp = client.get(`
			`"/users/jeff",`
			`headers={`
			`"Authorization": f"bearer {token}"`
			`}`
			`)`
			`assert resp.status_code == 401`

tests: added tests for authentication 2023-03-10 13:57:18 -05:00			`# invalid token`
			`token = "not a.real JWT.token"`
			`resp = client.get(`
			`"/users/jeff",`
			`headers={`
			`"Authorization": f"bearer {token}"`
			`}`
			`)`
			`assert resp.status_code == 401`

			`# missing token`
			`resp = client.get(`
			`"/users/jeff",`
			`headers={`
tests: improved coverage 2023-03-10 18:32:07 -05:00			`"Authorization": "bearer"`
tests: added tests for authentication 2023-03-10 13:57:18 -05:00			`}`
			`)`
			`assert resp.status_code == 401`

			`def test_login(client, users):`
			`"""Test logging in."""`

			`# wrong password`
			`resp = client.post("/users/login", json={`
			`"username": "jeff",`
			`"password": users["jeff"]["password"] + "garbage"`
			`})`
			`assert resp.status_code == 401`

tests: improved coverage 2023-03-10 18:32:07 -05:00			`# wrong user`
			`resp = client.post("/users/login", json={`
			`"username": "jeffery",`
			`"password": users["jeff"]["password"] + "garbage"`
			`})`
			`assert resp.status_code == 401`

tests: added tests for authentication 2023-03-10 13:57:18 -05:00			`# logging in correctly`
			`resp = client.post("/users/login", json={`
			`"username": "jeff",`
			`"password": users["jeff"]["password"]`
			`})`
			`assert resp.status_code == 200`
			`resp_json = resp.get_json()`
			`assert resp_json.get("status") == "success"`
			`assert resp_json.get("username") == "jeff"`
			`token = resp_json.get("auth_token")`
			`assert token is not None and token != ""`
authentication: added logout ability 2023-03-10 21:55:37 -05:00

auth: added /users/extend endpoint 2023-03-18 21:51:21 -04:00			`def test_extend(client, tokens, validate_info):`
			`"""Test extending the token lifespan (get a new one with later expiry)."""`

			`# obtain new token`
			`resp = client.post("/users/extend",`
			`headers={`
			`"Authorization": f"Bearer {tokens['jeff']}"`
			`}`
			`)`
			`assert resp.status_code == 200`
			`resp_json = resp.get_json()`
			`new_token = resp_json.get("auth_token")`
			`assert new_token is not None`
			`assert new_token is not tokens["jeff"]`

			`# revoke old token`

			`resp = client.post("/users/logout", json={`
			`"token": tokens["jeff"]`
			`},`
			`headers={`
			`"Authorization": f"bearer {tokens['jeff']}"`
			`}`
			`)`

			`# log in with the new token`
			`resp = client.get("/users/jeff",`
			`headers={`
			`"Authorization": f"Bearer {new_token}"`
			`}`
			`)`
			`assert resp.status_code == 200`
			`resp_json = resp.get_json()`
			`validate_info("jeff", resp_json)`


authentication: added logout ability 2023-03-10 21:55:37 -05:00			`def test_logout(client, tokens, validate_info):`
			`"""Test logging out."""`

			`# unauthenticated`
			`resp = client.post("/users/logout", json={`
			`"token": tokens["jeff"]`
			`},`
			`)`
			`assert resp.status_code == 401`

			`# missing token`
			`resp = client.post("/users/logout", json={`

			`},`
			`headers={`
			`"Authorization": f"bearer {tokens['jeff']}"`
			`}`
			`)`
			`assert resp.status_code == 400`

			`# invalid token`
			`resp = client.post("/users/logout", json={`
			`"token": "not.real.jwt"`
			`},`
			`headers={`
			`"Authorization": f"bearer {tokens['jeff']}"`
			`}`
			`)`
			`assert resp.status_code == 400`

			`# wrong user's token`
			`resp = client.post("/users/logout", json={`
			`"token": tokens["administrator"]`
			`},`
			`headers={`
			`"Authorization": f"bearer {tokens['jeff']}"`
			`}`
			`)`
			`assert resp.status_code == 403`

			`# check that we can access this endpoint before logging out`
			`resp = client.get("/users/jeff",`
			`headers={`
			`"Authorization": f"bearer {tokens['jeff']}"`
			`}`
			`)`
			`assert resp.status_code == 200`
			`validate_info("jeff", resp.get_json())`

			`# valid logout`
			`resp = client.post("/users/logout", json={`
			`"token": tokens["jeff"]`
			`},`
			`headers={`
			`"Authorization": f"bearer {tokens['jeff']}"`
			`}`
			`)`
			`assert resp.status_code == 200`

			`# check that the logout worked`

			`resp = client.get("/users/jeff",`
			`headers={`
			`"Authorization": f"bearer {tokens['jeff']}"`
			`}`
			`)`
			`assert resp.status_code == 401`

			`def test_admin_revoke(client, tokens, validate_info):`
			`"""Test that an admin can revoke any token from other users."""`

			`resp = client.post("/users/logout", json={`
			`"token": tokens["jeff"]`
			`},`
			`headers={`
			`"Authorization": f"bearer {tokens['administrator']}"`
			`}`
			`)`
			`assert resp.status_code == 200`

			`# check that the logout worked`

			`resp = client.get("/users/jeff",`
			`headers={`
			`"Authorization": f"bearer {tokens['jeff']}"`
			`}`
			`)`
			`assert resp.status_code == 401`

			`# try revoking twice`

			`resp = client.post("/users/logout", json={`
			`"token": tokens["jeff"]`
			`},`
			`headers={`
			`"Authorization": f"bearer {tokens['administrator']}"`
			`}`
			`)`
			`assert resp.status_code == 400`