2023-03-10 13:57:18 -05:00
|
|
|
import pytest
|
|
|
|
|
import jwt
|
|
|
|
|
from sachet.server import db
|
|
|
|
|
from sachet.server.users import manage
|
|
|
|
|
|
2023-03-30 20:20:09 -04:00
|
|
|
|
2023-03-10 18:32:07 -05:00
|
|
|
def test_reserved_users(client):
|
|
|
|
|
"""Test that the server prevents reserved endpoints from being registered as usernames."""
|
|
|
|
|
for user in ["login", "logout", "extend"]:
|
|
|
|
|
with pytest.raises(KeyError):
|
|
|
|
|
manage.create_user(False, user, "")
|
|
|
|
|
|
2023-03-30 20:20:09 -04:00
|
|
|
|
2023-03-10 13:57:18 -05:00
|
|
|
def test_unauth_perms(client):
|
|
|
|
|
"""Test endpoints to see if they allow unauthenticated users."""
|
|
|
|
|
resp = client.get("/users/jeff")
|
|
|
|
|
assert resp.status_code == 401
|
|
|
|
|
|
2023-03-30 20:20:09 -04:00
|
|
|
|
2023-03-10 13:57:18 -05:00
|
|
|
def test_malformed_authorization(client):
|
|
|
|
|
"""Test attempting authorization incorrectly."""
|
|
|
|
|
|
|
|
|
|
# incorrect token
|
|
|
|
|
token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.get("/users/jeff", headers={"Authorization": f"bearer {token}"})
|
2023-03-10 13:57:18 -05:00
|
|
|
assert resp.status_code == 401
|
|
|
|
|
|
2023-03-10 18:32:07 -05:00
|
|
|
# token for incorrect user (but properly signed)
|
|
|
|
|
token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.nZ86hUWPdG43W6HVSGFy6DJnDVOZhx8a73LhQ3gIxY8"
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.get("/users/jeff", headers={"Authorization": f"bearer {token}"})
|
2023-03-10 18:32:07 -05:00
|
|
|
assert resp.status_code == 401
|
|
|
|
|
|
2023-03-10 13:57:18 -05:00
|
|
|
# invalid token
|
|
|
|
|
token = "not a.real JWT.token"
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.get("/users/jeff", headers={"Authorization": f"bearer {token}"})
|
2023-03-10 13:57:18 -05:00
|
|
|
assert resp.status_code == 401
|
|
|
|
|
|
|
|
|
|
# missing token
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.get("/users/jeff", headers={"Authorization": "bearer"})
|
2023-03-10 13:57:18 -05:00
|
|
|
assert resp.status_code == 401
|
|
|
|
|
|
2023-03-30 20:20:09 -04:00
|
|
|
|
2023-03-10 13:57:18 -05:00
|
|
|
def test_login(client, users):
|
|
|
|
|
"""Test logging in."""
|
|
|
|
|
|
|
|
|
|
# wrong password
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.post(
|
|
|
|
|
"/users/login",
|
|
|
|
|
json={"username": "jeff", "password": users["jeff"]["password"] + "garbage"},
|
|
|
|
|
)
|
2023-03-10 13:57:18 -05:00
|
|
|
assert resp.status_code == 401
|
|
|
|
|
|
2023-03-10 18:32:07 -05:00
|
|
|
# wrong user
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.post(
|
|
|
|
|
"/users/login",
|
|
|
|
|
json={"username": "jeffery", "password": users["jeff"]["password"] + "garbage"},
|
|
|
|
|
)
|
2023-03-10 18:32:07 -05:00
|
|
|
assert resp.status_code == 401
|
|
|
|
|
|
2023-03-10 13:57:18 -05:00
|
|
|
# logging in correctly
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.post(
|
|
|
|
|
"/users/login", json={"username": "jeff", "password": users["jeff"]["password"]}
|
|
|
|
|
)
|
2023-03-10 13:57:18 -05:00
|
|
|
assert resp.status_code == 200
|
|
|
|
|
resp_json = resp.get_json()
|
|
|
|
|
assert resp_json.get("status") == "success"
|
|
|
|
|
assert resp_json.get("username") == "jeff"
|
|
|
|
|
token = resp_json.get("auth_token")
|
|
|
|
|
assert token is not None and token != ""
|
2023-03-10 21:55:37 -05:00
|
|
|
|
|
|
|
|
|
2023-04-13 13:30:53 -04:00
|
|
|
def test_extend(client, tokens, validate_info, auth):
|
2023-03-18 21:51:21 -04:00
|
|
|
"""Test extending the token lifespan (get a new one with later expiry)."""
|
|
|
|
|
|
|
|
|
|
# obtain new token
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.post(
|
2023-04-13 13:30:53 -04:00
|
|
|
"/users/extend", headers=auth("jeff")
|
2023-03-18 21:51:21 -04:00
|
|
|
)
|
|
|
|
|
assert resp.status_code == 200
|
|
|
|
|
resp_json = resp.get_json()
|
|
|
|
|
new_token = resp_json.get("auth_token")
|
|
|
|
|
assert new_token is not None
|
|
|
|
|
assert new_token is not tokens["jeff"]
|
|
|
|
|
|
|
|
|
|
# revoke old token
|
|
|
|
|
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.post(
|
|
|
|
|
"/users/logout",
|
|
|
|
|
json={"token": tokens["jeff"]},
|
2023-04-13 13:30:53 -04:00
|
|
|
headers=auth("jeff"),
|
2023-03-18 21:51:21 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
# log in with the new token
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.get("/users/jeff", headers={"Authorization": f"Bearer {new_token}"})
|
2023-03-18 21:51:21 -04:00
|
|
|
assert resp.status_code == 200
|
|
|
|
|
resp_json = resp.get_json()
|
|
|
|
|
validate_info("jeff", resp_json)
|
|
|
|
|
|
|
|
|
|
|
2023-04-13 13:30:53 -04:00
|
|
|
def test_logout(client, tokens, validate_info, auth):
|
2023-03-10 21:55:37 -05:00
|
|
|
"""Test logging out."""
|
|
|
|
|
|
|
|
|
|
# unauthenticated
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.post(
|
|
|
|
|
"/users/logout",
|
|
|
|
|
json={"token": tokens["jeff"]},
|
2023-03-10 21:55:37 -05:00
|
|
|
)
|
|
|
|
|
assert resp.status_code == 401
|
|
|
|
|
|
|
|
|
|
# missing token
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.post(
|
2023-04-13 13:30:53 -04:00
|
|
|
"/users/logout", json={}, headers=auth("jeff")
|
2023-03-10 21:55:37 -05:00
|
|
|
)
|
|
|
|
|
assert resp.status_code == 400
|
|
|
|
|
|
|
|
|
|
# invalid token
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.post(
|
|
|
|
|
"/users/logout",
|
|
|
|
|
json={"token": "not.real.jwt"},
|
2023-04-13 13:30:53 -04:00
|
|
|
headers=auth("jeff"),
|
2023-03-10 21:55:37 -05:00
|
|
|
)
|
|
|
|
|
assert resp.status_code == 400
|
|
|
|
|
|
|
|
|
|
# wrong user's token
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.post(
|
|
|
|
|
"/users/logout",
|
|
|
|
|
json={"token": tokens["administrator"]},
|
2023-04-13 13:30:53 -04:00
|
|
|
headers=auth("jeff"),
|
2023-03-10 21:55:37 -05:00
|
|
|
)
|
|
|
|
|
assert resp.status_code == 403
|
|
|
|
|
|
|
|
|
|
# check that we can access this endpoint before logging out
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.get(
|
2023-04-13 13:30:53 -04:00
|
|
|
"/users/jeff", headers=auth("jeff")
|
2023-03-10 21:55:37 -05:00
|
|
|
)
|
|
|
|
|
assert resp.status_code == 200
|
|
|
|
|
validate_info("jeff", resp.get_json())
|
|
|
|
|
|
|
|
|
|
# valid logout
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.post(
|
|
|
|
|
"/users/logout",
|
|
|
|
|
json={"token": tokens["jeff"]},
|
2023-04-13 13:30:53 -04:00
|
|
|
headers=auth("jeff"),
|
2023-03-10 21:55:37 -05:00
|
|
|
)
|
|
|
|
|
assert resp.status_code == 200
|
|
|
|
|
|
|
|
|
|
# check that the logout worked
|
|
|
|
|
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.get(
|
2023-04-13 13:30:53 -04:00
|
|
|
"/users/jeff", headers=auth("jeff")
|
2023-03-10 21:55:37 -05:00
|
|
|
)
|
|
|
|
|
assert resp.status_code == 401
|
|
|
|
|
|
2023-03-30 20:20:09 -04:00
|
|
|
|
2023-04-13 13:30:53 -04:00
|
|
|
def test_admin_revoke(client, tokens, validate_info, auth):
|
2023-03-10 21:55:37 -05:00
|
|
|
"""Test that an admin can revoke any token from other users."""
|
|
|
|
|
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.post(
|
|
|
|
|
"/users/logout",
|
|
|
|
|
json={"token": tokens["jeff"]},
|
2023-04-13 13:30:53 -04:00
|
|
|
headers=auth("administrator"),
|
2023-03-10 21:55:37 -05:00
|
|
|
)
|
|
|
|
|
assert resp.status_code == 200
|
|
|
|
|
|
|
|
|
|
# check that the logout worked
|
|
|
|
|
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.get(
|
2023-04-13 13:30:53 -04:00
|
|
|
"/users/jeff", headers=auth("jeff")
|
2023-03-10 21:55:37 -05:00
|
|
|
)
|
|
|
|
|
assert resp.status_code == 401
|
|
|
|
|
|
|
|
|
|
# try revoking twice
|
|
|
|
|
|
2023-03-30 20:20:09 -04:00
|
|
|
resp = client.post(
|
|
|
|
|
"/users/logout",
|
|
|
|
|
json={"token": tokens["jeff"]},
|
2023-04-13 13:30:53 -04:00
|
|
|
headers=auth("administrator"),
|
2023-03-10 21:55:37 -05:00
|
|
|
)
|
|
|
|
|
assert resp.status_code == 400
|
