diff --git a/sachet/server/models.py b/sachet/server/models.py
index 7ba4633..c251b77 100644
--- a/sachet/server/models.py
+++ b/sachet/server/models.py
@@ -48,7 +48,7 @@ def _token_decorator(require_admin, f, *args, **kwargs):
 "status": "fail",
 "message": "Malformed Authorization header."
 }
-return jsonify(resp)
+return jsonify(resp), 401
 
 if not token:
 return jsonify({"status": "fail", "message": "Missing auth token"}), 401
diff --git a/tests/test_auth.py b/tests/test_auth.py
index acd393b..479729d 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -3,6 +3,12 @@ import jwt
 from sachet.server import db
 from sachet.server.users import manage
 
+def test_reserved_users(client):
+"""Test that the server prevents reserved endpoints from being registered as usernames."""
+for user in ["login", "logout", "extend"]:
+with pytest.raises(KeyError):
+manage.create_user(False, user, "")
+
 def test_unauth_perms(client):
 """Test endpoints to see if they allow unauthenticated users."""
 resp = client.get("/users/jeff")
@@ -21,6 +27,16 @@ def test_malformed_authorization(client):
 )
 assert resp.status_code == 401
 
+# token for incorrect user (but properly signed)
+token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.nZ86hUWPdG43W6HVSGFy6DJnDVOZhx8a73LhQ3gIxY8"
+resp = client.get(
+"/users/jeff",
+headers={
+"Authorization": f"bearer {token}"
+}
+)
+assert resp.status_code == 401
+
 # invalid token
 token = "not a.real JWT.token"
 resp = client.get(
@@ -32,11 +48,10 @@ def test_malformed_authorization(client):
 assert resp.status_code == 401
 
 # missing token
-token = "not a.real JWT.token"
 resp = client.get(
 "/users/jeff",
 headers={
-"Authorization": ""
+"Authorization": "bearer"
 }
 )
 assert resp.status_code == 401
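Review bot: The malformed-header branch now returns 401 like the missing-token branch below it, but neither of the 401 responses visible in this hunk sets a `WWW-Authenticate` header, which RFC 7235 requires on a 401 so the client knows which scheme to retry with. Consider returning `jsonify(resp), 401, {"WWW-Authenticate": "Bearer"}` on each failure branch, or factoring the near-identical `{"status": "fail", "message": ...}` responses into one small helper so the status code and header cannot drift apart again the way the status did here. `_token_decorator` begins before and continues after the hunk, so any further failure branches are not visible from this view.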
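Review bot: The reserved-name list `["login", "logout", "extend"]` in `test_reserved_users` is a second copy of whatever the server enforces, so a new endpoint added later will only be protected if both copies are updated; if the server exposes that list as a constant, iterate over it here instead. The test also only checks that `KeyError` is raised and not that no user was left behind, so a check that runs after the insert would still pass it — a follow-up assertion that the name does not resolve (for example via the same `manage` module or a `db` query) would close that gap. Whether route matching is case-insensitive, so that `Login` would collide too, cannot be told from this diff and may deserve its own case.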
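Review bot: The comment `# token for incorrect user (but properly signed)` does not match what the request exercises: the hard-coded token is the well-known jwt.io sample, signed under a key the server does not hold, so it is rejected on signature verification and the unknown-subject branch is never reached. Since the module already imports `jwt`, mint the token with the application's own signing key, for example `token = jwt.encode({"sub": "nobody"}, client.application.config["SECRET_KEY"], algorithm="HS256")`; the claim names and config key the server actually reads are not visible in this diff and need confirming against the decoder. If the decoder also enforces expiry, include an `exp` claim so an expired-token rejection does not mask the result.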
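Review bot: Replacing `"Authorization": ""` with `"Authorization": "bearer"` swaps the empty-header case for the scheme-only case instead of adding it, and the two are served by different branches in the decorator (the header parse versus the `if not token` check), so both should stay covered. Keep the original request and add the new one after it, each asserting `resp.status_code == 401`. Dropping the stale `token = "not a.real JWT.token"` line is correct since that request never used it; `test_malformed_authorization` starts before this hunk.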
@@ -51,6 +66,13 @@ def test_login(client, users):
 })
 assert resp.status_code == 401
 
+# wrong user
+resp = client.post("/users/login", json={
+"username": "jeffery",
+"password": users["jeff"]["password"] + "garbage"
+})
+assert resp.status_code == 401
+
 # logging in correctly
 resp = client.post("/users/login", json={
 "username": "jeff",
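Review bot: With `"username": "jeffery"` and a mangled password the request is wrong on both axes, so it does not isolate the unknown-user path, and asserting only `resp.status_code == 401` does not check that the failure is indistinguishable from the wrong-password one — differing bodies or codes between those two cases are what enable username enumeration. Send the correct `users["jeff"]["password"]` with the unknown username and compare the JSON body to the wrong-password response, for example `assert resp.get_json() == bad_password.get_json()` where `bad_password` holds the earlier response (that request is only partly visible above the hunk). `test_login` starts and ends outside the hunk.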