sachet-server/tests/test_auth.py

224 lines
5.9 KiB
Python

import pytest
import jwt
from sachet.server import db
from sachet.server.users import manage
def test_reserved_users(client):
"""Test that the server prevents reserved endpoints from being registered as usernames."""
for user in ["login", "logout", "extend"]:
with pytest.raises(KeyError):
manage.create_user(False, user, "")
def test_unauth_perms(client):
"""Test endpoints to see if they allow unauthenticated users."""
resp = client.get("/users/jeff")
assert resp.status_code == 401
def test_malformed_authorization(client):
"""Test attempting authorization incorrectly."""
# incorrect token
token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
resp = client.get(
"/users/jeff",
headers={
"Authorization": f"bearer {token}"
}
)
assert resp.status_code == 401
# token for incorrect user (but properly signed)
token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.nZ86hUWPdG43W6HVSGFy6DJnDVOZhx8a73LhQ3gIxY8"
resp = client.get(
"/users/jeff",
headers={
"Authorization": f"bearer {token}"
}
)
assert resp.status_code == 401
# invalid token
token = "not a.real JWT.token"
resp = client.get(
"/users/jeff",
headers={
"Authorization": f"bearer {token}"
}
)
assert resp.status_code == 401
# missing token
resp = client.get(
"/users/jeff",
headers={
"Authorization": "bearer"
}
)
assert resp.status_code == 401
def test_login(client, users):
"""Test logging in."""
# wrong password
resp = client.post("/users/login", json={
"username": "jeff",
"password": users["jeff"]["password"] + "garbage"
})
assert resp.status_code == 401
# wrong user
resp = client.post("/users/login", json={
"username": "jeffery",
"password": users["jeff"]["password"] + "garbage"
})
assert resp.status_code == 401
# logging in correctly
resp = client.post("/users/login", json={
"username": "jeff",
"password": users["jeff"]["password"]
})
assert resp.status_code == 200
resp_json = resp.get_json()
assert resp_json.get("status") == "success"
assert resp_json.get("username") == "jeff"
token = resp_json.get("auth_token")
assert token is not None and token != ""
def test_extend(client, tokens, validate_info):
"""Test extending the token lifespan (get a new one with later expiry)."""
# obtain new token
resp = client.post("/users/extend",
headers={
"Authorization": f"Bearer {tokens['jeff']}"
}
)
assert resp.status_code == 200
resp_json = resp.get_json()
new_token = resp_json.get("auth_token")
assert new_token is not None
assert new_token is not tokens["jeff"]
# revoke old token
resp = client.post("/users/logout", json={
"token": tokens["jeff"]
},
headers={
"Authorization": f"bearer {tokens['jeff']}"
}
)
# log in with the new token
resp = client.get("/users/jeff",
headers={
"Authorization": f"Bearer {new_token}"
}
)
assert resp.status_code == 200
resp_json = resp.get_json()
validate_info("jeff", resp_json)
def test_logout(client, tokens, validate_info):
"""Test logging out."""
# unauthenticated
resp = client.post("/users/logout", json={
"token": tokens["jeff"]
},
)
assert resp.status_code == 401
# missing token
resp = client.post("/users/logout", json={
},
headers={
"Authorization": f"bearer {tokens['jeff']}"
}
)
assert resp.status_code == 400
# invalid token
resp = client.post("/users/logout", json={
"token": "not.real.jwt"
},
headers={
"Authorization": f"bearer {tokens['jeff']}"
}
)
assert resp.status_code == 400
# wrong user's token
resp = client.post("/users/logout", json={
"token": tokens["administrator"]
},
headers={
"Authorization": f"bearer {tokens['jeff']}"
}
)
assert resp.status_code == 403
# check that we can access this endpoint before logging out
resp = client.get("/users/jeff",
headers={
"Authorization": f"bearer {tokens['jeff']}"
}
)
assert resp.status_code == 200
validate_info("jeff", resp.get_json())
# valid logout
resp = client.post("/users/logout", json={
"token": tokens["jeff"]
},
headers={
"Authorization": f"bearer {tokens['jeff']}"
}
)
assert resp.status_code == 200
# check that the logout worked
resp = client.get("/users/jeff",
headers={
"Authorization": f"bearer {tokens['jeff']}"
}
)
assert resp.status_code == 401
def test_admin_revoke(client, tokens, validate_info):
"""Test that an admin can revoke any token from other users."""
resp = client.post("/users/logout", json={
"token": tokens["jeff"]
},
headers={
"Authorization": f"bearer {tokens['administrator']}"
}
)
assert resp.status_code == 200
# check that the logout worked
resp = client.get("/users/jeff",
headers={
"Authorization": f"bearer {tokens['jeff']}"
}
)
assert resp.status_code == 401
# try revoking twice
resp = client.post("/users/logout", json={
"token": tokens["jeff"]
},
headers={
"Authorization": f"bearer {tokens['administrator']}"
}
)
assert resp.status_code == 400