diff --git a/flask_security/decorators.py b/flask_security/decorators.py
index 400cb0e..82ac8e5 100644
--- a/flask_security/decorators.py
+++ b/flask_security/decorators.py
@@ -14,6 +14,7 @@ from functools import wraps
from flask import current_app, Response, request, redirect
from flask.ext.login import login_required, login_url, current_user
from flask.ext.principal import RoleNeed, Permission, Identity, identity_changed
+from itsdangerous import BadSignature
from werkzeug.local import LocalProxy
from . import utils
@@ -57,13 +58,8 @@ def _check_token():
try:
data = serializer.loads(token)
- user = _security.datastore.find_user(id=data[0],
- authentication_token=token)
-
- if data[1] != utils.md5(user.email):
- raise Exception()
-
- except Exception:
+ _security.datastore.find_user(id=data[0], authentication_token=token)
+ except BadSignature:
return False
return True
diff --git a/tests/functional_tests.py b/tests/functional_tests.py
index cba617a..a13ba43 100644
--- a/tests/functional_tests.py
+++ b/tests/functional_tests.py
@@ -27,6 +27,11 @@ def get_cookies(rv):
class DefaultSecurityTests(SecurityTest):
+ def test_instance(self):
+ self.assertIsNotNone(self.app)
+ self.assertIsNotNone(self.app.security)
+ self.assertIsNotNone(self.app.security.pwd_context)
+
def test_login_view(self):
r = self._get('/login')
self.assertIn('Login Page', r.data)
@@ -145,7 +150,15 @@ class DefaultSecurityTests(SecurityTest):
})
self.assertIn('HTTP Authentication', r.data)
- def test_invalid_http_auth(self):
+ def test_invalid_http_auth_invalid_username(self):
+ r = self._get('/http', headers={
+ 'Authorization': 'Basic ' + base64.b64encode("bogus:bogus")
+ })
+ self.assertIn('
Unauthorized
', r.data)
+ self.assertIn('WWW-Authenticate', r.headers)
+ self.assertEquals('Basic realm="Login Required"', r.headers['WWW-Authenticate'])
+
+ def test_invalid_http_auth_bad_password(self):
r = self._get('/http', headers={
'Authorization': 'Basic ' + base64.b64encode("joe@lp.com:bogus")
})
@@ -249,6 +262,12 @@ class ConfirmableTests(SecurityTest):
'SECURITY_REGISTERABLE': True
}
+ def test_login_before_confirmation(self):
+ e = 'dude@lp.com'
+ self.register(e)
+ r = self.authenticate(email=e)
+ self.assertIn('Account requires confirmation', r.data)
+
def test_register_sends_confirmation_email(self):
e = 'dude@lp.com'
with self.app.mail.record_messages() as outbox:
@@ -282,6 +301,12 @@ class ConfirmableTests(SecurityTest):
r = self.client.get('/confirm/bogus', follow_redirects=True)
self.assertIn('Invalid confirmation token', r.data)
+ def test_resend_confirmation(self):
+ e = 'dude@lp.com'
+ self.register(e)
+ r = self._post('/confirm', data={'email': e})
+ self.assertIn('A new confirmation code has been sent to dude@lp.com', r.data)
+
class ExpiredConfirmationTest(SecurityTest):
AUTH_CONFIG = {
@@ -352,7 +377,7 @@ class RecoverableTests(SecurityTest):
follow_redirects=True)
t = requests[0]['token']
- r = self.client.post('/reset/' + t, data={
+ r = self._post('/reset/' + t, data={
'password': 'newpassword',
'password_confirm': 'newpassword'
}, follow_redirects=True)
@@ -360,6 +385,13 @@ class RecoverableTests(SecurityTest):
r = self.authenticate('joe@lp.com', 'newpassword')
self.assertIn('Hello joe@lp.com', r.data)
+ def test_reset_password_with_invalid_token(self):
+ r = self._post('/reset/bogus', data={
+ 'password': 'newpassword',
+ 'password_confirm': 'newpassword'
+ }, follow_redirects=True)
+ self.assertIn('Invalid reset password token', r.data)
+
def test_reset_password_twice_flashes_invalid_token_msg(self):
with capture_reset_password_requests() as requests:
self.client.post('/reset', data=dict(email='joe@lp.com'))