From e9adf91a278c0f3b2ce99bb6da9065f946d8df60 Mon Sep 17 00:00:00 2001
From: Matt Wright
Date: Tue, 14 Aug 2012 14:27:58 -0400
Subject: [PATCH] More and more test coverage

---
 flask_security/decorators.py | 10 +++-------
 tests/functional_tests.py | 36 ++++++++++++++++++++++++++++++++++--
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/flask_security/decorators.py b/flask_security/decorators.py
index 400cb0e..82ac8e5 100644
--- a/flask_security/decorators.py
+++ b/flask_security/decorators.py
@@ -14,6 +14,7 @@ from functools import wraps
 from flask import current_app, Response, request, redirect
 from flask.ext.login import login_required, login_url, current_user
 from flask.ext.principal import RoleNeed, Permission, Identity, identity_changed
+from itsdangerous import BadSignature
 from werkzeug.local import LocalProxy
 from . import utils
@@ -57,13 +58,8 @@ def _check_token():
     try:
         data = serializer.loads(token)
-        user = _security.datastore.find_user(id=data[0],
-                                             authentication_token=token)
-
-        if data[1] != utils.md5(user.email):
-            raise Exception()
-
-    except Exception:
+        _security.datastore.find_user(id=data[0], authentication_token=token)
+    except BadSignature:
         return False
     return True
diff --git a/tests/functional_tests.py b/tests/functional_tests.py
index cba617a..a13ba43 100644
--- a/tests/functional_tests.py
+++ b/tests/functional_tests.py
@@ -27,6 +27,11 @@ def get_cookies(rv):
 class DefaultSecurityTests(SecurityTest):
+    def test_instance(self):
+        self.assertIsNotNone(self.app)
+        self.assertIsNotNone(self.app.security)
+        self.assertIsNotNone(self.app.security.pwd_context)
+
     def test_login_view(self):
         r = self._get('/login')
         self.assertIn('Login Page', r.data)
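Review bot: The new `_check_token` body discards the result of `find_user` on the added line, so once `serializer.loads` accepts the signature the function returns True whether or not any user actually holds that token; the removed lines at least dereferenced `user.email`, which failed (and was caught) when no user matched. Assuming `find_user` returns None on no match, bind and test the result: `user = _security.datastore.find_user(id=data[0], authentication_token=token)` and `return user is not None` in place of `return True`. Consider also catching itsdangerous' broader `BadData` rather than `BadSignature`, so a token that is well-signed but cannot be loaded is rejected instead of propagating as an unhandled error. Whether the stored authentication_token lookup alone is meant to replace the removed email-hash binding is not visible here, and the rest of `_check_token`, including where `token` and `serializer` come from, lies outside the hunk.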
@@ -145,7 +150,15 @@ class DefaultSecurityTests(SecurityTest):
         })
         self.assertIn('HTTP Authentication', r.data)
-    def test_invalid_http_auth(self):
+    def test_invalid_http_auth_invalid_username(self):
+        r = self._get('/http', headers={
+            'Authorization': 'Basic ' + base64.b64encode("bogus:bogus")
+        })
+        self.assertIn('

Unauthorized

', r.data)
+        self.assertIn('WWW-Authenticate', r.headers)
+        self.assertEquals('Basic realm="Login Required"', r.headers['WWW-Authenticate'])
+
+    def test_invalid_http_auth_bad_password(self):
         r = self._get('/http', headers={
             'Authorization': 'Basic ' + base64.b64encode("joe@lp.com:bogus")
         })
@@ -249,6 +262,12 @@ class ConfirmableTests(SecurityTest):
         'SECURITY_REGISTERABLE': True
     }
+    def test_login_before_confirmation(self):
+        e = 'dude@lp.com'
+        self.register(e)
+        r = self.authenticate(email=e)
+        self.assertIn('Account requires confirmation', r.data)
+
     def test_register_sends_confirmation_email(self):
         e = 'dude@lp.com'
         with self.app.mail.record_messages() as outbox:
@@ -282,6 +301,12 @@ class ConfirmableTests(SecurityTest):
         r = self.client.get('/confirm/bogus', follow_redirects=True)
         self.assertIn('Invalid confirmation token', r.data)
+    def test_resend_confirmation(self):
+        e = 'dude@lp.com'
+        self.register(e)
+        r = self._post('/confirm', data={'email': e})
+        self.assertIn('A new confirmation code has been sent to dude@lp.com', r.data)
+
 class ExpiredConfirmationTest(SecurityTest):
     AUTH_CONFIG = {
@@ -352,7 +377,7 @@ class RecoverableTests(SecurityTest):
                             follow_redirects=True)
         t = requests[0]['token']
-        r = self.client.post('/reset/' + t, data={
+        r = self._post('/reset/' + t, data={
             'password': 'newpassword',
             'password_confirm': 'newpassword'
         }, follow_redirects=True)
@@ -360,6 +385,13 @@ class RecoverableTests(SecurityTest):
         r = self.authenticate('joe@lp.com', 'newpassword')
         self.assertIn('Hello joe@lp.com', r.data)
+    def test_reset_password_with_invalid_token(self):
+        r = self._post('/reset/bogus', data={
+            'password': 'newpassword',
+            'password_confirm': 'newpassword'
+        }, follow_redirects=True)
+        self.assertIn('Invalid reset password token', r.data)
+
     def test_reset_password_twice_flashes_invalid_token_msg(self):
         with capture_reset_password_requests() as requests:
             self.client.post('/reset', data=dict(email='joe@lp.com'))
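Review bot: `test_invalid_http_auth_invalid_username` checks the body text and the WWW-Authenticate header but never the response status, so a 200 page that happens to contain the word Unauthorized would still pass; add `self.assertEqual(401, r.status_code)` next to the header assertion. The realm check uses `assertEquals`, the deprecated alias of `assertEqual`, and should be written as the latter. The new `test_invalid_http_auth_bad_password` continues past the end of the hunk, so its assertions are not visible here.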