from bs4 import BeautifulSoup
from flask import url_for
from tests.conftest import (
SERVICE_ONE_ID,
normalize_spaces,
set_config,
url_for_endpoint_with_token,
)
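def test_should_render_two_factor_page(
    client,
    api_user_active,
    mock_get_user_by_email,
):
    """GET /two-factor renders the SMS-code prompt for a user mid sign-in.

    The view identifies the half-signed-in user from
    ``session['user_details']``, so that entry is seeded directly rather than
    driving the whole sign-in flow.
    """
    # TODO this lives here until we work out how to
    # reassign the session after it is lost mid register process
    with client.session_transaction() as session:
        session['user_details'] = {
            'id': api_user_active.id,
            'email': api_user_active.email_address}

    response = client.get(url_for('main.two_factor'))
    assert response.status_code == 200

    page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
    assert page.select_one('main p').text.strip() == (
        'We’ve sent you a text message with a security code.'
    )
    # Bug fix: the original called ``.strip('Text message code')`` — a
    # character-set strip — and asserted only that the result was truthy, so
    # the label copy was never actually compared against anything.
    assert page.select_one('label').text.strip() == (
        'Text message code'
    )
    # The code input is numeric-only on the client side; this is usability,
    # not validation — the server-side check is exercised by the POST tests.
    assert page.select_one('input')['type'] == 'tel'
    assert page.select_one('input')['pattern'] == '[0-9]*'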
def test_should_login_user_and_should_redirect_to_next_url(
    client,
    api_user_active,
    mock_get_user,
    mock_get_user_by_email,
    mock_check_verify_code,
    mock_create_event,
):
    """A correct SMS code signs the user in and honours a relative ``next`` path.

    ``next`` points at a service dashboard inside the app, so the redirect is
    expected to land on ``main.service_dashboard`` for that service.
    """
    with client.session_transaction() as sess:
        sess['user_details'] = {
            'id': api_user_active.id,
            'email': api_user_active.email_address}

    next_path = '/services/{}'.format(SERVICE_ONE_ID)
    response = client.post(
        url_for('main.two_factor', next=next_path),
        data={'sms_code': '12345'},
    )

    assert response.status_code == 302
    expected_location = url_for(
        'main.service_dashboard',
        service_id=SERVICE_ONE_ID,
        _external=True
    )
    assert response.location == expected_location
def test_should_login_user_and_not_redirect_to_external_url(
    client,
    api_user_active,
    mock_get_user,
    mock_get_user_by_email,
    mock_check_verify_code,
    mock_get_services_with_one_service,
    mock_create_event,
):
    """An absolute, off-site ``next`` URL is ignored after a correct SMS code.

    Honouring an attacker-supplied host here would turn the sign-in flow into
    an open redirect, so the response must land on the app's own landing page
    (``main.show_accounts_or_dashboard``) instead.
    """
    user_details = {
        'id': api_user_active.id,
        'email': api_user_active.email_address}
    with client.session_transaction() as sess:
        sess['user_details'] = user_details

    off_site_next = 'http://www.google.com'
    response = client.post(
        url_for('main.two_factor', next=off_site_next),
        data={'sms_code': '12345'},
    )

    assert response.status_code == 302
    landing_page = url_for('main.show_accounts_or_dashboard', _external=True)
    assert response.location == landing_page
def test_should_login_user_and_redirect_to_show_accounts(
    client,
    api_user_active,
    mock_get_user,
    mock_get_user_by_email,
    mock_check_verify_code,
    mock_create_event,
):
    """With no ``next`` parameter a correct SMS code redirects to the landing page."""
    with client.session_transaction() as sess:
        sess['user_details'] = {
            'id': api_user_active.id,
            'email': api_user_active.email_address}

    response = client.post(url_for('main.two_factor'), data={'sms_code': '12345'})

    assert response.status_code == 302
    landing_page = url_for('main.show_accounts_or_dashboard', _external=True)
    assert response.location == landing_page
def test_should_return_200_with_sms_code_error_when_sms_code_is_wrong(
    client,
    api_user_active,
    mock_get_user_by_email,
    mock_check_verify_code_code_not_found,
):
    """A rejected SMS code re-renders the form (200) with the 'Code not found' error.

    ``mock_check_verify_code_code_not_found`` makes the API-side code check
    fail, so the view re-renders rather than redirecting the user onward.
    """
    with client.session_transaction() as sess:
        sess['user_details'] = {
            'id': api_user_active.id,
            'email': api_user_active.email_address}

    response = client.post(url_for('main.two_factor'), data={'sms_code': '23456'})
    body = response.get_data(as_text=True)

    assert response.status_code == 200
    assert 'Code not found' in body
def test_should_login_user_when_multiple_valid_codes_exist(
    client,
    api_user_active,
    mock_get_user,
    mock_get_user_by_email,
    mock_check_verify_code,
    mock_get_services_with_one_service,
    mock_create_event,
):
    """An accepted code still signs the user in (302) when more than one code is outstanding.

    NOTE(review): nothing in the body creates several codes — that scenario is
    presumably modelled by the fixtures — and only the redirect status is
    asserted, not the destination.
    """
    user_details = {
        'id': api_user_active.id,
        'email': api_user_active.email_address}
    with client.session_transaction() as sess:
        sess['user_details'] = user_details

    response = client.post(
        url_for('main.two_factor'),
        data={'sms_code': '23456'},
    )

    assert response.status_code == 302
def test_two_factor_should_set_password_when_new_password_exists_in_session(
    client,
    api_user_active,
    mock_get_user,
    mock_check_verify_code,
    mock_get_services_with_one_service,
    mock_update_user_password,
    mock_create_event,
):
    """A pending password change held in the session is applied once the SMS code is accepted.

    The new password travels in ``session['user_details']['password']``; on a
    successful code check the view must push it to the user API exactly once
    and then redirect to the landing page.
    """
    with client.session_transaction() as sess:
        sess['user_details'] = {
            'id': api_user_active.id,
            'email': api_user_active.email_address,
            'password': 'changedpassword'}

    response = client.post(url_for('main.two_factor'), data={'sms_code': '12345'})

    assert response.status_code == 302
    landing_page = url_for('main.show_accounts_or_dashboard', _external=True)
    assert response.location == landing_page

    mock_update_user_password.assert_called_once_with(
        api_user_active.id, password='changedpassword'
    )
def test_two_factor_returns_error_when_user_is_locked(
    client,
    api_user_locked,
    mock_get_locked_user,
    mock_check_verify_code_code_not_found,
    mock_get_services_with_one_service
):
    """A locked user posting an SMS code gets the re-rendered form with 'Code not found'.

    The code check is mocked to fail, so what is asserted is that the response
    is a 200 (no sign-in redirect) carrying the same generic error copy that the
    plain wrong-code case shows.
    """
    with client.session_transaction() as sess:
        sess['user_details'] = {
            'id': api_user_locked.id,
            'email': api_user_locked.email_address,
        }

    response = client.post(
        url_for('main.two_factor'),
        data={'sms_code': '12345'},
    )
    body = response.get_data(as_text=True)

    assert response.status_code == 200
    assert 'Code not found' in body
def test_two_factor_should_redirect_to_sign_in_if_user_not_in_session(
    client,
    api_user_active,
    mock_get_user,
):
    """POSTing a code with no ``user_details`` in the session redirects to sign-in.

    No session is seeded here, so the view has no half-signed-in user to verify
    against and must bounce to ``main.sign_in`` instead of processing the code.
    """
    response = client.post(
        url_for('main.two_factor'),
        data={'sms_code': '12345'},
    )

    assert response.status_code == 302
    sign_in_page = url_for('main.sign_in', _external=True)
    assert response.location == sign_in_page
def test_two_factor_should_activate_pending_user(
    client,
    mocker,
    api_user_pending,
    mock_check_verify_code,
    mock_create_event,
):
    """A pending user who passes the SMS check is activated.

    ``get_user`` is patched to return the pending user and ``get_services`` to
    return none, so the observable effects are the activate call and the
    fixture's ``is_active`` flag.
    """
    mocker.patch('app.user_api_client.get_user', return_value=api_user_pending)
    mocker.patch('app.service_api_client.get_services', return_value={'data': []})

    # NOTE(review): every other test in this file seeds the session with an
    # 'email' key; this one uses 'email_address' — confirm which key the view
    # actually reads, as the mismatch may be masking a dead assertion.
    with client.session_transaction() as sess:
        sess['user_details'] = {
            'id': api_user_pending.id,
            'email_address': api_user_pending.email_address
        }

    client.post(url_for('main.two_factor'), data={'sms_code': '12345'})

    assert mock_activate_user.called
    assert api_user_pending.is_active
def test_valid_two_factor_email_link_logs_in_user(
    client,
    valid_token,
    mock_get_user,
    mock_get_services_with_one_service,
    mocker,
    mock_create_event,
):
    """A valid email 2FA link signs the user in and redirects to the landing page.

    ``check_verify_code`` is patched to accept, so this covers only the happy
    path of the token-in-URL flow; rejection cases are tested separately below.
    """
    mocker.patch('app.user_api_client.check_verify_code', return_value=(True, ''))

    link = url_for_endpoint_with_token('main.two_factor_email', token=valid_token)
    response = client.get(link)

    assert response.status_code == 302
    landing_page = url_for('main.show_accounts_or_dashboard', _external=True)
    assert response.location == landing_page
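def test_two_factor_email_link_has_expired(
    app_,
    valid_token,
    client,
    mock_send_verify_code,
    fake_uuid
):
    """An email 2FA link older than ``EMAIL_2FA_EXPIRY_SECONDS`` is rejected.

    The expiry is forced to -1 so an otherwise valid token is already stale;
    the user lands on the 'link has expired' page and no replacement code is
    sent automatically.
    """
    with set_config(app_, 'EMAIL_2FA_EXPIRY_SECONDS', -1):
        response = client.get(
            url_for_endpoint_with_token('main.two_factor_email', token=valid_token),
            follow_redirects=True,
        )

    assert response.status_code == 200
    page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')

    assert page.h1.text.strip() == 'The link has expired'
    # Bug fix: the original referenced ``assert_not_called`` without calling
    # it, which only looks up the bound method and never asserts anything.
    mock_send_verify_code.assert_not_called()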
def test_two_factor_email_link_is_invalid(
    client
):
    """A link whose token does not verify gets a 404 and a generic error banner.

    The token here is an arbitrary integer rather than a signed value, so the
    view cannot attribute it to any user; the asserted banner copy is generic
    and does not say why the link failed.
    """
    bogus_token = 12345
    response = client.get(
        url_for('main.two_factor_email', token=bogus_token),
        follow_redirects=True
    )
    page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
    banner_text = normalize_spaces(page.select_one('.banner-dangerous').text)

    assert banner_text == "There’s something wrong with the link you’ve used."
    assert response.status_code == 404
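def test_two_factor_email_link_is_already_used(
    client,
    valid_token,
    mocker,
    mock_send_verify_code
):
    """A link whose code the API reports as expired is treated as a used link.

    ``check_verify_code`` is patched to return ``(False, 'Code has expired')``;
    the user sees the same 'link has expired' page as for a stale token and no
    new code is sent.
    """
    mocker.patch('app.user_api_client.check_verify_code', return_value=(False, 'Code has expired'))

    response = client.get(
        url_for_endpoint_with_token('main.two_factor_email', token=valid_token),
        follow_redirects=True
    )

    page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
    assert response.status_code == 200

    assert page.h1.text.strip() == 'The link has expired'
    # Bug fix: ``assert_not_called`` was referenced without parentheses, so the
    # original never checked that no verify code was sent.
    mock_send_verify_code.assert_not_called()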
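def test_two_factor_email_link_when_user_is_locked_out(
    client,
    valid_token,
    mocker,
    mock_send_verify_code
):
    """A link rejected with 'Code not found' (the locked-out case) shows the expired-link page.

    ``check_verify_code`` is patched to return ``(False, 'Code not found')``;
    the test expects the same ``h1`` as the expired and already-used cases, so
    the page does not tell the link holder which of those applies, and no new
    code is sent.
    """
    mocker.patch('app.user_api_client.check_verify_code', return_value=(False, 'Code not found'))

    response = client.get(
        url_for_endpoint_with_token('main.two_factor_email', token=valid_token),
        follow_redirects=True
    )

    page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
    assert response.status_code == 200

    assert page.h1.text.strip() == 'The link has expired'
    # Bug fix: ``assert_not_called`` was referenced without parentheses, so the
    # original never checked that no verify code was sent.
    mock_send_verify_code.assert_not_called()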
def test_two_factor_email_link_used_when_user_already_logged_in(
    logged_in_client,
    valid_token
):
    """Following a 2FA email link while already signed in just redirects to the landing page."""
    link = url_for_endpoint_with_token('main.two_factor_email', token=valid_token)
    response = logged_in_client.get(link)

    assert response.status_code == 302
    landing_page = url_for('main.show_accounts_or_dashboard', _external=True)
    assert response.location == landing_page