tests/app/main/views/test_two_factor.py

from flask import json, url_for

from app.main.dao import verify_codes_dao
from tests.app.main import create_test_user


def test_should_render_two_factor_page(notifications_admin, notifications_admin_db, notify_db_session):
    with notifications_admin.test_request_context():
        with notifications_admin.test_client() as client:
            # TODO this lives here until we work out how to
            # reassign the session after it is lost mid register process
            with client.session_transaction() as session:
                user = create_test_user('pending')
                session['user_email'] = user.email_address
        response = client.get(url_for('main.two_factor'))
        assert response.status_code == 200
        assert '''We've sent you a text message with a verification code.''' in response.get_data(as_text=True)


def test_should_login_user_and_redirect_to_dashboard(notifications_admin, notifications_admin_db, notify_db_session):
    with notifications_admin.test_request_context():
        with notifications_admin.test_client() as client:
            with client.session_transaction() as session:
                user = create_test_user('active')
                session['user_email'] = user.email_address
            verify_codes_dao.add_code(user_id=user.id, code='12345', code_type='sms')
            response = client.post(url_for('main.two_factor'),
                                   data={'sms_code': '12345'})

            assert response.status_code == 302
            assert response.location == url_for('main.dashboard', _external=True)


def test_should_return_200_with_sms_code_error_when_sms_code_is_wrong(notifications_admin,
                                                                      notifications_admin_db,
                                                                      notify_db_session):
    with notifications_admin.test_request_context():
        with notifications_admin.test_client() as client:
            with client.session_transaction() as session:
                user = create_test_user('active')
                session['user_email'] = user.email_address
            verify_codes_dao.add_code(user_id=user.id, code='12345', code_type='sms')
            response = client.post(url_for('main.two_factor'),
                                   data={'sms_code': '23456'})
            assert response.status_code == 200
            assert 'Code does not match' in response.get_data(as_text=True)


def test_should_login_user_when_multiple_valid_codes_exist(notifications_admin,
                                                           notifications_admin_db,
                                                           notify_db_session):
    with notifications_admin.test_request_context():
        with notifications_admin.test_client() as client:
            with client.session_transaction() as session:
                user = create_test_user('active')
                session['user_email'] = user.email_address
                verify_codes_dao.add_code(user_id=user.id, code='23456', code_type='sms')
                verify_codes_dao.add_code(user_id=user.id, code='12345', code_type='sms')
                verify_codes_dao.add_code(user_id=user.id, code='34567', code_type='sms')
            assert len(verify_codes_dao.get_codes(user_id=user.id, code_type='sms')) == 3
            response = client.post(url_for('main.two_factor'),
                                   data={'sms_code': '23456'})
            assert response.status_code == 302
            codes = verify_codes_dao.get_codes(user_id=user.id, code_type='sms')
            # query will only return codes where code_used == False
            assert len(codes) == 0
Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00			`from flask import json, url_for`
109638656: Implementation of two factor verification Validation of the code is done in the form, when the form.validate_on_submit is called the validate code methods are called as well. 2015-12-09 11:36:57 +00:00
109526036: Persist the verify code to the db. The codes are hashed and saved to the db. The code is marked as used once a valid code is submitted. The code is valid for 1 hour. The codes are no longer saved to the session. 2015-12-10 14:48:01 +00:00			`from app.main.dao import verify_codes_dao`
			`from tests.app.main import create_test_user`
109638656: Initial implementation for two-factor 2015-12-07 16:56:11 +00:00

109526036: Persist the verify code to the db. The codes are hashed and saved to the db. The code is marked as used once a valid code is submitted. The code is valid for 1 hour. The codes are no longer saved to the session. 2015-12-10 14:48:01 +00:00			`def test_should_render_two_factor_page(notifications_admin, notifications_admin_db, notify_db_session):`
Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00			`with notifications_admin.test_request_context():`
Fix for security hole with setting session['user_id'] before second factor of authentication has been authorised. 2016-01-07 12:43:10 +00:00			`with notifications_admin.test_client() as client:`
			`# TODO this lives here until we work out how to`
			`# reassign the session after it is lost mid register process`
			`with client.session_transaction() as session:`
			`user = create_test_user('pending')`
			`session['user_email'] = user.email_address`
			`response = client.get(url_for('main.two_factor'))`
Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00			`assert response.status_code == 200`
			`assert '''We've sent you a text message with a verification code.''' in response.get_data(as_text=True)`
109638656: Initial implementation for two-factor 2015-12-07 16:56:11 +00:00

109526036: Persist the verify code to the db. The codes are hashed and saved to the db. The code is marked as used once a valid code is submitted. The code is valid for 1 hour. The codes are no longer saved to the session. 2015-12-10 14:48:01 +00:00			`def test_should_login_user_and_redirect_to_dashboard(notifications_admin, notifications_admin_db, notify_db_session):`
Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00			`with notifications_admin.test_request_context():`
			`with notifications_admin.test_client() as client:`
			`with client.session_transaction() as session:`
			`user = create_test_user('active')`
Fix for security hole with setting session['user_id'] before second factor of authentication has been authorised. 2016-01-07 12:43:10 +00:00			`session['user_email'] = user.email_address`
Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00			`verify_codes_dao.add_code(user_id=user.id, code='12345', code_type='sms')`
			`response = client.post(url_for('main.two_factor'),`
			`data={'sms_code': '12345'})`
109638656: Implement two factor verify flow When user enters valid sms code they are redirected to the dashboard. Otherwise, form errors are present. 2015-12-08 12:36:54 +00:00
Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00			`assert response.status_code == 302`
			`assert response.location == url_for('main.dashboard', _external=True)`
109638656: Implement two factor verify flow When user enters valid sms code they are redirected to the dashboard. Otherwise, form errors are present. 2015-12-08 12:36:54 +00:00

Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00			`def test_should_return_200_with_sms_code_error_when_sms_code_is_wrong(notifications_admin,`
109526036: Persist the verify code to the db. The codes are hashed and saved to the db. The code is marked as used once a valid code is submitted. The code is valid for 1 hour. The codes are no longer saved to the session. 2015-12-10 14:48:01 +00:00			`notifications_admin_db,`
			`notify_db_session):`
Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00			`with notifications_admin.test_request_context():`
			`with notifications_admin.test_client() as client:`
			`with client.session_transaction() as session:`
			`user = create_test_user('active')`
Fix for security hole with setting session['user_id'] before second factor of authentication has been authorised. 2016-01-07 12:43:10 +00:00			`session['user_email'] = user.email_address`
Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00			`verify_codes_dao.add_code(user_id=user.id, code='12345', code_type='sms')`
			`response = client.post(url_for('main.two_factor'),`
			`data={'sms_code': '23456'})`
			`assert response.status_code == 200`
			`assert 'Code does not match' in response.get_data(as_text=True)`
110880218: Completed implementation of resend the verificaton code 2015-12-31 13:16:59 +00:00

			`def test_should_login_user_when_multiple_valid_codes_exist(notifications_admin,`
			`notifications_admin_db,`
			`notify_db_session):`
Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00			`with notifications_admin.test_request_context():`
			`with notifications_admin.test_client() as client:`
			`with client.session_transaction() as session:`
			`user = create_test_user('active')`
Fix for security hole with setting session['user_id'] before second factor of authentication has been authorised. 2016-01-07 12:43:10 +00:00			`session['user_email'] = user.email_address`
Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00			`verify_codes_dao.add_code(user_id=user.id, code='23456', code_type='sms')`
			`verify_codes_dao.add_code(user_id=user.id, code='12345', code_type='sms')`
			`verify_codes_dao.add_code(user_id=user.id, code='34567', code_type='sms')`
			`assert len(verify_codes_dao.get_codes(user_id=user.id, code_type='sms')) == 3`
			`response = client.post(url_for('main.two_factor'),`
			`data={'sms_code': '23456'})`
			`assert response.status_code == 302`
			`codes = verify_codes_dao.get_codes(user_id=user.id, code_type='sms')`
			`# query will only return codes where code_used == False`
			`assert len(codes) == 0`