From 4df12f5f4eaab917855b0199fe6bd697fc37100a Mon Sep 17 00:00:00 2001 From: Leo Hemsted Date: Fri, 24 Feb 2017 16:21:41 +0000 Subject: [PATCH] ensure other 2FA pages also handle session id specifically, the 2FA page when you first create an account is different to the login 2FA page and also the 2FA page when you change your phone number is different as well --- app/main/views/two_factor.py | 3 +- app/main/views/user_profile.py | 3 + app/main/views/verify.py | 2 + app/notify_client/user_api_client.py | 2 +- tests/app/main/views/test_user_profile.py | 71 +++++++---------------- tests/app/main/views/test_verify.py | 20 +++++-- 6 files changed, 44 insertions(+), 57 deletions(-) diff --git a/app/main/views/two_factor.py b/app/main/views/two_factor.py index f36b14076..05896ee8f 100644 --- a/app/main/views/two_factor.py +++ b/app/main/views/two_factor.py @@ -26,8 +26,7 @@ def two_factor(): if form.validate_on_submit(): try: user = user_api_client.get_user(user_id) - # the user will have a new current_session_id set by the API - store it in the cookie so we can match it in - # future requests + # the user will have a new current_session_id set by the API - store it in the cookie for future requests session['current_session_id'] = user.current_session_id services = service_api_client.get_active_services({'user_id': str(user_id)}).get('data', []) # Check if coming from new password page diff --git a/app/main/views/user_profile.py b/app/main/views/user_profile.py index e59619dab..d063f9a91 100644 --- a/app/main/views/user_profile.py +++ b/app/main/views/user_profile.py @@ -177,6 +177,9 @@ def user_profile_mobile_number_confirm(): form = ConfirmMobileNumberForm(_check_code) if form.validate_on_submit(): + user = user_api_client.get_user(current_user.id) + # the user will have a new current_session_id set by the API - store it in the cookie for future requests + session['current_session_id'] = user.current_session_id mobile_number = session[NEW_MOBILE] del session[NEW_MOBILE] del session[NEW_MOBILE_PASSWORD_CONFIRMED] diff --git a/app/main/views/verify.py b/app/main/views/verify.py index fc9d48691..a3163a538 100644 --- a/app/main/views/verify.py +++ b/app/main/views/verify.py @@ -36,6 +36,8 @@ def verify(): if form.validate_on_submit(): try: user = user_api_client.get_user(user_id) + # the user will have a new current_session_id set by the API - store it in the cookie for future requests + session['current_session_id'] = user.current_session_id activated_user = user_api_client.activate_user(user) login_user(activated_user) return redirect(url_for('main.add_service', first='first')) diff --git a/app/notify_client/user_api_client.py b/app/notify_client/user_api_client.py index 66f4aad60..5306b9c22 100644 --- a/app/notify_client/user_api_client.py +++ b/app/notify_client/user_api_client.py @@ -110,7 +110,7 @@ class UserApiClient(NotifyAdminAPIClient): data = {'code_type': code_type, 'code': code} endpoint = '/user/{}/verify/code'.format(user_id) try: - resp = self.post(endpoint, data=data) + self.post(endpoint, data=data) return True, '' except HTTPError as e: if e.status_code == 400 or e.status_code == 404: diff --git a/tests/app/main/views/test_user_profile.py b/tests/app/main/views/test_user_profile.py index 8f1f2c6a4..34d551311 100644 --- a/tests/app/main/views/test_user_profile.py +++ b/tests/app/main/views/test_user_profile.py @@ -1,13 +1,14 @@ +import uuid import json + from flask import url_for from notifications_utils.url_safe_token import generate_token +from tests.conftest import api_user_active as create_user + def test_should_show_overview_page( logged_in_client, - api_user_active, - mock_login, - mock_get_user, ): response = logged_in_client.get(url_for('main.user_profile')) @@ -16,10 +17,7 @@ def test_should_show_overview_page( def test_should_show_name_page( - logged_in_client, - api_user_active, - mock_login, - mock_get_user, + logged_in_client ): response = logged_in_client.get(url_for('main.user_profile_name')) @@ -30,8 +28,6 @@ def test_should_show_name_page( def test_should_redirect_after_name_change( logged_in_client, api_user_active, - mock_login, - mock_get_user, mock_update_user_attribute, ): new_name = 'New Name' @@ -40,17 +36,12 @@ def test_should_redirect_after_name_change( 'main.user_profile_name'), data=data) assert response.status_code == 302 - assert response.location == url_for( - 'main.user_profile', _external=True) - api_user_active.name = new_name + assert response.location == url_for('main.user_profile', _external=True) assert mock_update_user_attribute.called def test_should_show_email_page( logged_in_client, - api_user_active, - mock_login, - mock_get_user, ): response = logged_in_client.get(url_for( 'main.user_profile_email')) @@ -61,7 +52,6 @@ def test_should_show_email_page( def test_should_redirect_after_email_change( logged_in_client, - api_user_active, mock_login, mock_is_email_unique, ): @@ -77,8 +67,6 @@ def test_should_redirect_after_email_change( def test_should_show_authenticate_after_email_change( logged_in_client, - api_user_active, - mock_login, ): with logged_in_client.session_transaction() as session: session['new-email'] = 'new_notify@notify.gov.uk' @@ -91,8 +79,6 @@ def test_should_show_authenticate_after_email_change( def test_should_render_change_email_continue_after_authenticate_email( logged_in_client, - api_user_active, - mock_login, mock_verify_password, mock_send_change_email_verification, ): @@ -111,7 +97,6 @@ def test_should_redirect_to_user_profile_when_user_confirms_email_link( app_, logged_in_client, api_user_active, - mock_login, mock_update_user_attribute, ): @@ -125,9 +110,6 @@ def test_should_redirect_to_user_profile_when_user_confirms_email_link( def test_should_show_mobile_number_page( logged_in_client, - api_user_active, - mock_login, - mock_get_user, ): response = logged_in_client.get(url_for('main.user_profile_mobile_number')) @@ -137,9 +119,6 @@ def test_should_show_mobile_number_page( def test_should_redirect_after_mobile_number_change( logged_in_client, - api_user_active, - mock_login, - mock_get_user, ): data = {'mobile_number': '07121231234'} response = logged_in_client.post( @@ -152,9 +131,6 @@ def test_should_redirect_after_mobile_number_change( def test_should_show_authenticate_after_mobile_number_change( logged_in_client, - api_user_active, - mock_login, - mock_get_user, ): with logged_in_client.session_transaction() as session: session['new-mob'] = '+441234123123' @@ -168,9 +144,6 @@ def test_should_show_authenticate_after_mobile_number_change( def test_should_redirect_after_mobile_number_authenticate( logged_in_client, - api_user_active, - mock_login, - mock_get_user, mock_verify_password, mock_send_verify_code, ): @@ -188,9 +161,6 @@ def test_should_redirect_after_mobile_number_authenticate( def test_should_show_confirm_after_mobile_number_change( logged_in_client, - api_user_active, - mock_login, - mock_get_user, ): with logged_in_client.session_transaction() as session: session['new-mob-password-confirmed'] = True @@ -204,29 +174,39 @@ def test_should_show_confirm_after_mobile_number_change( def test_should_redirect_after_mobile_number_confirm( logged_in_client, - api_user_active, - mock_login, - mock_get_user, + mocker, mock_update_user_attribute, mock_check_verify_code, + fake_uuid ): + user_before = create_user(fake_uuid) + user_after = create_user(fake_uuid) + user_before.current_session_id = str(uuid.UUID(int=1)) + user_after.current_session_id = str(uuid.UUID(int=2)) + + # first time (login decorator) return normally, second time (after 2FA return with new session id) + mocker.patch('app.user_api_client.get_user', side_effect=[user_before, user_after]) + with logged_in_client.session_transaction() as session: session['new-mob-password-confirmed'] = True session['new-mob'] = '+441234123123' + session['current_session_id'] = user_before.current_session_id data = {'sms_code': '12345'} response = logged_in_client.post( url_for('main.user_profile_mobile_number_confirm'), data=data) + assert response.status_code == 302 assert response.location == url_for( 'main.user_profile', _external=True) + # make sure the current_session_id has changed to what the API returned + with logged_in_client.session_transaction() as session: + assert session['current_session_id'] == user_after.current_session_id + def test_should_show_password_page( logged_in_client, - api_user_active, - mock_login, - mock_get_user, ): response = logged_in_client.get(url_for('main.user_profile_password')) @@ -236,9 +216,6 @@ def test_should_show_password_page( def test_should_redirect_after_password_change( logged_in_client, - api_user_active, - mock_login, - mock_get_user, mock_update_user_password, mock_verify_password, ): @@ -256,8 +233,6 @@ def test_should_redirect_after_password_change( def test_non_gov_user_cannot_see_change_email_link( logged_in_client, - api_nongov_user_active, - mock_login, mock_get_non_govuser, ): response = logged_in_client.get(url_for('main.user_profile')) @@ -268,8 +243,6 @@ def test_non_gov_user_cannot_see_change_email_link( def test_non_gov_user_cannot_access_change_email_page( logged_in_client, - api_nongov_user_active, - mock_login, mock_get_non_govuser, ): response = logged_in_client.get(url_for('main.user_profile_email')) diff --git a/tests/app/main/views/test_verify.py b/tests/app/main/views/test_verify.py index d5a456e1e..5c4784458 100644 --- a/tests/app/main/views/test_verify.py +++ b/tests/app/main/views/test_verify.py @@ -1,5 +1,7 @@ -from flask import url_for +import uuid +import json +from flask import url_for from bs4 import BeautifulSoup @@ -24,17 +26,28 @@ def test_should_return_verify_template( def test_should_redirect_to_add_service_when_sms_code_is_correct( client, api_user_active, - mock_get_user, + mocker, mock_update_user, mock_check_verify_code, + fake_uuid ): + api_user_active.current_session_id = str(uuid.UUID(int=1)) + mocker.patch('app.user_api_client.get_user', return_value=api_user_active) + with client.session_transaction() as session: session['user_details'] = {'email_address': api_user_active.email_address, 'id': api_user_active.id} + # user's only just created their account so no session in the cookie + session.pop('current_session_id', None) + response = client.post(url_for('main.verify'), data={'sms_code': '12345'}) assert response.status_code == 302 assert response.location == url_for('main.add_service', first='first', _external=True) + # make sure the current_session_id has changed to what the API returned + with client.session_transaction() as session: + assert session['current_session_id'] == str(uuid.UUID(int=1)) + mock_check_verify_code.assert_called_once_with(api_user_active.id, '12345', 'sms') @@ -57,7 +70,6 @@ def test_should_activate_user_after_verify( def test_should_return_200_when_sms_code_is_wrong( client, api_user_active, - mock_get_user, mock_check_verify_code_code_not_found, ): with client.session_transaction() as session: @@ -77,7 +89,6 @@ def test_verify_email_redirects_to_verify_if_token_valid( mock_send_verify_code, mock_check_verify_code, ): - import json token_data = {"user_id": api_user_pending.id, "secret_code": 12345} mocker.patch('app.main.views.verify.check_token', return_value=json.dumps(token_data)) @@ -136,7 +147,6 @@ def test_verify_email_redirects_to_sign_in_if_user_active( mock_send_verify_code, mock_check_verify_code, ): - import json token_data = {"user_id": api_user_active.id, "secret_code": 12345} mocker.patch('app.main.views.verify.check_token', return_value=json.dumps(token_data))