Commit Graph

56 Commits

Author SHA1 Message Date
karlchillmaid
6c4013d207 Change 'forgot' to 'forgotten' 2020-02-24 12:00:26 +00:00
Rebecca Law
0e1ee504ac - Add unit test for when case when the cookie doesn't match the db.
- Move code into User.signout method to further encapsulate the code.
2020-02-03 15:08:55 +00:00
Rebecca Law
937c9f2adc Ensure that the session is logged out server side, not just client side.
Anytime a user clicks "sign out" we should be signing them out server side as well. This can be accomplished by setting the Users.current_session_id = null.
I found that the method User.logged_in_elsewhere doesn't need to check if the current_session_id is None. The current_session_ids in the cookie and db (redis or postgres) then the user should be forced to log in again.
2020-02-03 12:24:02 +00:00
karlchillmaid
74e9b343fd Replace haven't with have not 2019-09-23 13:22:28 +01:00
Chris Hill-Scott
92ea5894bb Add autocomplete attribute to password fields
This helps the browser autocomplete them with the right thing.

Value based on https://www.w3.org/TR/WCAG21/#input-purposes
2019-07-16 17:15:17 +01:00
Chris Hill-Scott
bd9acb1310 Make invited user model inherit from JSONModel
This is more consistent, and less fiddly that always having to call it
with a dictionary expansion.
2019-06-05 14:39:02 +01:00
Chris Hill-Scott
628e344b36 Make user API client return JSON, not a model
The data flow of other bits of our application looks like this:
```
                         API (returns JSON)
                                  ⬇
          API client (returns a built in type, usually `dict`)
                                  ⬇
          Model (returns an instance, eg of type `Service`)
                                  ⬇
                         View (returns HTML)
```
The user API client was architected weirdly, in that it returned a model
directly, like this:

```
                         API (returns JSON)
                                  ⬇
    API client (returns a model, of type `User`, `InvitedUser`, etc)
                                  ⬇
                         View (returns HTML)
```

This mixing of different layers of the application is bad because it
makes it hard to write model code that doesn’t have circular
dependencies. As our application gets more complicated we will be
relying more on models to manage this complexity, so we should make it
easy, not hard to write them.

It also means that most of our mocking was of the User model, not just
the underlying JSON. So it would have been easy to introduce subtle bugs
to the user model, because it wasn’t being comprehensively tested. A lot
of the changed lines of code in this commit mean changing the tests to
mock only the JSON, which means that the model layer gets implicitly
tested.

For those reasons this commit changes the user API client to return
JSON, not an instance of `User` or other models.
2019-06-05 11:13:41 +01:00
Chris Hill-Scott
08e9b35d7a Don’t ask for organisation type when we know it
Every time someone adds a new service we ask them what kind of
organisation they work for.

We can look this up based on the user’s email address now. So we should
only ask the question if:
- we don’t know about the organisation
- or we haven’t set what type of organisation it is (this shouldn’t be
  possible on productions because we’ve populated the column for all
  existing organisations and it’s impossible to add a new one without
  setting it
2019-04-18 14:08:13 +01:00
Chris Hill-Scott
883b07e3f0 Use client_request fixture where possible
It:
- saves repetetive boilerplate code
- does some extra checks (eg checking for a `200` response)
- makes the codebase less confusing to consistently do the same thing in
  the same way
2019-03-26 16:38:00 +00:00
Leo Hemsted
5961f470a4 don't apply marks directly in pytest
specifically - don't use `pytest.mark.xfail` directly in parametrize,
instead use `pytest.param(*args, marks=pytest.mark.xfail)`. the old way
is deprecated in pytest4 - for more information see
https://docs.pytest.org/en/latest/deprecations.html#marks-in-pytest-mark-parametrize

Also, make this an error in pytest.ini so if someone adds a new xfail,
it'll crash
2018-12-31 13:37:20 +00:00
Chris Hill-Scott
be9fb99247 Redirect signed-in users to their service
Some users are bookmarking the sign in page for quick access to their
Notify service.

If they’re already signed in when they used this bookmark they get
redirected. However the redirect isn’t very smart, because it just takes
them to their list of services. This isn’t great if they only have one
service.

This commit redirects them to the `show_accounts_or_dashboard` endpoint
instead, which does the work to figure out which page is most useful
to show someone when they sign in.

Also changing this for `/register`, although it’s less likely that
someone will have bookmarked this page.
2018-11-15 16:01:59 +00:00
Leo Hemsted
2f37e37278 rename choose_service to choose_account 2018-03-14 15:39:55 +00:00
Chris Hill-Scott
f3a0c505bd Enforce order and style of imports
Done using isort[1], with the following command:
```
isort -rc ./app ./tests
```

Adds linting to the `run_tests.sh` script to stop badly-sorted imports
getting re-introduced.

Chosen style is ‘Vertical Hanging Indent’ with trailing commas, because
I think it gives the cleanest diffs, eg:
```
from third_party import (
    lib1,
    lib2,
    lib3,
    lib4,
)
```

1. https://pypi.python.org/pypi/isort
2018-02-27 16:35:13 +00:00
Chris Hill-Scott
1908e7b091 Tell API what URL to use for email auth links
So that we can keep people on the prototype URL when doing user
research.

Depends on:
- [ ] https://github.com/alphagov/notifications-api/pull/1645
2018-02-09 15:01:20 +00:00
Katie Smith
309396c906 Make email addresses case insensitive when inviting users to services
Email addresses in invites should be case insensitive. This is to stop
the bug where a user creates their account using a lower case email
address (e.g. user1@gov.uk), but is then invited to a service using
their email address in a different case (e.g. USER1.gov.uk) and sees
an error message telling them that they can't accept an invite for a
different email address.
2018-01-02 09:26:49 +00:00
Chris Hill-Scott
d0d230f119 Remove existing whitespace stripping code
Since we’re doing this globally, we don’t need to handle it in a custom
way for the sign in form (and it’s much nicer encapsulated like this).

Also added some more extensive tests in this commit.
2017-12-14 11:06:55 +00:00
Chris Hill-Scott
bef8e8887b Strip spaces from email addresses when signing in
If you copy and paste an email address into the sign in box, there’s a
chance you’ll also copy some leading or trailing spaces. This is
especially likely to happen if you’re doing this while using your
computer upside down.

If this happens, it never even gets as far as looking up the user,
because the form validation doesn’t consider a string with a leading
space to be a valid email address.

This commit makes sure that accidental spaces are handled, by removing
them before doing any validation or hitting the API to look up the user.
2017-12-08 16:17:45 +00:00
chrisw
1effec78e5 alter login flow to allow for email auth login 2017-11-09 16:07:28 +00:00
Leo Hemsted
9fda5d1847 remove remember_me cookie and related code 2017-02-27 15:18:18 +00:00
Leo Hemsted
f14a836baa check users' session id.
when a user enters their 2FA code, the API will store a random UUID
against them in the database - this code is then stored on the cookie
on the front end.

At the beginning of each authenticated request, we do the following
steps:
  * Retrieve the user's cookie, and get the user_id from it
  * Request that user's details from the database
  * populate current_user with the DB model
  * run the login_required decorator, which calls
    current_user.is_authenticated

is_authenticated now also checks that the database model matches the
cookie for session_id. The potential states and meanings are as follows:

 database | cookie | meaning
----------+--------+---------
 None     | None   | New user, or system just been deployed.
          |        | Redirect to start page.
----------+--------+---------
 'abc'    | None   | New browser (or cleared cookies). Redirect to
          |        | start page.
----------+--------+---------
 None     | 'abc'  | Invalid state (cookie is set from user obj, so
          |        | would only happen if DB is cleared)
----------+--------+---------
 'abc'    | 'abc'  | Same browser. Business as usual
----------+--------+---------
 'abc'    | 'def'  | Different browser in cookie - db has been changed
          |        | since then. Redirect to start
2017-02-22 17:31:13 +00:00
Chris Hill-Scott
f3b0c0a556 Use client and logged_in_client fixtures
Wherever possible, because Don’t Repeat Yourself.
2017-02-06 10:44:38 +00:00
Chris Hill-Scott
929dc45224 Normalize whitespace in test arguments
We have a bunch of different styles of handling when function
definitions span multiple lines, which they almost always do with tests.

Here’s why an argument per line, single indent is best:
- cleaner diffs when you change the name of a method (one line change
  instead of multiple lines)
- works better on narrow screens, eg Github’s diff view, or with two
  terminals side by side on a laptop screen
- works with any editor’s indenting shortcuts, no need for an IDE

Also, trailing comma in the list of arguments is good because adding a
new argument to a method becomes a one line, not two line diff.
2017-02-06 10:44:37 +00:00
Leo Hemsted
805639a2e1 add test for choose services and related redirects to it
it'll just show the add service button if you only have archived services
2016-11-16 13:18:49 +00:00
Imdad Ahad
91c878a80e Remove flash banner as unncessary 2016-09-06 16:53:53 +01:00
Imdad Ahad
998d33e283 Redirect and resend verification email when pending user attempts to login 2016-09-06 15:44:33 +01:00
Henry Hadlow
36da188d04 Tidy up text on forgot your password screens 2016-05-10 11:36:49 +01:00
Adam Shimali
09117e5eeb Updated flask-login to version 0.3.2 2016-05-04 14:06:14 +01:00
Nicholas Staples
b131082f41 Updated to include corrected flash message. 2016-04-26 12:26:41 +01:00
Nicholas Staples
9225c0813c Updated msg for the failed login. 2016-04-26 12:14:06 +01:00
Adam Shimali
352f169fb1 If user is pending it means they have not verified email yet
Added better checking on re use of consumed verification link.
2016-03-29 13:12:06 +01:00
Rebecca Law
58c748e703 Noticed that the api was being called when running the unit tests.
This also lead me to find the the failed_login_in count was always returning 0.
2016-03-11 11:47:21 +00:00
Nicholas Staples
c959678c49 Remember me functionality added and tested.
Merge extra.

Fixed comment.
2016-02-24 17:32:15 +00:00
Nicholas Staples
62150e5596 Added fixes for forms to hide potential email philshing scams. 2016-01-28 16:36:36 +00:00
Adam Shimali
91465520a0 Call to client for password check incorrectly passed user instead
of user.id
2016-01-28 12:31:24 +00:00
Nicholas Staples
2d35f5f36a All tests passing and merged with master. 2016-01-27 16:30:33 +00:00
Nicholas Staples
6959d695d3 Working tests, hopefully all code changes done. 2016-01-27 12:22:32 +00:00
Adam Shimali
4674bd6b68 Reintroduce some tests. A bit of cleanup of mocks.
User object fields made a bit clearer and simple test to
verify user added.
2016-01-23 23:14:50 +00:00
Adam Shimali
ba0d0d49e1 Fixed tests 2016-01-22 19:32:08 +00:00
Adam Shimali
f8fc8e951a If user is logged in and visits / /sign-in or /register they will
be redirected to choose service.
2016-01-22 17:24:14 +00:00
Adam Shimali
167c7b0f13 Fixed some tests. Some broken mocked tests commented out until later 2016-01-21 12:31:09 +00:00
Adam Shimali
856b6adb56 First slice full sign in flow 2016-01-21 11:33:53 +00:00
Nicholas Staples
3b1d521c10 Tests added for dao. 2016-01-15 15:15:35 +00:00
Nicholas Staples
d42ee85f93 Added new notification-python-client removed check on old one, fixed tests, live service will be broken. 2016-01-14 14:55:07 +00:00
Nicholas Staples
0ebacd6929 Refactor for code_not_received, sign_in, two_factor and verify. 2016-01-05 17:08:50 +00:00
Nicholas Staples
1f520116f0 Sign in view, form and template refactored. 2016-01-05 14:30:06 +00:00
Rebecca Law
64812c1614 109898688: All codes are valid until one code is used, then they are all marked used.
Fixed the is_active() method on the Users model, if the user was pending they would come back as active, allowing a user to sign in before being active.
There is still a problem with the validate_sms_code and validate_email_code method.
2015-12-17 14:33:20 +00:00
Rebecca Law
588730d594 109526036: Persist the verify code to the db.
The codes are hashed and saved to the db.
The code is marked as used once a valid code is submitted.
The code is valid for 1 hour.
The codes are no longer saved to the session.
2015-12-10 14:48:01 +00:00
Rebecca Law
975aaf58ff 109638656: Add mocker for api client, which tries to send sms 2015-12-09 12:11:43 +00:00
Rebecca Law
229935c050 Remove test for temp_create_user, removed in previous commit. 2015-12-08 13:04:20 +00:00
Rebecca Law
e8d2a81597 108536490: Fix bug when user does not exist and tries to sign in 2015-12-01 10:35:49 +00:00