darkhelm/notifications-admin
1
0
Fork 0
mirror of https://github.com/GSA/notifications-admin.git synced 2026-02-21 02:44:42 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
203393de235631db0ce3c38dec85da170a634fba
notifications-admin/tests/app/main/views/test_new_password.py
Tom Byers 29c46a27f8 Stop url_for double-encoding .'s in password test 
One of the changes this pulls in is encoding of
periods in the token used for new password
requests.

In real-life the resulting URL is build by
concatenating the base url with the token so it
isn't processed further.

The test for new password requests builds the URL
with url_for. This encodes the result returned so
the periods are encoded twice.
2018-10-18 16:59:52 +01:00

118 lines
4.6 KiB
Python
Raw Blame History

import json
from datetime import datetime
from flask import url_for
from itsdangerous import SignatureExpired
from notifications_utils.url_safe_token import generate_token
from tests.conftest import url_for_endpoint_with_token
def test_should_render_new_password_template(
app_,
client,
api_user_active,
mock_login,
mock_send_verify_code,
mock_get_user_by_email_request_password_reset,
):
data = json.dumps({'email': api_user_active.email_address, 'created_at': str(datetime.utcnow())})
token = generate_token(data, app_.config['SECRET_KEY'],
app_.config['DANGEROUS_SALT'])
response = client.get(url_for_endpoint_with_token('.new_password', token=token))
assert response.status_code == 200
assert 'You can now create a new password for your account.' in response.get_data(as_text=True)
def test_should_return_404_when_email_address_does_not_exist(
app_,
client,
mock_get_user_by_email_not_found,
):
data = json.dumps({'email': 'no_user@d.gov.uk', 'created_at': str(datetime.utcnow())})
token = generate_token(data, app_.config['SECRET_KEY'], app_.config['DANGEROUS_SALT'])
response = client.get(url_for_endpoint_with_token('.new_password', token=token))
assert response.status_code == 404
def test_should_redirect_to_two_factor_when_password_reset_is_successful(
app_,
client,
mock_get_user_by_email_request_password_reset,
mock_login,
mock_send_verify_code,
mock_reset_failed_login_count
):
user = mock_get_user_by_email_request_password_reset.return_value
data = json.dumps({'email': user.email_address, 'created_at': str(datetime.utcnow())})
token = generate_token(data, app_.config['SECRET_KEY'], app_.config['DANGEROUS_SALT'])
response = client.post(url_for_endpoint_with_token('.new_password', token=token),
data={'new_password': 'a-new_password'})
assert response.status_code == 302
assert response.location == url_for('.two_factor', _external=True)
mock_get_user_by_email_request_password_reset.assert_called_once_with(user.email_address)
def test_should_redirect_index_if_user_has_already_changed_password(
app_,
client,
mock_get_user_by_email_user_changed_password,
mock_login,
mock_send_verify_code,
mock_reset_failed_login_count
):
user = mock_get_user_by_email_user_changed_password.return_value
data = json.dumps({'email': user.email_address, 'created_at': str(datetime.utcnow())})
token = generate_token(data, app_.config['SECRET_KEY'], app_.config['DANGEROUS_SALT'])
response = client.post(url_for_endpoint_with_token('.new_password', token=token),
data={'new_password': 'a-new_password'})
assert response.status_code == 302
assert response.location == url_for('.index', _external=True)
mock_get_user_by_email_user_changed_password.assert_called_once_with(user.email_address)
def test_should_redirect_to_forgot_password_with_flash_message_when_token_is_expired(
app_,
client,
mock_login,
mocker
):
mocker.patch('app.main.views.new_password.check_token', side_effect=SignatureExpired('expired'))
token = generate_token('foo@bar.com', app_.config['SECRET_KEY'], app_.config['DANGEROUS_SALT'])
response = client.get(url_for_endpoint_with_token('.new_password', token=token))
assert response.status_code == 302
assert response.location == url_for('.forgot_password', _external=True)
def test_should_sign_in_when_password_reset_is_successful_for_email_auth(
app_,
client,
mock_get_user,
mock_get_user_by_email_request_password_reset,
mock_login,
mock_send_verify_code,
mock_reset_failed_login_count,
mock_update_user_password
):
user = mock_get_user_by_email_request_password_reset.return_value
user.auth_type = 'email_auth'
data = json.dumps({'email': user.email_address, 'created_at': str(datetime.utcnow())})
token = generate_token(data, app_.config['SECRET_KEY'], app_.config['DANGEROUS_SALT'])
response = client.post(url_for_endpoint_with_token('.new_password', token=token),
data={'new_password': 'a-new_password'})
assert response.status_code == 302
assert response.location == url_for('.show_accounts_or_dashboard', _external=True)
assert mock_get_user_by_email_request_password_reset.called
assert mock_reset_failed_login_count.called
# the log-in flow makes a couple of calls
mock_get_user.assert_called_once_with(user.id)
mock_update_user_password.assert_called_once_with(user.id, password='a-new_password')
assert not mock_send_verify_code.called
Reference in New Issue View Git Blame Copy Permalink