Changes as per code review comments.

Fix my backward date math :P

app/dao/users_dao.py

@@ -1,8 +1,6 @@
 import random
 from datetime import (datetime, timedelta)
-
 from sqlalchemy import func
-
 from app import db
 from app.models import (User, VerifyCode)
 
@@ -48,7 +46,7 @@ def get_user_code(user, code, code_type):
     # time searching for the correct code.
     codes = VerifyCode.query.filter_by(
         user=user, code_type=code_type).order_by(
-            VerifyCode.created_at.desc())
+        VerifyCode.created_at.desc())
     retval = None
     for x in codes:
         if x.check_code(code):
@@ -86,7 +84,8 @@ def count_user_verify_codes(user):
     query = db.session.query(
         func.count().label('count')
     ).filter(VerifyCode.user == user,
-             VerifyCode.expiry_datetime <= datetime.utcnow()).one()
+             VerifyCode.expiry_datetime > datetime.utcnow(),
+             VerifyCode.code_used.is_(False)).one()
     return query.count
 
 

app/user/rest.py

@@ -140,6 +140,7 @@ def send_user_sms_code(user_id):
 
     if count_user_verify_codes(user_to_send_to) >= current_app.config.get('MAX_VERIFY_CODE_COUNT'):
         # Prevent more than `MAX_VERIFY_CODE_COUNT` active verify codes at a time
+        current_app.logger.warn('Max verify code has exceeded for user {}'.format(user_to_send_to.id))
         return jsonify({}), 204
 
     secret_code = create_secret_code()

tests/app/dao/test_users_dao.py

@@ -1,5 +1,6 @@
 from datetime import datetime, timedelta
 
+from freezegun import freeze_time
 from sqlalchemy.exc import DataError
 from sqlalchemy.orm.exc import NoResultFound
 import pytest
@@ -109,13 +110,14 @@ def test_should_not_delete_verification_codes_less_than_one_day_old(sample_user)
     assert VerifyCode.query.one()._code == "12345"
 
 
-def make_verify_code(user, age=timedelta(hours=0), code="12335"):
+def make_verify_code(user, age=timedelta(hours=0), expiry_age=timedelta(0), code="12335", code_used=False):
     verify_code = VerifyCode(
         code_type='sms',
         _code=code,
         created_at=datetime.utcnow() - age,
-        expiry_datetime=datetime.utcnow(),
+        expiry_datetime=datetime.utcnow() - expiry_age,
-        user=user
+        user=user,
+        code_used=code_used
     )
     db.session.add(verify_code)
     db.session.commit()
@@ -143,5 +145,9 @@ def test_update_user_password(notify_api, notify_db, notify_db_session, sample_u
 
 
 def test_count_user_verify_codes(sample_user):
-    [make_verify_code(sample_user) for i in range(5)]
+    with freeze_time(datetime.utcnow() + timedelta(hours=1)):
+        make_verify_code(sample_user, code_used=True)
+        make_verify_code(sample_user, expiry_age=timedelta(hours=2))
+        [make_verify_code(sample_user) for i in range(5)]
+
     assert count_user_verify_codes(sample_user) == 5

tests/app/user/test_rest_verify.py

@@ -1,4 +1,6 @@
 import json
+import uuid
+
 import pytest
 
 from datetime import (
@@ -149,11 +151,10 @@ def test_user_verify_password_valid_password_resets_failed_logins(client,
 
 def test_user_verify_password_missing_password(client,
                                                sample_user):
-    data = json.dumps({'bingo': 'bongo'})
     auth_header = create_authorization_header()
     resp = client.post(
         url_for('user.verify_user_password', user_id=sample_user.id),
-        data=data,
+        data=json.dumps({'bingo': 'bongo'}),
         headers=[('Content-Type', 'application/json'), auth_header])
     assert resp.status_code == 400
     json_resp = json.loads(resp.get_data(as_text=True))
@@ -178,14 +179,13 @@ def test_send_user_sms_code(notify_api,
                 notify_service.research_mode = True
                 dao_update_service(notify_service)
 
-            data = json.dumps({})
             auth_header = create_authorization_header()
             mocked = mocker.patch('app.user.rest.create_secret_code', return_value='11111')
             mocker.patch('app.celery.provider_tasks.deliver_sms.apply_async')
 
             resp = client.post(
                 url_for('user.send_user_sms_code', user_id=sample_user.id),
-                data=data,
+                data=json.dumps({}),
                 headers=[('Content-Type', 'application/json'), auth_header])
             assert resp.status_code == 204
 
@@ -218,12 +218,11 @@ def test_send_user_code_for_sms_with_optional_to_field(notify_api,
             to_number = '+441119876757'
             mocked = mocker.patch('app.user.rest.create_secret_code', return_value='11111')
             mocker.patch('app.celery.provider_tasks.deliver_sms.apply_async')
-            data = json.dumps({'to': to_number})
             auth_header = create_authorization_header()
 
             resp = client.post(
                 url_for('user.send_user_sms_code', user_id=sample_user.id),
-                data=data,
+                data=json.dumps({'to': to_number}),
                 headers=[('Content-Type', 'application/json'), auth_header])
 
             assert resp.status_code == 204
@@ -237,13 +236,11 @@ def test_send_user_code_for_sms_with_optional_to_field(notify_api,
 
 
 def test_send_sms_code_returns_404_for_bad_input_data(client):
-    data = json.dumps({})
-    import uuid
     uuid_ = uuid.uuid4()
     auth_header = create_authorization_header()
     resp = client.post(
         url_for('user.send_user_sms_code', user_id=uuid_),
-        data=data,
+        data=json.dumps({}),
         headers=[('Content-Type', 'application/json'), auth_header])
     assert resp.status_code == 404
     assert json.loads(resp.get_data(as_text=True))['message'] == 'No result found'
@@ -255,17 +252,16 @@ def test_send_sms_code_returns_204_when_too_many_codes_already_created(client, s
             code_type='sms',
             _code=12345,
             created_at=datetime.utcnow() - timedelta(minutes=10),
-            expiry_datetime=datetime.utcnow(),
+            expiry_datetime=datetime.utcnow() + timedelta(minutes=40),
             user=sample_user
         )
         db.session.add(verify_code)
         db.session.commit()
     assert VerifyCode.query.count() == 10
-    data = json.dumps({})
     auth_header = create_authorization_header()
     resp = client.post(
         url_for('user.send_user_sms_code', user_id=sample_user.id),
-        data=data,
+        data=json.dumps({}),
         headers=[('Content-Type', 'application/json'), auth_header])
     assert resp.status_code == 204
     assert VerifyCode.query.count() == 10
@@ -275,12 +271,11 @@ def test_send_user_email_verification(client,
                                       sample_user,
                                       mocker,
                                       email_verification_template):
-    data = json.dumps({})
     mocked = mocker.patch('app.celery.provider_tasks.deliver_email.apply_async')
     auth_header = create_authorization_header()
     resp = client.post(
         url_for('user.send_user_email_verification', user_id=str(sample_user.id)),
-        data=data,
+        data=json.dumps({}),
         headers=[('Content-Type', 'application/json'), auth_header])
     assert resp.status_code == 204
     notification = Notification.query.first()
@@ -292,13 +287,12 @@ def test_send_email_verification_returns_404_for_bad_input_data(client, notify_d
     Tests POST endpoint /user/<user_id>/sms-code return 404 for bad input data
     """
     mocked = mocker.patch('app.celery.provider_tasks.deliver_email.apply_async')
-    data = json.dumps({})
     import uuid
     uuid_ = uuid.uuid4()
     auth_header = create_authorization_header()
     resp = client.post(
         url_for('user.send_user_email_verification', user_id=uuid_),
-        data=data,
+        data=json.dumps({}),
         headers=[('Content-Type', 'application/json'), auth_header])
     assert resp.status_code == 404
     assert json.loads(resp.get_data(as_text=True))['message'] == 'No result found'