Merge pull request #28 from alphagov/verify_user_password

Added user verify password endpoint.
2026-02-03 18:01:08 -05:00 · 2016-01-20 17:07:23 +00:00
parent 1fd3c9139f 0ec69b89ee
commit eeffd4c6e2
2 changed files with 95 additions and 4 deletions
--- a/app/user/rest.py
+++ b/app/user/rest.py
@@ -13,11 +13,11 @@ from flask import Blueprint
 user = Blueprint('user', __name__)


-# TODO auth to be added
@user.route('', methods=['POST'])
 def create_user():
    user, errors = user_schema.load(request.get_json())
    req_json = request.get_json()
+    # TODO password policy, what is valid password
    if not req_json.get('password'):
        errors = {'password': ['Missing data for required field.']}
        return jsonify(result="error", message=errors), 400
@@ -29,7 +29,6 @@ def create_user():
    return jsonify(data=user_schema.dump(user).data), 201


-# TODO auth to be added
@user.route('/<int:user_id>', methods=['PUT', 'DELETE'])
 def update_user(user_id):
    try:
@@ -50,7 +49,27 @@ def update_user(user_id):
    return jsonify(data=user_schema.dump(user).data), status_code


-# TODO auth to be added.
+@user.route('/<int:user_id>/verify/password', methods=['POST'])
+def verify_user_password(user_id):
+    try:
+        user = get_model_users(user_id=user_id)
+    except DataError:
+        return jsonify(result="error", message="Invalid user id"), 400
+    except NoResultFound:
+        return jsonify(result="error", message="User not found"), 404
+    text_pwd = None
+    try:
+        text_pwd = request.get_json()['password']
+    except KeyError:
+        return jsonify(
+            result="error",
+            message={'password': ['Required field missing data']}), 400
+    if user.check_password(text_pwd):
+        return jsonify(), 204
+    else:
+        return jsonify(result='error', message={'password': ['Incorrect password']}), 400
+
+
@user.route('/<int:user_id>', methods=['GET'])
@user.route('/', methods=['GET'])
 def get_user(user_id=None):
@@ -64,7 +83,6 @@ def get_user(user_id=None):
    return jsonify(data=result.data)


-# TODO auth to be added
@user.route('/<int:user_id>/service', methods=['GET'])
@user.route('/<int:user_id>/service/<int:service_id>', methods=['GET'])
 def get_service_by_user_id(user_id, service_id=None):
--- a/tests/app/user/test_rest.py
+++ b/tests/app/user/test_rest.py
@@ -358,3 +358,76 @@ def test_delete_user_not_exists(notify_api, notify_db, notify_db_session, sample
                headers=[('Content-Type', 'application/json'), auth_header])
            assert resp.status_code == 404
            assert User.query.count() == 2
+
+
+def test_user_verify_password(notify_api,
+                              notify_db,
+                              notify_db_session,
+                              sample_user,
+                              sample_admin_service_id):
+    """
+    Tests POST endpoint '/<user_id>/verify/password'
+    """
+    with notify_api.test_request_context():
+        with notify_api.test_client() as client:
+            data = json.dumps({'password': 'password'})
+            auth_header = create_authorization_header(
+                service_id=sample_admin_service_id,
+                path=url_for('user.verify_user_password', user_id=sample_user.id),
+                method='POST',
+                request_body=data)
+            resp = client.post(
+                url_for('user.verify_user_password', user_id=sample_user.id),
+                data=data,
+                headers=[('Content-Type', 'application/json'), auth_header])
+            assert resp.status_code == 204
+
+
+def test_user_verify_password_invalid_password(notify_api,
+                                               notify_db,
+                                               notify_db_session,
+                                               sample_user,
+                                               sample_admin_service_id):
+    """
+    Tests POST endpoint '/<user_id>/verify/password' invalid endpoint.
+    """
+    with notify_api.test_request_context():
+        with notify_api.test_client() as client:
+            data = json.dumps({'password': 'bad password'})
+            auth_header = create_authorization_header(
+                service_id=sample_admin_service_id,
+                path=url_for('user.verify_user_password', user_id=sample_user.id),
+                method='POST',
+                request_body=data)
+            resp = client.post(
+                url_for('user.verify_user_password', user_id=sample_user.id),
+                data=data,
+                headers=[('Content-Type', 'application/json'), auth_header])
+            assert resp.status_code == 400
+            json_resp = json.loads(resp.get_data(as_text=True))
+            assert 'Incorrect password' in json_resp['message']['password']
+
+
+def test_user_verify_password_missing_password(notify_api,
+                                               notify_db,
+                                               notify_db_session,
+                                               sample_user,
+                                               sample_admin_service_id):
+    """
+    Tests POST endpoint '/<user_id>/verify/password' missing password.
+    """
+    with notify_api.test_request_context():
+        with notify_api.test_client() as client:
+            data = json.dumps({'bingo': 'bongo'})
+            auth_header = create_authorization_header(
+                service_id=sample_admin_service_id,
+                path=url_for('user.verify_user_password', user_id=sample_user.id),
+                method='POST',
+                request_body=data)
+            resp = client.post(
+                url_for('user.verify_user_password', user_id=sample_user.id),
+                data=data,
+                headers=[('Content-Type', 'application/json'), auth_header])
+            assert resp.status_code == 400
+            json_resp = json.loads(resp.get_data(as_text=True))
+            assert 'Required field missing data' in json_resp['message']['password']