You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 

163 lines
5.9 KiB

from django.conf import settings
from django.core import mail
from django.test.utils import override_settings
from hc.accounts.models import Credential
from hc.api.models import Check, TokenBucket
from hc.test import BaseTestCase
class LoginTestCase(BaseTestCase):
def setUp(self):
super().setUp()
self.checks_url = f"/projects/{self.project.code}/checks/"
def test_it_shows_form(self):
r = self.client.get("/accounts/login/")
self.assertContains(r, "Email Me a Link")
def test_it_redirects_authenticated_get(self):
self.client.login(username="[email protected]", password="password")
r = self.client.get("/accounts/login/")
self.assertRedirects(r, self.checks_url)
def test_it_sends_link(self):
form = {"identity": "[email protected]"}
r = self.client.post("/accounts/login/", form)
self.assertRedirects(r, "/accounts/login_link_sent/")
# And email should have been sent
self.assertEqual(len(mail.outbox), 1)
subject = "Log in to %s" % settings.SITE_NAME
self.assertEqual(mail.outbox[0].subject, subject)
def test_it_sends_link_with_next(self):
form = {"identity": "[email protected]"}
r = self.client.post("/accounts/login/?next=" + self.channels_url, form)
self.assertRedirects(r, "/accounts/login_link_sent/")
self.assertIn("auto-login", r.cookies)
# The check_token link should have a ?next= query parameter:
self.assertEqual(len(mail.outbox), 1)
body = mail.outbox[0].body
self.assertTrue("/?next=" + self.channels_url in body)
@override_settings(SECRET_KEY="test-secret")
def test_it_rate_limits_emails(self):
# "d60d..." is sha1("[email protected]")
obj = TokenBucket(value="em-d60db3b2343e713a4de3e92d4eb417e4f05f06ab")
obj.tokens = 0
obj.save()
form = {"identity": "[email protected]"}
r = self.client.post("/accounts/login/", form)
self.assertContains(r, "Too many attempts")
# No email should have been sent
self.assertEqual(len(mail.outbox), 0)
def test_it_pops_bad_link_from_session(self):
self.client.session["bad_link"] = True
self.client.get("/accounts/login/")
assert "bad_link" not in self.client.session
def test_it_ignores_case(self):
form = {"identity": "[email protected]"}
r = self.client.post("/accounts/login/", form)
self.assertRedirects(r, "/accounts/login_link_sent/")
self.profile.refresh_from_db()
self.assertIn("login", self.profile.token)
def test_it_handles_password(self):
form = {"action": "login", "email": "[email protected]", "password": "password"}
r = self.client.post("/accounts/login/", form)
self.assertRedirects(r, self.checks_url)
@override_settings(SECRET_KEY="test-secret")
def test_it_rate_limits_password_attempts(self):
# "d60d..." is sha1("[email protected]")
obj = TokenBucket(value="pw-d60db3b2343e713a4de3e92d4eb417e4f05f06ab")
obj.tokens = 0
obj.save()
form = {"action": "login", "email": "[email protected]", "password": "password"}
r = self.client.post("/accounts/login/", form)
self.assertContains(r, "Too many attempts")
def test_it_handles_password_login_with_redirect(self):
check = Check.objects.create(project=self.project)
form = {"action": "login", "email": "[email protected]", "password": "password"}
samples = [self.channels_url, "/checks/%s/details/" % check.code]
for s in samples:
r = self.client.post("/accounts/login/?next=%s" % s, form)
self.assertRedirects(r, s)
def test_it_handles_bad_next_parameter(self):
form = {"action": "login", "email": "[email protected]", "password": "password"}
samples = [
"/evil/",
f"https://example.org/projects/{self.project.code}/checks/",
]
for sample in samples:
r = self.client.post("/accounts/login/?next=" + sample, form)
self.assertRedirects(r, self.checks_url)
def test_it_handles_wrong_password(self):
form = {
"action": "login",
"email": "[email protected]",
"password": "wrong password",
}
r = self.client.post("/accounts/login/", form)
self.assertContains(r, "Incorrect email or password")
@override_settings(REGISTRATION_OPEN=False)
def test_it_obeys_registration_open(self):
r = self.client.get("/accounts/login/")
self.assertNotContains(r, "Create Your Account")
def test_it_redirects_to_webauthn_form(self):
Credential.objects.create(user=self.alice, name="Alices Key")
form = {"action": "login", "email": "[email protected]", "password": "password"}
r = self.client.post("/accounts/login/", form)
self.assertRedirects(
r, "/accounts/login/two_factor/", fetch_redirect_response=False
)
# It should not log the user in yet
self.assertNotIn("_auth_user_id", self.client.session)
# Instead, it should set 2fa_user_id in the session
user_id, email, valid_until = self.client.session["2fa_user"]
self.assertEqual(user_id, self.alice.id)
def test_it_redirects_to_totp_form(self):
self.profile.totp = "0" * 32
self.profile.save()
form = {"action": "login", "email": "[email protected]", "password": "password"}
r = self.client.post("/accounts/login/", form)
self.assertRedirects(
r, "/accounts/login/two_factor/totp/", fetch_redirect_response=False
)
# It should not log the user in yet
self.assertNotIn("_auth_user_id", self.client.session)
# Instead, it should set 2fa_user_id in the session
user_id, email, valid_until = self.client.session["2fa_user"]
self.assertEqual(user_id, self.alice.id)