heckyel/mediagoblin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

moving forgot_password views back to gmg/auth and cleanup

Browse Source
This commit is contained in:
Rodney Ewing 2013-05-24 18:09:57 -07:00
parent 9008e09941
commit f339b76a4e
15 changed files with 144 additions and 477 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
mediagoblin/auth/routing.py
View File

@ -25,4 +25,9 @@ auth_routes = [
('mediagoblin.auth.verify_email', '/verify_email/', ('mediagoblin.auth.verify_email', '/verify_email/',
'mediagoblin.auth.views:verify_email'), 'mediagoblin.auth.views:verify_email'),
('mediagoblin.auth.resend_verification', '/resend_verification/', ('mediagoblin.auth.resend_verification', '/resend_verification/',
'mediagoblin.auth.views:resend_activation')] 'mediagoblin.auth.views:resend_activation'),
('mediagoblin.auth.forgot_password', '/forgot_password/',
'mediagoblin.auth.views:forgot_password'),
('mediagoblin.auth.verify_forgot_password',
'/forgot_password/verify/',
'mediagoblin.auth.views:verify_forgot_password')]

31
mediagoblin/auth/tools.py
View File

@ -22,7 +22,6 @@ from mediagoblin.tools.mail import normalize_email, send_email
from mediagoblin.tools.translate import lazy_pass_to_ugettext as _ from mediagoblin.tools.translate import lazy_pass_to_ugettext as _
from mediagoblin.tools.template import render_template from mediagoblin.tools.template import render_template
from mediagoblin.tools.pluginapi import hook_handle from mediagoblin.tools.pluginapi import hook_handle
from mediagoblin.tools.response import redirect
from mediagoblin import auth from mediagoblin import auth
from mediagoblin.db.models import User from mediagoblin.db.models import User
@ -174,3 +173,33 @@ def send_verification_email(user, request):
# example "GNU MediaGoblin @ Wandborg - [...]". # example "GNU MediaGoblin @ Wandborg - [...]".
'GNU MediaGoblin - Verify your email!', 'GNU MediaGoblin - Verify your email!',
rendered_email) rendered_email)
EMAIL_FP_VERIFICATION_TEMPLATE = (
u"http://{host}{uri}?"
u"userid={userid}&token={fp_verification_key}")
def send_fp_verification_email(user, request):
"""
Send the verification email to users to change their password.
Args:
- user: a user object
- request: the request
"""
rendered_email = render_template(
request, 'mediagoblin/auth/fp_verification_email.txt',
{'username': user.username,
'verification_url': EMAIL_FP_VERIFICATION_TEMPLATE.format(
host=request.host,
uri=request.urlgen('mediagoblin.auth.verify_forgot_password'),
userid=unicode(user.id),
fp_verification_key=user.fp_verification_key)})
# TODO: There is no error handling in place
send_email(
mg_globals.app_config['email_sender_address'],
[user.email],
'GNU MediaGoblin - Change forgotten password!',
rendered_email)

15
mediagoblin/auth/views.py
View File

@ -15,6 +15,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
import uuid import uuid
import datetime
from mediagoblin import messages, mg_globals from mediagoblin import messages, mg_globals
from mediagoblin.db.models import User from mediagoblin.db.models import User
@ -23,7 +24,8 @@ from mediagoblin.tools.translate import pass_to_ugettext as _
from mediagoblin.auth import lib as auth_lib from mediagoblin.auth import lib as auth_lib
from mediagoblin.auth import forms as auth_forms from mediagoblin.auth import forms as auth_forms
from mediagoblin.auth.tools import (send_verification_email, from mediagoblin.auth.tools import (send_verification_email,
register_user, email_debug_message) register_user, email_debug_message,
send_fp_verification_email)
from mediagoblin import auth from mediagoblin import auth
@ -208,13 +210,17 @@ def forgot_password(request):
Sends an email with an url to renew forgotten password. Sends an email with an url to renew forgotten password.
Use GET querystring parameter 'username' to pre-populate the input field Use GET querystring parameter 'username' to pre-populate the input field
""" """
if not 'pass_auth' in request.template_env.globals:
return redirect(request, 'index')
fp_form = auth_forms.ForgotPassForm(request.form, fp_form = auth_forms.ForgotPassForm(request.form,
username=request.args.get('username')) username=request.args.get('username'))
if not (request.method == 'POST' and fp_form.validate()): if not (request.method == 'POST' and fp_form.validate()):
# Either GET request, or invalid form submitted. Display the template # Either GET request, or invalid form submitted. Display the template
return render_to_response(request, return render_to_response(request,
'mediagoblin/auth/forgot_password.html', {'fp_form': fp_form}) 'mediagoblin/auth/forgot_password.html', {'fp_form': fp_form,
'focus': 'username'})
# If we are here: method == POST and form is valid. username casing # If we are here: method == POST and form is valid. username casing
# has been sanitized. Store if a user was found by email. We should # has been sanitized. Store if a user was found by email. We should
@ -310,7 +316,8 @@ def verify_forgot_password(request):
return render_to_response( return render_to_response(
request, request,
'mediagoblin/auth/change_fp.html', 'mediagoblin/auth/change_fp.html',
{'cp_form': cp_form}) {'cp_form': cp_form,
'focus': 'password'})
# in case there is a valid id but no user with that id in the db # in case there is a valid id but no user with that id in the db
# or the token expired # or the token expired
@ -334,6 +341,6 @@ def _process_for_token(request):
formdata = { formdata = {
'vars': formdata_vars, 'vars': formdata_vars,
'has_userid_and_token': 'has_userid_and_token':
'userid' in formdata_vars and 'token' in formdata_vars} 'userid' in formdata_vars and 'token' in formdata_vars}
return formdata return formdata

5
mediagoblin/plugins/basic_auth/__init__.py
View File

@ -13,11 +13,10 @@
# #
# You should have received a copy of the GNU Affero General Public License # You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import uuid import uuid
import forms as auth_forms from mediagoblin.plugins.basic_auth import forms as auth_forms
import lib as auth_lib from mediagoblin.plugins.basic_auth import lib as auth_lib
from mediagoblin.db.models import User from mediagoblin.db.models import User
from mediagoblin.tools import pluginapi from mediagoblin.tools import pluginapi
from sqlalchemy import or_ from sqlalchemy import or_

22
mediagoblin/plugins/basic_auth/forms.py
View File

@ -26,7 +26,7 @@ class RegistrationForm(wtforms.Form):
normalize_user_or_email_field(allow_email=False)]) normalize_user_or_email_field(allow_email=False)])
password = wtforms.PasswordField( password = wtforms.PasswordField(
_('Password'), _('Password'),
[wtforms.validators.Optional(), [wtforms.validators.Required(),
wtforms.validators.Length(min=5, max=1024)]) wtforms.validators.Length(min=5, max=1024)])
email = wtforms.TextField( email = wtforms.TextField(
_('Email address'), _('Email address'),
@ -43,23 +43,3 @@ class LoginForm(wtforms.Form):
_('Password'), _('Password'),
[wtforms.validators.Required(), [wtforms.validators.Required(),
wtforms.validators.Length(min=5, max=1024)]) wtforms.validators.Length(min=5, max=1024)])
class ForgotPassForm(wtforms.Form):
username = wtforms.TextField(
_('Username or email'),
[wtforms.validators.Required(),
normalize_user_or_email_field()])
class ChangePassForm(wtforms.Form):
password = wtforms.PasswordField(
'Password',
[wtforms.validators.Required(),
wtforms.validators.Length(min=5, max=1024)])
userid = wtforms.HiddenField(
'',
[wtforms.validators.Required()])
token = wtforms.HiddenField(
'',
[wtforms.validators.Required()])

35
mediagoblin/plugins/basic_auth/lib.py
View File

@ -16,10 +16,6 @@
import bcrypt import bcrypt
import random import random
from mediagoblin.tools.template import render_template
from mediagoblin.tools.mail import send_email
from mediagoblin import mg_globals
def bcrypt_check_password(raw_pass, stored_hash, extra_salt=None): def bcrypt_check_password(raw_pass, stored_hash, extra_salt=None):
""" """
@ -69,37 +65,6 @@ def bcrypt_gen_password_hash(raw_pass, extra_salt=None):
bcrypt.hashpw(raw_pass.encode('utf-8'), bcrypt.gensalt())) bcrypt.hashpw(raw_pass.encode('utf-8'), bcrypt.gensalt()))
EMAIL_FP_VERIFICATION_TEMPLATE = (
u"http://{host}{uri}?"
u"userid={userid}&token={fp_verification_key}")
def send_fp_verification_email(user, request):
"""
Send the verification email to users to change their password.
Args:
- user: a user object
- request: the request
"""
rendered_email = render_template(
request, 'mediagoblin/auth/fp_verification_email.txt',
{'username': user.username,
'verification_url': EMAIL_FP_VERIFICATION_TEMPLATE.format(
host=request.host,
uri=request.urlgen('mediagoblin.plugins.' +
'basic_auth.verify_forgot_password'),
userid=unicode(user.id),
fp_verification_key=user.fp_verification_key)})
# TODO: There is no error handling in place
send_email(
mg_globals.app_config['email_sender_address'],
[user.email],
'GNU MediaGoblin - Change forgotten password!',
rendered_email)
def fake_login_attempt(): def fake_login_attempt():
""" """
Pretend we're trying to login. Pretend we're trying to login.

44
mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/change_fp.html
View File

@ -1,44 +0,0 @@
{#
# GNU MediaGoblin -- federated, autonomous media hosting
# Copyright (C) 2011 Free Software Foundation, Inc
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#}
{% extends "mediagoblin/base.html" %}
{% import "/mediagoblin/utils/wtforms.html" as wtforms_util %}
{% block mediagoblin_head %}
<script type="text/javascript"
src="{{ request.staticdirect('/js/show_password.js') }}"></script>
{% endblock mediagoblin_head %}
{% block title -%}
{% trans %}Set your new password{% endtrans %} &mdash; {{ super() }}
{%- endblock %}
{% block mediagoblin_content %}
<form action="{{ request.urlgen('mediagoblin.plugins.basic_auth.verify_forgot_password') }}"
method="POST" enctype="multipart/form-data">
{{ csrf_token }}
<div class="form_box">
<h1>{% trans %}Set your new password{% endtrans %}</h1>
{{ wtforms_util.render_divs(cp_form) }}
<div class="form_submit_buttons">
<input type="submit" value="{% trans %}Set password{% endtrans %}" class="button_form"/>
</div>
</div>
</form>
{% endblock %}

38
mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/forgot_password.html
View File

@ -1,38 +0,0 @@
{#
# GNU MediaGoblin -- federated, autonomous media hosting
# Copyright (C) 2011 Free Software Foundation, Inc
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#}
{% extends "mediagoblin/base.html" %}
{% import "/mediagoblin/utils/wtforms.html" as wtforms_util %}
{% block title -%}
{% trans %}Recover password{% endtrans %} &mdash; {{ super() }}
{%- endblock %}
{% block mediagoblin_content %}
<form action="{{ request.urlgen('mediagoblin.plugins.basic_auth.forgot_password') }}"
method="POST" enctype="multipart/form-data">
{{ csrf_token }}
<div class="form_box">
<h1>{% trans %}Recover password{% endtrans %}</h1>
{{ wtforms_util.render_divs(fp_form) }}
<div class="form_submit_buttons">
<input type="submit" value="{% trans %}Send instructions{% endtrans %}" class="button_form"/>
</div>
</div>
</form>
{% endblock %}

165
mediagoblin/plugins/basic_auth/views.py
View File

@ -1,165 +0,0 @@
# GNU MediaGoblin -- federated, autonomous media hosting
# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import uuid
import datetime
import forms as auth_forms
from mediagoblin.tools.response import render_to_response, redirect, render_404
from mediagoblin.db.models import User
from mediagoblin.tools.translate import pass_to_ugettext as _
from mediagoblin import messages
from mediagoblin.auth.views import email_debug_message
from mediagoblin.auth.lib import send_fp_verification_email
from mediagoblin.auth import lib as auth_lib
def forgot_password(request):
"""
Forgot password view
Sends an email with an url to renew forgotten password.
Use GET querystring parameter 'username' to pre-populate the input field
"""
fp_form = auth_forms.ForgotPassForm(request.form,
username=request.args.get('username'))
if not (request.method == 'POST' and fp_form.validate()):
# Either GET request, or invalid form submitted. Display the template
return render_to_response(request,
'mediagoblin/plugins/basic_auth/forgot_password.html', {'fp_form': fp_form})
# If we are here: method == POST and form is valid. username casing
# has been sanitized. Store if a user was found by email. We should
# not reveal if the operation was successful then as we don't want to
# leak if an email address exists in the system.
found_by_email = '@' in fp_form.username.data
if found_by_email:
user = User.query.filter_by(
email=fp_form.username.data).first()
# Don't reveal success in case the lookup happened by email address.
success_message = _("If that email address (case sensitive!) is "
"registered an email has been sent with "
"instructions on how to change your password.")
else: # found by username
user = User.query.filter_by(
username=fp_form.username.data).first()
if user is None:
messages.add_message(request,
messages.WARNING,
_("Couldn't find someone with that username."))
return redirect(request, 'mediagoblin.auth.forgot_password')
success_message = _("An email has been sent with instructions "
"on how to change your password.")
if user and not(user.email_verified and user.status == 'active'):
# Don't send reminder because user is inactive or has no verified email
messages.add_message(request,
messages.WARNING,
_("Could not send password recovery email as your username is in"
"active or your account's email address has not been verified."))
return redirect(request, 'mediagoblin.user_pages.user_home',
user=user.username)
# SUCCESS. Send reminder and return to login page
if user:
user.fp_verification_key = unicode(uuid.uuid4())
user.fp_token_expire = datetime.datetime.now() + \
datetime.timedelta(days=10)
user.save()
email_debug_message(request)
send_fp_verification_email(user, request)
messages.add_message(request, messages.INFO, success_message)
return redirect(request, 'mediagoblin.auth.login')
def verify_forgot_password(request):
"""
Check the forgot-password verification and possibly let the user
change their password because of it.
"""
# get form data variables, and specifically check for presence of token
formdata = _process_for_token(request)
if not formdata['has_userid_and_token']:
return render_404(request)
formdata_token = formdata['vars']['token']
formdata_userid = formdata['vars']['userid']
formdata_vars = formdata['vars']
# check if it's a valid user id
user = User.query.filter_by(id=formdata_userid).first()
if not user:
return render_404(request)
# check if we have a real user and correct token
if ((user and user.fp_verification_key and
user.fp_verification_key == unicode(formdata_token) and
datetime.datetime.now() < user.fp_token_expire
and user.email_verified and user.status == 'active')):
cp_form = auth_forms.ChangePassForm(formdata_vars)
if request.method == 'POST' and cp_form.validate():
user.pw_hash = auth_lib.bcrypt_gen_password_hash(
cp_form.password.data)
user.fp_verification_key = None
user.fp_token_expire = None
user.save()
messages.add_message(
request,
messages.INFO,
_("You can now log in using your new password."))
return redirect(request, 'mediagoblin.auth.login')
else:
return render_to_response(
request,
'mediagoblin/plugins/basic_auth/change_fp.html',
{'cp_form': cp_form})
# in case there is a valid id but no user with that id in the db
# or the token expired
else:
return render_404(request)
def _process_for_token(request):
"""
Checks for tokens in formdata without prior knowledge of request method
For now, returns whether the userid and token formdata variables exist, and
the formdata variables in a hash. Perhaps an object is warranted?
"""
# retrieve the formdata variables
if request.method == 'GET':
formdata_vars = request.GET
else:
formdata_vars = request.form
formdata = {
'vars': formdata_vars,
'has_userid_and_token':
'userid' in formdata_vars and 'token' in formdata_vars}
return formdata

2
mediagoblin/templates/mediagoblin/auth/forgot_password.html
View File

@ -24,7 +24,7 @@
{%- endblock %} {%- endblock %}
{% block mediagoblin_content %} {% block mediagoblin_content %}
<form action="{{ request.urlgen('mediagoblin.plugins.basic_auth.forgot_password') }}" <form action="{{ request.urlgen('mediagoblin.auth.forgot_password') }}"
method="POST" enctype="multipart/form-data"> method="POST" enctype="multipart/form-data">
{{ csrf_token }} {{ csrf_token }}
<div class="form_box"> <div class="form_box">

2
mediagoblin/templates/mediagoblin/auth/login.html
View File

@ -46,10 +46,12 @@
</p> </p>
{% endif %} {% endif %}
{{ wtforms_util.render_divs(login_form) }} {{ wtforms_util.render_divs(login_form) }}
{% if pass_auth %}
<p> <p>
<a href="{{ request.urlgen('mediagoblin.auth.forgot_password') }}" id="forgot_password"> <a href="{{ request.urlgen('mediagoblin.auth.forgot_password') }}" id="forgot_password">
{% trans %}Forgot your password?{% endtrans %}</a> {% trans %}Forgot your password?{% endtrans %}</a>
</p> </p>
{% endif %}
<div class="form_submit_buttons"> <div class="form_submit_buttons">
<input type="submit" value="{% trans %}Log in{% endtrans %}" class="button_form"/> <input type="submit" value="{% trans %}Log in{% endtrans %}" class="button_form"/>
</div> </div>

28
mediagoblin/tests/auth_configs/basic_auth_appconfig.ini
View File

@ -1,28 +0,0 @@
[mediagoblin]
direct_remote_path = /test_static/
email_sender_address = "notice@mediagoblin.example.org"
email_debug_mode = true
no_auth = false
# TODO: Switch to using an in-memory database
sql_engine = "sqlite:///%(here)s/user_dev/mediagoblin.db"
# Celery shouldn't be set up by the application as it's setup via
# mediagoblin.init.celery.from_celery
celery_setup_elsewhere = true
[storage:publicstore]
base_dir = %(here)s/user_dev/media/public
base_url = /mgoblin_media/
[storage:queuestore]
base_dir = %(here)s/user_dev/media/queue
[celery]
CELERY_ALWAYS_EAGER = true
CELERY_RESULT_DBURI = "sqlite:///%(here)s/user_dev/celery.db"
BROKER_HOST = "sqlite:///%(here)s/user_dev/kombu.db"
[plugins]
[[mediagoblin.plugins.basic_auth]]

28
mediagoblin/tests/basic_auth_appconfig.ini
View File

@ -1,28 +0,0 @@
[mediagoblin]
direct_remote_path = /test_static/
email_sender_address = "notice@mediagoblin.example.org"
email_debug_mode = true
no_auth = false
# TODO: Switch to using an in-memory database
sql_engine = "sqlite:///%(here)s/test_user_dev/mediagoblin.db"
# Celery shouldn't be set up by the application as it's setup via
# mediagoblin.init.celery.from_celery
celery_setup_elsewhere = true
[storage:publicstore]
base_dir = %(here)s/test_user_dev/media/public
base_url = /mgoblin_media/
[storage:queuestore]
base_dir = %(here)s/test_user_dev/media/queue
[celery]
CELERY_ALWAYS_EAGER = true
CELERY_RESULT_DBURI = "sqlite:///%(here)s/test_user_dev/celery.db"
BROKER_HOST = "sqlite:///%(here)s/test_user_dev/kombu.db"
[plugins]
[[mediagoblin.plugins.basic_auth]]

92
mediagoblin/tests/test_auth.py
View File

@ -13,9 +13,10 @@
# #
# You should have received a copy of the GNU Affero General Public License # You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
import urlparse
import datetime
import pkg_resources import pkg_resources
import pytest import pytest
import urlparse
from mediagoblin import mg_globals from mediagoblin import mg_globals
from mediagoblin.db.models import User from mediagoblin.db.models import User
@ -172,6 +173,86 @@ def test_register_views(test_app):
## TODO: Also check for double instances of an email address? ## TODO: Also check for double instances of an email address?
### Oops, forgot the password
# -------------------
template.clear_test_template_context()
response = test_app.post(
'/auth/forgot_password/',
{'username': u'happygirl'})
response.follow()
## Did we redirect to the proper page? Use the right template?
assert urlparse.urlsplit(response.location)[2] == '/auth/login/'
assert 'mediagoblin/auth/login.html' in template.TEMPLATE_TEST_CONTEXT
## Make sure link to change password is sent by email
assert len(mail.EMAIL_TEST_INBOX) == 1
message = mail.EMAIL_TEST_INBOX.pop()
assert message['To'] == 'happygrrl@example.org'
email_context = template.TEMPLATE_TEST_CONTEXT[
'mediagoblin/auth/fp_verification_email.txt']
#TODO - change the name of verification_url to something forgot-password-ish
assert email_context['verification_url'] in message.get_payload(decode=True)
path = urlparse.urlsplit(email_context['verification_url'])[2]
get_params = urlparse.urlsplit(email_context['verification_url'])[3]
assert path == u'/auth/forgot_password/verify/'
parsed_get_params = urlparse.parse_qs(get_params)
# user should have matching parameters
new_user = mg_globals.database.User.find_one({'username': u'happygirl'})
assert parsed_get_params['userid'] == [unicode(new_user.id)]
assert parsed_get_params['token'] == [new_user.fp_verification_key]
### The forgotten password token should be set to expire in ~ 10 days
# A few ticks have expired so there are only 9 full days left...
assert (new_user.fp_token_expire - datetime.datetime.now()).days == 9
## Try using a bs password-changing verification key, shouldn't work
template.clear_test_template_context()
response = test_app.get(
"/auth/forgot_password/verify/?userid=%s&token=total_bs" % unicode(
new_user.id), status=404)
assert response.status.split()[0] == u'404' # status="404 NOT FOUND"
## Try using an expired token to change password, shouldn't work
template.clear_test_template_context()
new_user = mg_globals.database.User.find_one({'username': u'happygirl'})
real_token_expiration = new_user.fp_token_expire
new_user.fp_token_expire = datetime.datetime.now()
new_user.save()
response = test_app.get("%s?%s" % (path, get_params), status=404)
assert response.status.split()[0] == u'404' # status="404 NOT FOUND"
new_user.fp_token_expire = real_token_expiration
new_user.save()
## Verify step 1 of password-change works -- can see form to change password
template.clear_test_template_context()
response = test_app.get("%s?%s" % (path, get_params))
assert 'mediagoblin/auth/change_fp.html' in template.TEMPLATE_TEST_CONTEXT
## Verify step 2.1 of password-change works -- report success to user
template.clear_test_template_context()
response = test_app.post(
'/auth/forgot_password/verify/', {
'userid': parsed_get_params['userid'],
'password': 'iamveryveryhappy',
'token': parsed_get_params['token']})
response.follow()
assert 'mediagoblin/auth/login.html' in template.TEMPLATE_TEST_CONTEXT
## Verify step 2.2 of password-change works -- login w/ new password success
template.clear_test_template_context()
response = test_app.post(
'/auth/login/', {
'username': u'happygirl',
'password': 'iamveryveryhappy'})
# User should be redirected
response.follow()
assert urlparse.urlsplit(response.location)[2] == '/'
assert 'mediagoblin/root.html' in template.TEMPLATE_TEST_CONTEXT
def test_authentication_views(test_app): def test_authentication_views(test_app):
""" """
@ -325,3 +406,12 @@ def test_no_auth_true_no_auth_plugin_app(no_auth_true_no_auth_plugin_app):
## Test check_login should return False ## Test check_login should return False
assert auth.check_login('test', 'simple') is False assert auth.check_login('test', 'simple') is False
# Try to visit the forgot password page
template.clear_test_template_context()
response = no_auth_true_no_auth_plugin_app.get('/auth/register/')
response.follow()
# Correct redirect?
assert urlparse.urlsplit(response.location)[2] == '/'
assert 'mediagoblin/root.html' in template.TEMPLATE_TEST_CONTEXT

107
mediagoblin/tests/test_basic_auth.py
View File

@ -13,15 +13,7 @@
# #
# You should have received a copy of the GNU Affero General Public License # You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
import urlparse
import datetime
import pkg_resources
import pytest
from mediagoblin.plugins.basic_auth import lib as auth_lib from mediagoblin.plugins.basic_auth import lib as auth_lib
from mediagoblin import mg_globals
from mediagoblin.tools import template, mail
from mediagoblin.tests.tools import get_app, fixture_add_user
from mediagoblin.tools.testing import _activate_testing from mediagoblin.tools.testing import _activate_testing
_activate_testing() _activate_testing()
@ -65,102 +57,3 @@ def test_bcrypt_gen_password_hash():
pw, hashed_pw, '3><7R45417') pw, hashed_pw, '3><7R45417')
assert not auth_lib.bcrypt_check_password( assert not auth_lib.bcrypt_check_password(
'notthepassword', hashed_pw, '3><7R45417') 'notthepassword', hashed_pw, '3><7R45417')
@pytest.fixture()
def context_modified_app(request):
return get_app(
request,
mgoblin_config=pkg_resources.resource_filename(
'mediagoblin.tests.auth_configs', 'basic_auth_appconfig.ini'))
def test_fp_view(context_modified_app):
### Oops, forgot the password
## Register a user
fixture_add_user(active_user=True)
# -------------------
template.clear_test_template_context()
response = context_modified_app.post(
'/auth/forgot_password/',
{'username': u'chris'})
response.follow()
## Did we redirect to the proper page? Use the right template?
assert urlparse.urlsplit(response.location)[2] == '/auth/login/'
assert 'mediagoblin/auth/login.html' in template.TEMPLATE_TEST_CONTEXT
## Make sure link to change password is sent by email
assert len(mail.EMAIL_TEST_INBOX) == 1
message = mail.EMAIL_TEST_INBOX.pop()
assert message['To'] == 'chris@example.com'
email_context = template.TEMPLATE_TEST_CONTEXT[
'mediagoblin/auth/fp_verification_email.txt']
#TODO - change the name of verification_url to something
# forgot-password-ish
assert email_context['verification_url'] in \
message.get_payload(decode=True)
path = urlparse.urlsplit(email_context['verification_url'])[2]
get_params = urlparse.urlsplit(email_context['verification_url'])[3]
assert path == u'/auth/forgot_password/verify/'
parsed_get_params = urlparse.parse_qs(get_params)
# user should have matching parameters
new_user = mg_globals.database.User.find_one({'username': u'chris'})
assert parsed_get_params['userid'] == [unicode(new_user.id)]
assert parsed_get_params['token'] == [new_user.fp_verification_key]
### The forgotten password token should be set to expire in ~ 10 days
# A few ticks have expired so there are only 9 full days left...
assert (new_user.fp_token_expire - datetime.datetime.now()).days == 9
## Try using a bs password-changing verification key, shouldn't work
template.clear_test_template_context()
response = context_modified_app.get(
"/auth/forgot_password/verify/?userid=%s&token=total_bs" % unicode(
new_user.id), status=404)
assert response.status.split()[0] == u'404' # status="404 NOT FOUND"
## Try using an expired token to change password, shouldn't work
template.clear_test_template_context()
new_user = mg_globals.database.User.find_one({'username': u'chris'})
real_token_expiration = new_user.fp_token_expire
new_user.fp_token_expire = datetime.datetime.now()
new_user.save()
response = context_modified_app.get("%s?%s" % (path, get_params),
status=404)
assert response.status.split()[0] == u'404' # status="404 NOT FOUND"
new_user.fp_token_expire = real_token_expiration
new_user.save()
## Verify step 1 of password-change works -- can see form to
## change password
template.clear_test_template_context()
response = context_modified_app.get("%s?%s" % (path, get_params))
assert 'mediagoblin/plugins/basic_auth/change_fp.html' \
in template.TEMPLATE_TEST_CONTEXT
## Verify step 2.1 of password-change works -- report success to user
template.clear_test_template_context()
response = context_modified_app.post(
'/auth/forgot_password/verify/', {
'userid': parsed_get_params['userid'],
'password': 'iamveryveryhappy',
'token': parsed_get_params['token']})
response.follow()
assert 'mediagoblin/auth/login.html' in template.TEMPLATE_TEST_CONTEXT
## Verify step 2.2 of password-change works -- login w/ new password
## success
template.clear_test_template_context()
response = context_modified_app.post(
'/auth/login/', {
'username': u'chris',
'password': 'iamveryveryhappy'})
# User should be redirected
response.follow()
assert urlparse.urlsplit(response.location)[2] == '/'
assert 'mediagoblin/root.html' in template.TEMPLATE_TEST_CONTEXT