add passreset routes

Introduced `get|post` `/passreset` routes. These routes mimic the behavior of the existing PHP implementation, with the exception of HTTP status code returns. Routes added: GET /passreset POST /passreset Routers added: aurweb.routers.accounts * On an unknown user or mismatched resetkey (where resetkey must == user.resetkey), return HTTP status NOT_FOUND (404). * On another error in the request, return HTTP status BAD_REQUEST (400). Both `get|post` routes requires that the current user is **not** authenticated, hence `@auth_required(False, redirect="/")`. + Added auth_required decorator to aurweb.auth. + Added some more utility to aurweb.models.user.User. + Added `partials/error.html` template. + Added `passreset.html` template. + Added aurweb.db.ConnectionExecutor functor for paramstyle logic. Decoupling the executor logic from the database connection logic is needed for us to easily use the same logic with a fastapi database session, when we need to use aurweb.scripts modules. At this point, notification configuration is now required to complete tests involved with notifications properly, like passreset. `conf/config.dev` has been modified to include [notifications] sendmail, sender and reply-to overrides. Dockerfile and .gitlab-ci.yml have been updated to setup /etc/hosts and start postfix before running tests. * setup.cfg: ignore E741, C901 in aurweb.routers.accounts These two warnings (shown in the commit) are not dangerous and a bi-product of maintaining compatibility with our current code flow. Signed-off-by: Kevin Morris <kevr@0cost.org>
2025-02-03 10:43:03 +01:00 · 2021-01-06 21:00:12 -08:00 · 2021-01-06 21:00:12 -08:00 · a33d076d8b
commit a33d076d8b
parent 4423326cec
15 changed files with 552 additions and 41 deletions
--- a/test/test_auth_routes.py
+++ b/test/test_auth_routes.py
@ -14,8 +14,12 @@ from aurweb.models.session import Session
 from aurweb.testing import setup_test_db
 from aurweb.testing.models import make_user

-client = TestClient(app)
+# Some test global constants.
+TEST_USERNAME = "test"
+TEST_EMAIL = "test@example.org"

+# Global mutables.
+client = TestClient(app)
 user = None


@ -27,7 +31,8 @@ def setup():

    account_type = query(AccountType,
                         AccountType.AccountType == "User").first()
-    user = make_user(Username="test", Email="test@example.org",
+
+    user = make_user(Username=TEST_USERNAME, Email=TEST_EMAIL,
                     RealName="Test User", Passwd="testPassword",
                     AccountType=account_type)

@ -40,16 +45,16 @@ def test_login_logout():
    }

    with client as request:
-        response = client.get("/login")
+        # First, let's test get /login.
+        response = request.get("/login")
        assert response.status_code == int(HTTPStatus.OK)

        response = request.post("/login", data=post_data,
                                allow_redirects=False)
        assert response.status_code == int(HTTPStatus.SEE_OTHER)

-        response = request.get(response.headers.get("location"), cookies={
-            "AURSID": response.cookies.get("AURSID")
-        })
+        # Simulate following the redirect location from above's response.
+        response = request.get(response.headers.get("location"))
        assert response.status_code == int(HTTPStatus.OK)

        response = request.post("/logout", data=post_data,
@ -60,9 +65,37 @@ def test_login_logout():
            "AURSID": response.cookies.get("AURSID")
        }, allow_redirects=False)
        assert response.status_code == int(HTTPStatus.SEE_OTHER)
+
    assert "AURSID" not in response.cookies


+def test_authenticated_login_forbidden():
+    post_data = {
+        "user": "test",
+        "passwd": "testPassword",
+        "next": "/"
+    }
+
+    with client as request:
+        # Login.
+        response = request.post("/login", data=post_data,
+                                allow_redirects=False)
+        assert response.status_code == int(HTTPStatus.SEE_OTHER)
+
+        # Now, let's verify that we receive 403 Forbidden when we
+        # try to get /login as an authenticated user.
+        response = request.get("/login", allow_redirects=False)
+        assert response.status_code == int(HTTPStatus.SEE_OTHER)
+
+
+def test_unauthenticated_logout_unauthorized():
+    with client as request:
+        # Alright, let's verify that attempting to /logout when not
+        # authenticated returns 401 Unauthorized.
+        response = request.get("/logout", allow_redirects=False)
+        assert response.status_code == int(HTTPStatus.SEE_OTHER)
+
+
 def test_login_missing_username():
    post_data = {
        "passwd": "testPassword",
@ -75,8 +108,6 @@ def test_login_missing_username():


 def test_login_remember_me():
-    from aurweb.db import session
-
    post_data = {
        "user": "test",
        "passwd": "testPassword",
@ -94,8 +125,8 @@ def test_login_remember_me():
        "options", "persistent_cookie_timeout")
    expected_ts = datetime.utcnow().timestamp() + cookie_timeout

-    _session = session.query(Session).filter(
-        Session.UsersID == user.ID).first()
+    _session = query(Session,
+                     Session.UsersID == user.ID).first()

    # Expect that LastUpdateTS was within 5 seconds of the expected_ts,
    # which is equal to the current timestamp + persistent_cookie_timeout.