From f339b76a4ee04571bd0a94d20a5d53d7f3d8d235 Mon Sep 17 00:00:00 2001 From: Rodney Ewing Date: Fri, 24 May 2013 18:09:57 -0700 Subject: [PATCH] moving forgot_password views back to gmg/auth and cleanup --- mediagoblin/auth/routing.py | 7 +- mediagoblin/auth/tools.py | 31 +++- mediagoblin/auth/views.py | 15 +- mediagoblin/plugins/basic_auth/__init__.py | 5 +- mediagoblin/plugins/basic_auth/forms.py | 22 +-- mediagoblin/plugins/basic_auth/lib.py | 35 ---- .../plugins/basic_auth/change_fp.html | 44 ----- .../plugins/basic_auth/forgot_password.html | 38 ---- mediagoblin/plugins/basic_auth/views.py | 165 ------------------ .../mediagoblin/auth/forgot_password.html | 2 +- .../templates/mediagoblin/auth/login.html | 2 + .../auth_configs/basic_auth_appconfig.ini | 28 --- mediagoblin/tests/basic_auth_appconfig.ini | 28 --- mediagoblin/tests/test_auth.py | 92 +++++++++- mediagoblin/tests/test_basic_auth.py | 107 ------------ 15 files changed, 144 insertions(+), 477 deletions(-) delete mode 100644 mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/change_fp.html delete mode 100644 mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/forgot_password.html delete mode 100644 mediagoblin/plugins/basic_auth/views.py delete mode 100644 mediagoblin/tests/auth_configs/basic_auth_appconfig.ini delete mode 100644 mediagoblin/tests/basic_auth_appconfig.ini diff --git a/mediagoblin/auth/routing.py b/mediagoblin/auth/routing.py index 7a688a49..2a6abb47 100644 --- a/mediagoblin/auth/routing.py +++ b/mediagoblin/auth/routing.py @@ -25,4 +25,9 @@ auth_routes = [ ('mediagoblin.auth.verify_email', '/verify_email/', 'mediagoblin.auth.views:verify_email'), ('mediagoblin.auth.resend_verification', '/resend_verification/', - 'mediagoblin.auth.views:resend_activation')] + 'mediagoblin.auth.views:resend_activation'), + ('mediagoblin.auth.forgot_password', '/forgot_password/', + 'mediagoblin.auth.views:forgot_password'), + ('mediagoblin.auth.verify_forgot_password', + '/forgot_password/verify/', + 'mediagoblin.auth.views:verify_forgot_password')] diff --git a/mediagoblin/auth/tools.py b/mediagoblin/auth/tools.py index ac2f6504..3e3c36f0 100644 --- a/mediagoblin/auth/tools.py +++ b/mediagoblin/auth/tools.py @@ -22,7 +22,6 @@ from mediagoblin.tools.mail import normalize_email, send_email from mediagoblin.tools.translate import lazy_pass_to_ugettext as _ from mediagoblin.tools.template import render_template from mediagoblin.tools.pluginapi import hook_handle -from mediagoblin.tools.response import redirect from mediagoblin import auth from mediagoblin.db.models import User @@ -174,3 +173,33 @@ def send_verification_email(user, request): # example "GNU MediaGoblin @ Wandborg - [...]". 'GNU MediaGoblin - Verify your email!', rendered_email) + + +EMAIL_FP_VERIFICATION_TEMPLATE = ( + u"http://{host}{uri}?" + u"userid={userid}&token={fp_verification_key}") + + +def send_fp_verification_email(user, request): + """ + Send the verification email to users to change their password. + + Args: + - user: a user object + - request: the request + """ + rendered_email = render_template( + request, 'mediagoblin/auth/fp_verification_email.txt', + {'username': user.username, + 'verification_url': EMAIL_FP_VERIFICATION_TEMPLATE.format( + host=request.host, + uri=request.urlgen('mediagoblin.auth.verify_forgot_password'), + userid=unicode(user.id), + fp_verification_key=user.fp_verification_key)}) + + # TODO: There is no error handling in place + send_email( + mg_globals.app_config['email_sender_address'], + [user.email], + 'GNU MediaGoblin - Change forgotten password!', + rendered_email) diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py index 5a360bd0..a21a92e9 100644 --- a/mediagoblin/auth/views.py +++ b/mediagoblin/auth/views.py @@ -15,6 +15,7 @@ # along with this program. If not, see . import uuid +import datetime from mediagoblin import messages, mg_globals from mediagoblin.db.models import User @@ -23,7 +24,8 @@ from mediagoblin.tools.translate import pass_to_ugettext as _ from mediagoblin.auth import lib as auth_lib from mediagoblin.auth import forms as auth_forms from mediagoblin.auth.tools import (send_verification_email, - register_user, email_debug_message) + register_user, email_debug_message, + send_fp_verification_email) from mediagoblin import auth @@ -208,13 +210,17 @@ def forgot_password(request): Sends an email with an url to renew forgotten password. Use GET querystring parameter 'username' to pre-populate the input field """ + if not 'pass_auth' in request.template_env.globals: + return redirect(request, 'index') + fp_form = auth_forms.ForgotPassForm(request.form, username=request.args.get('username')) if not (request.method == 'POST' and fp_form.validate()): # Either GET request, or invalid form submitted. Display the template return render_to_response(request, - 'mediagoblin/auth/forgot_password.html', {'fp_form': fp_form}) + 'mediagoblin/auth/forgot_password.html', {'fp_form': fp_form, + 'focus': 'username'}) # If we are here: method == POST and form is valid. username casing # has been sanitized. Store if a user was found by email. We should @@ -310,7 +316,8 @@ def verify_forgot_password(request): return render_to_response( request, 'mediagoblin/auth/change_fp.html', - {'cp_form': cp_form}) + {'cp_form': cp_form, + 'focus': 'password'}) # in case there is a valid id but no user with that id in the db # or the token expired @@ -334,6 +341,6 @@ def _process_for_token(request): formdata = { 'vars': formdata_vars, 'has_userid_and_token': - 'userid' in formdata_vars and 'token' in formdata_vars} + 'userid' in formdata_vars and 'token' in formdata_vars} return formdata diff --git a/mediagoblin/plugins/basic_auth/__init__.py b/mediagoblin/plugins/basic_auth/__init__.py index 2d6f7dbd..2fe161cb 100644 --- a/mediagoblin/plugins/basic_auth/__init__.py +++ b/mediagoblin/plugins/basic_auth/__init__.py @@ -13,11 +13,10 @@ # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . -import os import uuid -import forms as auth_forms -import lib as auth_lib +from mediagoblin.plugins.basic_auth import forms as auth_forms +from mediagoblin.plugins.basic_auth import lib as auth_lib from mediagoblin.db.models import User from mediagoblin.tools import pluginapi from sqlalchemy import or_ diff --git a/mediagoblin/plugins/basic_auth/forms.py b/mediagoblin/plugins/basic_auth/forms.py index 8321c227..f389b21e 100644 --- a/mediagoblin/plugins/basic_auth/forms.py +++ b/mediagoblin/plugins/basic_auth/forms.py @@ -26,7 +26,7 @@ class RegistrationForm(wtforms.Form): normalize_user_or_email_field(allow_email=False)]) password = wtforms.PasswordField( _('Password'), - [wtforms.validators.Optional(), + [wtforms.validators.Required(), wtforms.validators.Length(min=5, max=1024)]) email = wtforms.TextField( _('Email address'), @@ -43,23 +43,3 @@ class LoginForm(wtforms.Form): _('Password'), [wtforms.validators.Required(), wtforms.validators.Length(min=5, max=1024)]) - - -class ForgotPassForm(wtforms.Form): - username = wtforms.TextField( - _('Username or email'), - [wtforms.validators.Required(), - normalize_user_or_email_field()]) - - -class ChangePassForm(wtforms.Form): - password = wtforms.PasswordField( - 'Password', - [wtforms.validators.Required(), - wtforms.validators.Length(min=5, max=1024)]) - userid = wtforms.HiddenField( - '', - [wtforms.validators.Required()]) - token = wtforms.HiddenField( - '', - [wtforms.validators.Required()]) diff --git a/mediagoblin/plugins/basic_auth/lib.py b/mediagoblin/plugins/basic_auth/lib.py index 999abfd9..1300bb9a 100644 --- a/mediagoblin/plugins/basic_auth/lib.py +++ b/mediagoblin/plugins/basic_auth/lib.py @@ -16,10 +16,6 @@ import bcrypt import random -from mediagoblin.tools.template import render_template -from mediagoblin.tools.mail import send_email -from mediagoblin import mg_globals - def bcrypt_check_password(raw_pass, stored_hash, extra_salt=None): """ @@ -69,37 +65,6 @@ def bcrypt_gen_password_hash(raw_pass, extra_salt=None): bcrypt.hashpw(raw_pass.encode('utf-8'), bcrypt.gensalt())) -EMAIL_FP_VERIFICATION_TEMPLATE = ( - u"http://{host}{uri}?" - u"userid={userid}&token={fp_verification_key}") - - -def send_fp_verification_email(user, request): - """ - Send the verification email to users to change their password. - - Args: - - user: a user object - - request: the request - """ - rendered_email = render_template( - request, 'mediagoblin/auth/fp_verification_email.txt', - {'username': user.username, - 'verification_url': EMAIL_FP_VERIFICATION_TEMPLATE.format( - host=request.host, - uri=request.urlgen('mediagoblin.plugins.' + - 'basic_auth.verify_forgot_password'), - userid=unicode(user.id), - fp_verification_key=user.fp_verification_key)}) - - # TODO: There is no error handling in place - send_email( - mg_globals.app_config['email_sender_address'], - [user.email], - 'GNU MediaGoblin - Change forgotten password!', - rendered_email) - - def fake_login_attempt(): """ Pretend we're trying to login. diff --git a/mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/change_fp.html b/mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/change_fp.html deleted file mode 100644 index 9ce12e13..00000000 --- a/mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/change_fp.html +++ /dev/null @@ -1,44 +0,0 @@ -{# -# GNU MediaGoblin -- federated, autonomous media hosting -# Copyright (C) 2011 Free Software Foundation, Inc -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . -#} -{% extends "mediagoblin/base.html" %} - -{% import "/mediagoblin/utils/wtforms.html" as wtforms_util %} - -{% block mediagoblin_head %} - -{% endblock mediagoblin_head %} - -{% block title -%} - {% trans %}Set your new password{% endtrans %} — {{ super() }} -{%- endblock %} - -{% block mediagoblin_content %} -
- {{ csrf_token }} -
-

{% trans %}Set your new password{% endtrans %}

- {{ wtforms_util.render_divs(cp_form) }} -
- -
-
-
-{% endblock %} - diff --git a/mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/forgot_password.html b/mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/forgot_password.html deleted file mode 100644 index 98cd9a06..00000000 --- a/mediagoblin/plugins/basic_auth/templates/mediagoblin/plugins/basic_auth/forgot_password.html +++ /dev/null @@ -1,38 +0,0 @@ -{# -# GNU MediaGoblin -- federated, autonomous media hosting -# Copyright (C) 2011 Free Software Foundation, Inc -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . -#} -{% extends "mediagoblin/base.html" %} - -{% import "/mediagoblin/utils/wtforms.html" as wtforms_util %} - -{% block title -%} - {% trans %}Recover password{% endtrans %} — {{ super() }} -{%- endblock %} - -{% block mediagoblin_content %} -
- {{ csrf_token }} -
-

{% trans %}Recover password{% endtrans %}

- {{ wtforms_util.render_divs(fp_form) }} -
- -
-
-
-{% endblock %} diff --git a/mediagoblin/plugins/basic_auth/views.py b/mediagoblin/plugins/basic_auth/views.py deleted file mode 100644 index 69d2c52a..00000000 --- a/mediagoblin/plugins/basic_auth/views.py +++ /dev/null @@ -1,165 +0,0 @@ -# GNU MediaGoblin -- federated, autonomous media hosting -# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS. -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . -import uuid -import datetime - -import forms as auth_forms -from mediagoblin.tools.response import render_to_response, redirect, render_404 -from mediagoblin.db.models import User -from mediagoblin.tools.translate import pass_to_ugettext as _ -from mediagoblin import messages -from mediagoblin.auth.views import email_debug_message -from mediagoblin.auth.lib import send_fp_verification_email -from mediagoblin.auth import lib as auth_lib - - - -def forgot_password(request): - """ - Forgot password view - - Sends an email with an url to renew forgotten password. - Use GET querystring parameter 'username' to pre-populate the input field - """ - fp_form = auth_forms.ForgotPassForm(request.form, - username=request.args.get('username')) - - if not (request.method == 'POST' and fp_form.validate()): - # Either GET request, or invalid form submitted. Display the template - return render_to_response(request, - 'mediagoblin/plugins/basic_auth/forgot_password.html', {'fp_form': fp_form}) - - # If we are here: method == POST and form is valid. username casing - # has been sanitized. Store if a user was found by email. We should - # not reveal if the operation was successful then as we don't want to - # leak if an email address exists in the system. - found_by_email = '@' in fp_form.username.data - - if found_by_email: - user = User.query.filter_by( - email=fp_form.username.data).first() - # Don't reveal success in case the lookup happened by email address. - success_message = _("If that email address (case sensitive!) is " - "registered an email has been sent with " - "instructions on how to change your password.") - - else: # found by username - user = User.query.filter_by( - username=fp_form.username.data).first() - - if user is None: - messages.add_message(request, - messages.WARNING, - _("Couldn't find someone with that username.")) - return redirect(request, 'mediagoblin.auth.forgot_password') - - success_message = _("An email has been sent with instructions " - "on how to change your password.") - - if user and not(user.email_verified and user.status == 'active'): - # Don't send reminder because user is inactive or has no verified email - messages.add_message(request, - messages.WARNING, - _("Could not send password recovery email as your username is in" - "active or your account's email address has not been verified.")) - - return redirect(request, 'mediagoblin.user_pages.user_home', - user=user.username) - - # SUCCESS. Send reminder and return to login page - if user: - user.fp_verification_key = unicode(uuid.uuid4()) - user.fp_token_expire = datetime.datetime.now() + \ - datetime.timedelta(days=10) - user.save() - - email_debug_message(request) - send_fp_verification_email(user, request) - - messages.add_message(request, messages.INFO, success_message) - return redirect(request, 'mediagoblin.auth.login') - - -def verify_forgot_password(request): - """ - Check the forgot-password verification and possibly let the user - change their password because of it. - """ - # get form data variables, and specifically check for presence of token - formdata = _process_for_token(request) - if not formdata['has_userid_and_token']: - return render_404(request) - - formdata_token = formdata['vars']['token'] - formdata_userid = formdata['vars']['userid'] - formdata_vars = formdata['vars'] - - # check if it's a valid user id - user = User.query.filter_by(id=formdata_userid).first() - if not user: - return render_404(request) - - # check if we have a real user and correct token - if ((user and user.fp_verification_key and - user.fp_verification_key == unicode(formdata_token) and - datetime.datetime.now() < user.fp_token_expire - and user.email_verified and user.status == 'active')): - - cp_form = auth_forms.ChangePassForm(formdata_vars) - - if request.method == 'POST' and cp_form.validate(): - user.pw_hash = auth_lib.bcrypt_gen_password_hash( - cp_form.password.data) - user.fp_verification_key = None - user.fp_token_expire = None - user.save() - - messages.add_message( - request, - messages.INFO, - _("You can now log in using your new password.")) - return redirect(request, 'mediagoblin.auth.login') - else: - return render_to_response( - request, - 'mediagoblin/plugins/basic_auth/change_fp.html', - {'cp_form': cp_form}) - - # in case there is a valid id but no user with that id in the db - # or the token expired - else: - return render_404(request) - - -def _process_for_token(request): - """ - Checks for tokens in formdata without prior knowledge of request method - - For now, returns whether the userid and token formdata variables exist, and - the formdata variables in a hash. Perhaps an object is warranted? - """ - # retrieve the formdata variables - if request.method == 'GET': - formdata_vars = request.GET - else: - formdata_vars = request.form - - formdata = { - 'vars': formdata_vars, - 'has_userid_and_token': - 'userid' in formdata_vars and 'token' in formdata_vars} - - return formdata diff --git a/mediagoblin/templates/mediagoblin/auth/forgot_password.html b/mediagoblin/templates/mediagoblin/auth/forgot_password.html index 6a74e2a2..a6c9e1e9 100644 --- a/mediagoblin/templates/mediagoblin/auth/forgot_password.html +++ b/mediagoblin/templates/mediagoblin/auth/forgot_password.html @@ -24,7 +24,7 @@ {%- endblock %} {% block mediagoblin_content %} -
{{ csrf_token }}
diff --git a/mediagoblin/templates/mediagoblin/auth/login.html b/mediagoblin/templates/mediagoblin/auth/login.html index 6ec5d343..2adbe547 100644 --- a/mediagoblin/templates/mediagoblin/auth/login.html +++ b/mediagoblin/templates/mediagoblin/auth/login.html @@ -46,10 +46,12 @@

{% endif %} {{ wtforms_util.render_divs(login_form) }} + {% if pass_auth %}

{% trans %}Forgot your password?{% endtrans %}

+ {% endif %}
diff --git a/mediagoblin/tests/auth_configs/basic_auth_appconfig.ini b/mediagoblin/tests/auth_configs/basic_auth_appconfig.ini deleted file mode 100644 index b8c246f4..00000000 --- a/mediagoblin/tests/auth_configs/basic_auth_appconfig.ini +++ /dev/null @@ -1,28 +0,0 @@ -[mediagoblin] -direct_remote_path = /test_static/ -email_sender_address = "notice@mediagoblin.example.org" -email_debug_mode = true -no_auth = false - -# TODO: Switch to using an in-memory database -sql_engine = "sqlite:///%(here)s/user_dev/mediagoblin.db" - -# Celery shouldn't be set up by the application as it's setup via -# mediagoblin.init.celery.from_celery -celery_setup_elsewhere = true - -[storage:publicstore] -base_dir = %(here)s/user_dev/media/public -base_url = /mgoblin_media/ - -[storage:queuestore] -base_dir = %(here)s/user_dev/media/queue - -[celery] -CELERY_ALWAYS_EAGER = true -CELERY_RESULT_DBURI = "sqlite:///%(here)s/user_dev/celery.db" -BROKER_HOST = "sqlite:///%(here)s/user_dev/kombu.db" - -[plugins] -[[mediagoblin.plugins.basic_auth]] - diff --git a/mediagoblin/tests/basic_auth_appconfig.ini b/mediagoblin/tests/basic_auth_appconfig.ini deleted file mode 100644 index b15ae1fb..00000000 --- a/mediagoblin/tests/basic_auth_appconfig.ini +++ /dev/null @@ -1,28 +0,0 @@ -[mediagoblin] -direct_remote_path = /test_static/ -email_sender_address = "notice@mediagoblin.example.org" -email_debug_mode = true -no_auth = false - -# TODO: Switch to using an in-memory database -sql_engine = "sqlite:///%(here)s/test_user_dev/mediagoblin.db" - -# Celery shouldn't be set up by the application as it's setup via -# mediagoblin.init.celery.from_celery -celery_setup_elsewhere = true - -[storage:publicstore] -base_dir = %(here)s/test_user_dev/media/public -base_url = /mgoblin_media/ - -[storage:queuestore] -base_dir = %(here)s/test_user_dev/media/queue - -[celery] -CELERY_ALWAYS_EAGER = true -CELERY_RESULT_DBURI = "sqlite:///%(here)s/test_user_dev/celery.db" -BROKER_HOST = "sqlite:///%(here)s/test_user_dev/kombu.db" - -[plugins] -[[mediagoblin.plugins.basic_auth]] - diff --git a/mediagoblin/tests/test_auth.py b/mediagoblin/tests/test_auth.py index c67d523f..ee916c43 100644 --- a/mediagoblin/tests/test_auth.py +++ b/mediagoblin/tests/test_auth.py @@ -13,9 +13,10 @@ # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . +import urlparse +import datetime import pkg_resources import pytest -import urlparse from mediagoblin import mg_globals from mediagoblin.db.models import User @@ -172,6 +173,86 @@ def test_register_views(test_app): ## TODO: Also check for double instances of an email address? + ### Oops, forgot the password + # ------------------- + template.clear_test_template_context() + response = test_app.post( + '/auth/forgot_password/', + {'username': u'happygirl'}) + response.follow() + + ## Did we redirect to the proper page? Use the right template? + assert urlparse.urlsplit(response.location)[2] == '/auth/login/' + assert 'mediagoblin/auth/login.html' in template.TEMPLATE_TEST_CONTEXT + + ## Make sure link to change password is sent by email + assert len(mail.EMAIL_TEST_INBOX) == 1 + message = mail.EMAIL_TEST_INBOX.pop() + assert message['To'] == 'happygrrl@example.org' + email_context = template.TEMPLATE_TEST_CONTEXT[ + 'mediagoblin/auth/fp_verification_email.txt'] + #TODO - change the name of verification_url to something forgot-password-ish + assert email_context['verification_url'] in message.get_payload(decode=True) + + path = urlparse.urlsplit(email_context['verification_url'])[2] + get_params = urlparse.urlsplit(email_context['verification_url'])[3] + assert path == u'/auth/forgot_password/verify/' + parsed_get_params = urlparse.parse_qs(get_params) + + # user should have matching parameters + new_user = mg_globals.database.User.find_one({'username': u'happygirl'}) + assert parsed_get_params['userid'] == [unicode(new_user.id)] + assert parsed_get_params['token'] == [new_user.fp_verification_key] + + ### The forgotten password token should be set to expire in ~ 10 days + # A few ticks have expired so there are only 9 full days left... + assert (new_user.fp_token_expire - datetime.datetime.now()).days == 9 + + ## Try using a bs password-changing verification key, shouldn't work + template.clear_test_template_context() + response = test_app.get( + "/auth/forgot_password/verify/?userid=%s&token=total_bs" % unicode( + new_user.id), status=404) + assert response.status.split()[0] == u'404' # status="404 NOT FOUND" + + ## Try using an expired token to change password, shouldn't work + template.clear_test_template_context() + new_user = mg_globals.database.User.find_one({'username': u'happygirl'}) + real_token_expiration = new_user.fp_token_expire + new_user.fp_token_expire = datetime.datetime.now() + new_user.save() + response = test_app.get("%s?%s" % (path, get_params), status=404) + assert response.status.split()[0] == u'404' # status="404 NOT FOUND" + new_user.fp_token_expire = real_token_expiration + new_user.save() + + ## Verify step 1 of password-change works -- can see form to change password + template.clear_test_template_context() + response = test_app.get("%s?%s" % (path, get_params)) + assert 'mediagoblin/auth/change_fp.html' in template.TEMPLATE_TEST_CONTEXT + + ## Verify step 2.1 of password-change works -- report success to user + template.clear_test_template_context() + response = test_app.post( + '/auth/forgot_password/verify/', { + 'userid': parsed_get_params['userid'], + 'password': 'iamveryveryhappy', + 'token': parsed_get_params['token']}) + response.follow() + assert 'mediagoblin/auth/login.html' in template.TEMPLATE_TEST_CONTEXT + + ## Verify step 2.2 of password-change works -- login w/ new password success + template.clear_test_template_context() + response = test_app.post( + '/auth/login/', { + 'username': u'happygirl', + 'password': 'iamveryveryhappy'}) + + # User should be redirected + response.follow() + assert urlparse.urlsplit(response.location)[2] == '/' + assert 'mediagoblin/root.html' in template.TEMPLATE_TEST_CONTEXT + def test_authentication_views(test_app): """ @@ -325,3 +406,12 @@ def test_no_auth_true_no_auth_plugin_app(no_auth_true_no_auth_plugin_app): ## Test check_login should return False assert auth.check_login('test', 'simple') is False + + # Try to visit the forgot password page + template.clear_test_template_context() + response = no_auth_true_no_auth_plugin_app.get('/auth/register/') + response.follow() + + # Correct redirect? + assert urlparse.urlsplit(response.location)[2] == '/' + assert 'mediagoblin/root.html' in template.TEMPLATE_TEST_CONTEXT diff --git a/mediagoblin/tests/test_basic_auth.py b/mediagoblin/tests/test_basic_auth.py index a985c315..1b76aa3f 100644 --- a/mediagoblin/tests/test_basic_auth.py +++ b/mediagoblin/tests/test_basic_auth.py @@ -13,15 +13,7 @@ # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . -import urlparse -import datetime -import pkg_resources -import pytest - from mediagoblin.plugins.basic_auth import lib as auth_lib -from mediagoblin import mg_globals -from mediagoblin.tools import template, mail -from mediagoblin.tests.tools import get_app, fixture_add_user from mediagoblin.tools.testing import _activate_testing _activate_testing() @@ -65,102 +57,3 @@ def test_bcrypt_gen_password_hash(): pw, hashed_pw, '3><7R45417') assert not auth_lib.bcrypt_check_password( 'notthepassword', hashed_pw, '3><7R45417') - - -@pytest.fixture() -def context_modified_app(request): - return get_app( - request, - mgoblin_config=pkg_resources.resource_filename( - 'mediagoblin.tests.auth_configs', 'basic_auth_appconfig.ini')) - - -def test_fp_view(context_modified_app): - ### Oops, forgot the password - ## Register a user - fixture_add_user(active_user=True) - - # ------------------- - template.clear_test_template_context() - response = context_modified_app.post( - '/auth/forgot_password/', - {'username': u'chris'}) - response.follow() - - ## Did we redirect to the proper page? Use the right template? - assert urlparse.urlsplit(response.location)[2] == '/auth/login/' - assert 'mediagoblin/auth/login.html' in template.TEMPLATE_TEST_CONTEXT - - ## Make sure link to change password is sent by email - assert len(mail.EMAIL_TEST_INBOX) == 1 - message = mail.EMAIL_TEST_INBOX.pop() - assert message['To'] == 'chris@example.com' - email_context = template.TEMPLATE_TEST_CONTEXT[ - 'mediagoblin/auth/fp_verification_email.txt'] - #TODO - change the name of verification_url to something - # forgot-password-ish - assert email_context['verification_url'] in \ - message.get_payload(decode=True) - - path = urlparse.urlsplit(email_context['verification_url'])[2] - get_params = urlparse.urlsplit(email_context['verification_url'])[3] - assert path == u'/auth/forgot_password/verify/' - parsed_get_params = urlparse.parse_qs(get_params) - - # user should have matching parameters - new_user = mg_globals.database.User.find_one({'username': u'chris'}) - assert parsed_get_params['userid'] == [unicode(new_user.id)] - assert parsed_get_params['token'] == [new_user.fp_verification_key] - - ### The forgotten password token should be set to expire in ~ 10 days - # A few ticks have expired so there are only 9 full days left... - assert (new_user.fp_token_expire - datetime.datetime.now()).days == 9 - - ## Try using a bs password-changing verification key, shouldn't work - template.clear_test_template_context() - response = context_modified_app.get( - "/auth/forgot_password/verify/?userid=%s&token=total_bs" % unicode( - new_user.id), status=404) - assert response.status.split()[0] == u'404' # status="404 NOT FOUND" - - ## Try using an expired token to change password, shouldn't work - template.clear_test_template_context() - new_user = mg_globals.database.User.find_one({'username': u'chris'}) - real_token_expiration = new_user.fp_token_expire - new_user.fp_token_expire = datetime.datetime.now() - new_user.save() - response = context_modified_app.get("%s?%s" % (path, get_params), - status=404) - assert response.status.split()[0] == u'404' # status="404 NOT FOUND" - new_user.fp_token_expire = real_token_expiration - new_user.save() - - ## Verify step 1 of password-change works -- can see form to - ## change password - template.clear_test_template_context() - response = context_modified_app.get("%s?%s" % (path, get_params)) - assert 'mediagoblin/plugins/basic_auth/change_fp.html' \ - in template.TEMPLATE_TEST_CONTEXT - - ## Verify step 2.1 of password-change works -- report success to user - template.clear_test_template_context() - response = context_modified_app.post( - '/auth/forgot_password/verify/', { - 'userid': parsed_get_params['userid'], - 'password': 'iamveryveryhappy', - 'token': parsed_get_params['token']}) - response.follow() - assert 'mediagoblin/auth/login.html' in template.TEMPLATE_TEST_CONTEXT - - ## Verify step 2.2 of password-change works -- login w/ new password - ## success - template.clear_test_template_context() - response = context_modified_app.post( - '/auth/login/', { - 'username': u'chris', - 'password': 'iamveryveryhappy'}) - - # User should be redirected - response.follow() - assert urlparse.urlsplit(response.location)[2] == '/' - assert 'mediagoblin/root.html' in template.TEMPLATE_TEST_CONTEXT -- 2.25.1