Hash authentication tokens before storing in the database.
This commit is contained in:
@@ -78,6 +78,8 @@ class AuthenticationTests(AbstractPillarTest):
|
||||
|
||||
from pillar.api.utils import authentication as auth
|
||||
|
||||
self.enter_app_context()
|
||||
|
||||
user_id = self.create_user()
|
||||
|
||||
now = datetime.datetime.now(tz_util.utc)
|
||||
@@ -85,10 +87,15 @@ class AuthenticationTests(AbstractPillarTest):
|
||||
past = now - datetime.timedelta(days=1)
|
||||
subclient = self.app.config['BLENDER_ID_SUBCLIENT_ID']
|
||||
|
||||
with self.app.test_request_context():
|
||||
auth.store_token(user_id, 'nonexpired-main', future, None)
|
||||
auth.store_token(user_id, 'nonexpired-sub', future, subclient)
|
||||
token3 = auth.store_token(user_id, 'expired-sub', past, subclient)
|
||||
auth.store_token(user_id, 'nonexpired-main', future, None)
|
||||
auth.store_token(user_id, 'nonexpired-sub', future, subclient)
|
||||
token3 = auth.store_token(user_id, 'expired-sub', past, subclient)
|
||||
|
||||
# We should not find the given tokens as unhashed tokens.
|
||||
tokens_coll = self.app.db('tokens')
|
||||
self.assertIsNone(tokens_coll.find_one({'token': 'nonespired-main'}))
|
||||
self.assertIsNone(tokens_coll.find_one({'token': 'nonespired-sub'}))
|
||||
self.assertIsNone(tokens_coll.find_one({'token': 'expired-sub'}))
|
||||
|
||||
with self.app.test_request_context(
|
||||
headers={'Authorization': self.make_header('nonexpired-main')}):
|
||||
@@ -172,19 +179,19 @@ class AuthenticationTests(AbstractPillarTest):
|
||||
with self.app.test_request_context():
|
||||
from pillar.api.utils import authentication as auth
|
||||
|
||||
auth.store_token(user_id, 'long-expired',
|
||||
now - datetime.timedelta(days=365), None)
|
||||
auth.store_token(user_id, 'short-expired',
|
||||
now - datetime.timedelta(seconds=5), None)
|
||||
auth.store_token(user_id, 'not-expired',
|
||||
now + datetime.timedelta(days=1), None)
|
||||
tokdat_le = auth.store_token(user_id, 'long-expired',
|
||||
now - datetime.timedelta(days=365), None)
|
||||
tokdat_se = auth.store_token(user_id, 'short-expired',
|
||||
now - datetime.timedelta(seconds=5), None)
|
||||
tokdat_ne = auth.store_token(user_id, 'not-expired',
|
||||
now + datetime.timedelta(days=1), None)
|
||||
|
||||
# Validation should clean up old tokens.
|
||||
auth.validate_this_token('je', 'moeder')
|
||||
|
||||
token_coll = self.app.data.driver.db['tokens']
|
||||
self.assertEqual({'short-expired', 'not-expired'},
|
||||
{item['token'] for item in token_coll.find()})
|
||||
self.assertEqual({tokdat_se['token_hashed'], tokdat_ne['token_hashed']},
|
||||
{item['token_hashed'] for item in token_coll.find()})
|
||||
|
||||
|
||||
class UserListTests(AbstractPillarTest):
|
||||
@@ -703,7 +710,6 @@ class UserCreationTest(AbstractPillarTest):
|
||||
|
||||
|
||||
class CurrentUserTest(AbstractPillarTest):
|
||||
|
||||
def test_current_user_logged_in(self):
|
||||
self.enter_app_context()
|
||||
|
||||
|
||||
@@ -42,6 +42,8 @@ class BlenderIdSubclientTest(AbstractPillarTest):
|
||||
|
||||
@responses.activate
|
||||
def test_store_multiple_tokens(self):
|
||||
from pillar.api.utils.authentication import hash_auth_token
|
||||
|
||||
scst1 = '%s-1' % TEST_SUBCLIENT_TOKEN
|
||||
scst2 = '%s-2' % TEST_SUBCLIENT_TOKEN
|
||||
db_user1 = self._common_user_test(201, scst=scst1)
|
||||
@@ -51,8 +53,10 @@ class BlenderIdSubclientTest(AbstractPillarTest):
|
||||
# Now there should be two tokens.
|
||||
with self.app.test_request_context():
|
||||
tokens = self.app.data.driver.db['tokens']
|
||||
self.assertIsNotNone(tokens.find_one({'user': db_user1['_id'], 'token': scst1}))
|
||||
self.assertIsNotNone(tokens.find_one({'user': db_user1['_id'], 'token': scst2}))
|
||||
self.assertIsNotNone(tokens.find_one(
|
||||
{'user': db_user1['_id'], 'token_hashed': hash_auth_token(scst1)}))
|
||||
self.assertIsNotNone(tokens.find_one(
|
||||
{'user': db_user1['_id'], 'token_hashed': hash_auth_token(scst2)}))
|
||||
|
||||
# There should still be only one auth element for blender-id in the user doc.
|
||||
self.assertEqual(1, len(db_user1['auth']))
|
||||
@@ -76,6 +80,8 @@ class BlenderIdSubclientTest(AbstractPillarTest):
|
||||
def _common_user_test(self, expected_status_code, scst=TEST_SUBCLIENT_TOKEN,
|
||||
expected_full_name=TEST_FULL_NAME,
|
||||
mock_happy_blender_id=True):
|
||||
from pillar.api.utils.authentication import hash_auth_token
|
||||
|
||||
if mock_happy_blender_id:
|
||||
self.mock_blenderid_validate_happy()
|
||||
|
||||
@@ -104,7 +110,7 @@ class BlenderIdSubclientTest(AbstractPillarTest):
|
||||
# Check that the token was succesfully stored.
|
||||
tokens = self.app.data.driver.db['tokens']
|
||||
db_token = tokens.find_one({'user': db_user['_id'],
|
||||
'token': scst})
|
||||
'token_hashed': hash_auth_token(scst)})
|
||||
self.assertIsNotNone(db_token)
|
||||
|
||||
return db_user
|
||||
|
||||
@@ -38,6 +38,8 @@ class LocalAuthTest(AbstractPillarTest):
|
||||
self.assertEqual(200, resp.status_code, resp.data)
|
||||
|
||||
def test_login_expired_token(self):
|
||||
from pillar.api.utils.authentication import hash_auth_token
|
||||
|
||||
user_id = self.create_test_user()
|
||||
|
||||
resp = self.client.post('/api/auth/make-token',
|
||||
@@ -52,7 +54,7 @@ class LocalAuthTest(AbstractPillarTest):
|
||||
tokens = self.app.data.driver.db['tokens']
|
||||
|
||||
exp = datetime.datetime.now(tz=tz_util.utc) - datetime.timedelta(1)
|
||||
result = tokens.update_one({'token': token},
|
||||
result = tokens.update_one({'token_hashed': hash_auth_token(token)},
|
||||
{'$set': {'expire_time': exp}})
|
||||
self.assertEqual(1, result.modified_count)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user