Changeset - 9c2fc1390291
Parent rev.
Child rev.
[Not reviewed]
default
0 2 0
Mads Kiilerich - 7 years ago 2019-01-04 03:42:17
mads@kiilerich.com
tests: prepare for adding CSRF protection on login forms

CSRF is about avoiding abuse of credentials by doing things in existing
sessions. The login form does not have any previous credentials, so there is
nothing to abuse and no real need for CSRF protection. But there is still an
unauth session, so we *can* have CSRF protection.

CSRF protection is currently in LoginRequired (which obviously isn't
applied to the login form), but let's prepare for changing that.
2 files changed with 52 insertions and 26 deletions:
kallithea/tests/base.py
2
1
kallithea/tests/functional/test_login.py
50
25
0 comments (0 inline, 0 general)
kallithea/tests/base.py
Show inline comments
 
@@ -151,13 +151,14 @@ class TestController(object):
 

			




	
	
	
		
 
    def log_user(self, username=TEST_USER_ADMIN_LOGIN,

			




	
	
	
		
 
                 password=TEST_USER_ADMIN_PASS):

			




	
	
	
		
 
        self._logged_username = username

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='index'),

			




	
	
	
		
 
                                 {'username': username,

			




	
	
	
		
 
                                  'password': password})

			




	
	
	
		
 
                                  'password': password,

			




	
	
	
		
 
                                  '_authentication_token': self.authentication_token()})

			




	
	
	
		
 

			




	
	
	
		
 
        if 'Invalid username or password' in response.body:

			




	
	
	
		
 
            pytest.fail('could not login using %s %s' % (username, password))

			




	
	
	
		
 

			




	
	
	
		
 
        assert response.status == '302 Found'

			




	
	
	
		
 
        self.assert_authenticated_user(response, username)

			




        

    


    
    

    

        

                

                    kallithea/tests/functional/test_login.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -28,77 +28,84 @@ class TestLoginController(TestController

			




	
	
	
		
 
        assert response.status == '200 OK'

			




	
	
	
		
 
        # Test response...

			




	
	
	
		
 

			




	
	
	
		
 
    def test_login_admin_ok(self):

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='index'),

			




	
	
	
		
 
                                 {'username': TEST_USER_ADMIN_LOGIN,

			




	
	
	
		
 
                                  'password': TEST_USER_ADMIN_PASS})

			




	
	
	
		
 
                                  'password': TEST_USER_ADMIN_PASS,

			




	
	
	
		
 
                                  '_authentication_token': self.authentication_token()})

			




	
	
	
		
 
        assert response.status == '302 Found'

			




	
	
	
		
 
        self.assert_authenticated_user(response, TEST_USER_ADMIN_LOGIN)

			




	
	
	
		
 

			




	
	
	
		
 
        response = response.follow()

			




	
	
	
		
 
        response.mustcontain('/%s' % HG_REPO)

			




	
	
	
		
 

			




	
	
	
		
 
    def test_login_regular_ok(self):

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='index'),

			




	
	
	
		
 
                                 {'username': TEST_USER_REGULAR_LOGIN,

			




	
	
	
		
 
                                  'password': TEST_USER_REGULAR_PASS})

			




	
	
	
		
 
                                  'password': TEST_USER_REGULAR_PASS,

			




	
	
	
		
 
                                  '_authentication_token': self.authentication_token()})

			




	
	
	
		
 

			




	
	
	
		
 
        assert response.status == '302 Found'

			




	
	
	
		
 
        self.assert_authenticated_user(response, TEST_USER_REGULAR_LOGIN)

			




	
	
	
		
 

			




	
	
	
		
 
        response = response.follow()

			




	
	
	
		
 
        response.mustcontain('/%s' % HG_REPO)

			




	
	
	
		
 

			




	
	
	
		
 
    def test_login_regular_email_ok(self):

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='index'),

			




	
	
	
		
 
                                 {'username': TEST_USER_REGULAR_EMAIL,

			




	
	
	
		
 
                                  'password': TEST_USER_REGULAR_PASS})

			




	
	
	
		
 
                                  'password': TEST_USER_REGULAR_PASS,

			




	
	
	
		
 
                                  '_authentication_token': self.authentication_token()})

			




	
	
	
		
 

			




	
	
	
		
 
        assert response.status == '302 Found'

			




	
	
	
		
 
        self.assert_authenticated_user(response, TEST_USER_REGULAR_LOGIN)

			




	
	
	
		
 

			




	
	
	
		
 
        response = response.follow()

			




	
	
	
		
 
        response.mustcontain('/%s' % HG_REPO)

			




	
	
	
		
 

			




	
	
	
		
 
    def test_login_ok_came_from(self):

			




	
	
	
		
 
        test_came_from = '/_admin/users'

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='index',

			




	
	
	
		
 
                                     came_from=test_came_from),

			




	
	
	
		
 
                                 {'username': TEST_USER_ADMIN_LOGIN,

			




	
	
	
		
 
                                  'password': TEST_USER_ADMIN_PASS})

			




	
	
	
		
 
                                  'password': TEST_USER_ADMIN_PASS,

			




	
	
	
		
 
                                  '_authentication_token': self.authentication_token()})

			




	
	
	
		
 
        assert response.status == '302 Found'

			




	
	
	
		
 
        response = response.follow()

			




	
	
	
		
 

			




	
	
	
		
 
        assert response.status == '200 OK'

			




	
	
	
		
 
        response.mustcontain('Users Administration')

			




	
	
	
		
 

			




	
	
	
		
 
    def test_login_do_not_remember(self):

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='index'),

			




	
	
	
		
 
                                 {'username': TEST_USER_REGULAR_LOGIN,

			




	
	
	
		
 
                                  'password': TEST_USER_REGULAR_PASS,

			




	
	
	
		
 
                                  'remember': False})

			




	
	
	
		
 
                                  'remember': False,

			




	
	
	
		
 
                                  '_authentication_token': self.authentication_token()})

			




	
	
	
		
 

			




	
	
	
		
 
        assert 'Set-Cookie' in response.headers

			




	
	
	
		
 
        for cookie in response.headers.getall('Set-Cookie'):

			




	
	
	
		
 
            assert not re.search(r';\s+(Max-Age|Expires)=', cookie, re.IGNORECASE), 'Cookie %r has expiration date, but should be a session cookie' % cookie

			




	
	
	
		
 

			




	
	
	
		
 
    def test_login_remember(self):

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='index'),

			




	
	
	
		
 
                                 {'username': TEST_USER_REGULAR_LOGIN,

			




	
	
	
		
 
                                  'password': TEST_USER_REGULAR_PASS,

			




	
	
	
		
 
                                  'remember': True})

			




	
	
	
		
 
                                  'remember': True,

			




	
	
	
		
 
                                  '_authentication_token': self.authentication_token()})

			




	
	
	
		
 

			




	
	
	
		
 
        assert 'Set-Cookie' in response.headers

			




	
	
	
		
 
        for cookie in response.headers.getall('Set-Cookie'):

			




	
	
	
		
 
            assert re.search(r';\s+(Max-Age|Expires)=', cookie, re.IGNORECASE), 'Cookie %r should have expiration date, but is a session cookie' % cookie

			




	
	
	
		
 

			




	
	
	
		
 
    def test_logout(self):

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='index'),

			




	
	
	
		
 
                                 {'username': TEST_USER_REGULAR_LOGIN,

			




	
	
	
		
 
                                  'password': TEST_USER_REGULAR_PASS})

			




	
	
	
		
 
                                  'password': TEST_USER_REGULAR_PASS,

			




	
	
	
		
 
                                  '_authentication_token': self.authentication_token()})

			




	
	
	
		
 

			




	
	
	
		
 
        # Verify that a login session has been established.

			




	
	
	
		
 
        response = self.app.get(url(controller='login', action='index'))

			




	
	
	
		
 
        response = response.follow()

			




	
	
	
		
 
        assert 'authuser' in response.session

			




	
	
	
		
 

			




	
	
		
 
@@ -120,34 +127,38 @@ class TestLoginController(TestController

			




	
	
	
		
 
          ('non-absolute-path',),

			




	
	
	
		
 
    ])

			




	
	
	
		
 
    def test_login_bad_came_froms(self, url_came_from):

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='index',

			




	
	
	
		
 
                                     came_from=url_came_from),

			




	
	
	
		
 
                                 {'username': TEST_USER_ADMIN_LOGIN,

			




	
	
	
		
 
                                  'password': TEST_USER_ADMIN_PASS},

			




	
	
	
		
 
                                  'password': TEST_USER_ADMIN_PASS,

			




	
	
	
		
 
                                  '_authentication_token': self.authentication_token()},

			




	
	
	
		
 
                                 status=400)

			




	
	
	
		
 

			




	
	
	
		
 
    def test_login_short_password(self):

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='index'),

			




	
	
	
		
 
                                 {'username': TEST_USER_ADMIN_LOGIN,

			




	
	
	
		
 
                                  'password': 'as'})

			




	
	
	
		
 
                                  'password': 'as',

			




	
	
	
		
 
                                  '_authentication_token': self.authentication_token()})

			




	
	
	
		
 
        assert response.status == '200 OK'

			




	
	
	
		
 

			




	
	
	
		
 
        response.mustcontain('Enter 3 characters or more')

			




	
	
	
		
 

			




	
	
	
		
 
    def test_login_wrong_username_password(self):

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='index'),

			




	
	
	
		
 
                                 {'username': 'error',

			




	
	
	
		
 
                                  'password': 'test12'})

			




	
	
	
		
 
                                  'password': 'test12',

			




	
	
	
		
 
                                  '_authentication_token': self.authentication_token()})

			




	
	
	
		
 

			




	
	
	
		
 
        response.mustcontain('Invalid username or password')

			




	
	
	
		
 

			




	
	
	
		
 
    def test_login_non_ascii(self):

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='index'),

			




	
	
	
		
 
                                 {'username': TEST_USER_REGULAR_LOGIN,

			




	
	
	
		
 
                                  'password': 'blåbærgrød'})

			




	
	
	
		
 
                                  'password': 'blåbærgrød',

			




	
	
	
		
 
                                  '_authentication_token': self.authentication_token()})

			




	
	
	
		
 

			




	
	
	
		
 
        response.mustcontain('>Invalid username or password<')

			




	
	
	
		
 

			




	
	
	
		
 
    # verify that get arguments are correctly passed along login redirection

			




	
	
	
		
 

			




	
	
	
		
 
    @parametrize('args,args_encoded', [

			




	
	
		
 
@@ -184,13 +195,14 @@ class TestLoginController(TestController

			




	
	
	
		
 
             ('blue=bl%C3%A5', 'green=gr%C3%B8n')),

			




	
	
	
		
 
    ])

			




	
	
	
		
 
    def test_redirection_after_successful_login_preserves_get_args(self, args, args_encoded):

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='index',

			




	
	
	
		
 
                                     came_from=url('/_admin/users', **args)),

			




	
	
	
		
 
                                 {'username': TEST_USER_ADMIN_LOGIN,

			




	
	
	
		
 
                                  'password': TEST_USER_ADMIN_PASS})

			




	
	
	
		
 
                                  'password': TEST_USER_ADMIN_PASS,

			




	
	
	
		
 
                                  '_authentication_token': self.authentication_token()})

			




	
	
	
		
 
        assert response.status == '302 Found'

			




	
	
	
		
 
        for encoded in args_encoded:

			




	
	
	
		
 
            assert encoded in response.location

			




	
	
	
		
 

			




	
	
	
		
 
    @parametrize('args,args_encoded', [

			




	
	
	
		
 
        ({'foo':'one', 'bar':'two'}, ('foo=one', 'bar=two')),

			




	
	
		
 
@@ -198,13 +210,14 @@ class TestLoginController(TestController

			




	
	
	
		
 
             ('blue=bl%C3%A5', 'green=gr%C3%B8n')),

			




	
	
	
		
 
    ])

			




	
	
	
		
 
    def test_login_form_after_incorrect_login_preserves_get_args(self, args, args_encoded):

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='index',

			




	
	
	
		
 
                                     came_from=url('/_admin/users', **args)),

			




	
	
	
		
 
                                 {'username': 'error',

			




	
	
	
		
 
                                  'password': 'test12'})

			




	
	
	
		
 
                                  'password': 'test12',

			




	
	
	
		
 
                                  '_authentication_token': self.authentication_token()})

			




	
	
	
		
 

			




	
	
	
		
 
        response.mustcontain('Invalid username or password')

			




	
	
	
		
 
        came_from = urlparse.parse_qs(urlparse.urlparse(response.form.action).query)['came_from'][0]

			




	
	
	
		
 
        for encoded in args_encoded:

			




	
	
	
		
 
            assert encoded in came_from

			




	
	
	
		
 

			




	
	
		
 
@@ -220,13 +233,14 @@ class TestLoginController(TestController

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='register'),

			




	
	
	
		
 
                                            {'username': uname,

			




	
	
	
		
 
                                             'password': 'test12',

			




	
	
	
		
 
                                             'password_confirmation': 'test12',

			




	
	
	
		
 
                                             'email': 'goodmail@example.com',

			




	
	
	
		
 
                                             'firstname': 'test',

			




	
	
	
		
 
                                             'lastname': 'test'})

			




	
	
	
		
 
                                             'lastname': 'test',

			




	
	
	
		
 
                                             '_authentication_token': self.authentication_token()})

			




	
	
	
		
 

			




	
	
	
		
 
        with test_context(self.app):

			




	
	
	
		
 
            msg = validators.ValidUsername()._messages['username_exists']

			




	
	
	
		
 
        msg = h.html_escape(msg % {'username': uname})

			




	
	
	
		
 
        response.mustcontain(msg)

			




	
	
	
		
 

			




	
	
		
 
@@ -234,50 +248,54 @@ class TestLoginController(TestController

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='register'),

			




	
	
	
		
 
                                            {'username': 'test_admin_0',

			




	
	
	
		
 
                                             'password': 'test12',

			




	
	
	
		
 
                                             'password_confirmation': 'test12',

			




	
	
	
		
 
                                             'email': TEST_USER_ADMIN_EMAIL,

			




	
	
	
		
 
                                             'firstname': 'test',

			




	
	
	
		
 
                                             'lastname': 'test'})

			




	
	
	
		
 
                                             'lastname': 'test',

			




	
	
	
		
 
                                             '_authentication_token': self.authentication_token()})

			




	
	
	
		
 

			




	
	
	
		
 
        with test_context(self.app):

			




	
	
	
		
 
            msg = validators.UniqSystemEmail()()._messages['email_taken']

			




	
	
	
		
 
        response.mustcontain(msg)

			




	
	
	
		
 

			




	
	
	
		
 
    def test_register_err_same_email_case_sensitive(self):

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='register'),

			




	
	
	
		
 
                                            {'username': 'test_admin_1',

			




	
	
	
		
 
                                             'password': 'test12',

			




	
	
	
		
 
                                             'password_confirmation': 'test12',

			




	
	
	
		
 
                                             'email': TEST_USER_ADMIN_EMAIL.title(),

			




	
	
	
		
 
                                             'firstname': 'test',

			




	
	
	
		
 
                                             'lastname': 'test'})

			




	
	
	
		
 
                                             'lastname': 'test',

			




	
	
	
		
 
                                             '_authentication_token': self.authentication_token()})

			




	
	
	
		
 
        with test_context(self.app):

			




	
	
	
		
 
            msg = validators.UniqSystemEmail()()._messages['email_taken']

			




	
	
	
		
 
        response.mustcontain(msg)

			




	
	
	
		
 

			




	
	
	
		
 
    def test_register_err_wrong_data(self):

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='register'),

			




	
	
	
		
 
                                            {'username': 'xs',

			




	
	
	
		
 
                                             'password': 'test',

			




	
	
	
		
 
                                             'password_confirmation': 'test',

			




	
	
	
		
 
                                             'email': 'goodmailm',

			




	
	
	
		
 
                                             'firstname': 'test',

			




	
	
	
		
 
                                             'lastname': 'test'})

			




	
	
	
		
 
                                             'lastname': 'test',

			




	
	
	
		
 
                                             '_authentication_token': self.authentication_token()})

			




	
	
	
		
 
        assert response.status == '200 OK'

			




	
	
	
		
 
        response.mustcontain('An email address must contain a single @')

			




	
	
	
		
 
        response.mustcontain('Enter a value 6 characters long or more')

			




	
	
	
		
 

			




	
	
	
		
 
    def test_register_err_username(self):

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='register'),

			




	
	
	
		
 
                                            {'username': 'error user',

			




	
	
	
		
 
                                             'password': 'test12',

			




	
	
	
		
 
                                             'password_confirmation': 'test12',

			




	
	
	
		
 
                                             'email': 'goodmailm',

			




	
	
	
		
 
                                             'firstname': 'test',

			




	
	
	
		
 
                                             'lastname': 'test'})

			




	
	
	
		
 
                                             'lastname': 'test',

			




	
	
	
		
 
                                             '_authentication_token': self.authentication_token()})

			




	
	
	
		
 

			




	
	
	
		
 
        response.mustcontain('An email address must contain a single @')

			




	
	
	
		
 
        response.mustcontain('Username may only contain '

			




	
	
	
		
 
                'alphanumeric characters underscores, '

			




	
	
	
		
 
                'periods or dashes and must begin with an '

			




	
	
	
		
 
                'alphanumeric character')

			




	
	
		
 
@@ -287,13 +305,14 @@ class TestLoginController(TestController

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='register'),

			




	
	
	
		
 
                                            {'username': usr,

			




	
	
	
		
 
                                             'password': 'test12',

			




	
	
	
		
 
                                             'password_confirmation': 'test12',

			




	
	
	
		
 
                                             'email': 'goodmailm',

			




	
	
	
		
 
                                             'firstname': 'test',

			




	
	
	
		
 
                                             'lastname': 'test'})

			




	
	
	
		
 
                                             'lastname': 'test',

			




	
	
	
		
 
                                             '_authentication_token': self.authentication_token()})

			




	
	
	
		
 

			




	
	
	
		
 
        response.mustcontain('An email address must contain a single @')

			




	
	
	
		
 
        with test_context(self.app):

			




	
	
	
		
 
            msg = validators.ValidUsername()._messages['username_exists']

			




	
	
	
		
 
        msg = h.html_escape(msg % {'username': usr})

			




	
	
	
		
 
        response.mustcontain(msg)

			




	
	
		
 
@@ -302,26 +321,28 @@ class TestLoginController(TestController

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='register'),

			




	
	
	
		
 
                                        {'username': 'xxxaxn',

			




	
	
	
		
 
                                         'password': 'ąćźżąśśśś',

			




	
	
	
		
 
                                         'password_confirmation': 'ąćźżąśśśś',

			




	
	
	
		
 
                                         'email': 'goodmailm@test.plx',

			




	
	
	
		
 
                                         'firstname': 'test',

			




	
	
	
		
 
                                         'lastname': 'test'})

			




	
	
	
		
 
                                         'lastname': 'test',

			




	
	
	
		
 
                                         '_authentication_token': self.authentication_token()})

			




	
	
	
		
 

			




	
	
	
		
 
        with test_context(self.app):

			




	
	
	
		
 
            msg = validators.ValidPassword()._messages['invalid_password']

			




	
	
	
		
 
        response.mustcontain(msg)

			




	
	
	
		
 

			




	
	
	
		
 
    def test_register_password_mismatch(self):

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='register'),

			




	
	
	
		
 
                                            {'username': 'xs',

			




	
	
	
		
 
                                             'password': '123qwe',

			




	
	
	
		
 
                                             'password_confirmation': 'qwe123',

			




	
	
	
		
 
                                             'email': 'goodmailm@test.plxa',

			




	
	
	
		
 
                                             'firstname': 'test',

			




	
	
	
		
 
                                             'lastname': 'test'})

			




	
	
	
		
 
                                             'lastname': 'test',

			




	
	
	
		
 
                                             '_authentication_token': self.authentication_token()})

			




	
	
	
		
 
        with test_context(self.app):

			




	
	
	
		
 
            msg = validators.ValidPasswordsMatch('password', 'password_confirmation')._messages['password_mismatch']

			




	
	
	
		
 
        response.mustcontain(msg)

			




	
	
	
		
 

			




	
	
	
		
 
    def test_register_ok(self):

			




	
	
	
		
 
        username = 'test_regular4'

			




	
	
		
 
@@ -334,13 +355,14 @@ class TestLoginController(TestController

			




	
	
	
		
 
                                            {'username': username,

			




	
	
	
		
 
                                             'password': password,

			




	
	
	
		
 
                                             'password_confirmation': password,

			




	
	
	
		
 
                                             'email': email,

			




	
	
	
		
 
                                             'firstname': name,

			




	
	
	
		
 
                                             'lastname': lastname,

			




	
	
	
		
 
                                             'admin': True})  # This should be overridden

			




	
	
	
		
 
                                             'admin': True,

			




	
	
	
		
 
                                             '_authentication_token': self.authentication_token()})  # This should be overridden

			




	
	
	
		
 
        assert response.status == '302 Found'

			




	
	
	
		
 
        self.checkSessionFlash(response, 'You have successfully registered with Kallithea')

			




	
	
	
		
 

			




	
	
	
		
 
        ret = Session().query(User).filter(User.username == 'test_regular4').one()

			




	
	
	
		
 
        assert ret.username == username

			




	
	
	
		
 
        assert check_password(password, ret.password) == True

			




	
	
		
 
@@ -355,14 +377,14 @@ class TestLoginController(TestController

			




	
	
	
		
 
    #==========================================================================

			




	
	
	
		
 

			




	
	
	
		
 
    def test_forgot_password_wrong_mail(self):

			




	
	
	
		
 
        bad_email = 'username%wrongmail.org'

			




	
	
	
		
 
        response = self.app.post(

			




	
	
	
		
 
                        url(controller='login', action='password_reset'),

			




	
	
	
		
 
                            {'email': bad_email, }

			




	
	
	
		
 
        )

			




	
	
	
		
 
                            {'email': bad_email,

			




	
	
	
		
 
                             '_authentication_token': self.authentication_token()})

			




	
	
	
		
 

			




	
	
	
		
 
        response.mustcontain('An email address must contain a single @')

			




	
	
	
		
 

			




	
	
	
		
 
    def test_forgot_password(self):

			




	
	
	
		
 
        response = self.app.get(url(controller='login',

			




	
	
	
		
 
                                    action='password_reset'))

			




	
	
		
 
@@ -384,13 +406,14 @@ class TestLoginController(TestController

			




	
	
	
		
 
        new.api_key = generate_api_key()

			




	
	
	
		
 
        Session().add(new)

			




	
	
	
		
 
        Session().commit()

			




	
	
	
		
 

			




	
	
	
		
 
        response = self.app.post(url(controller='login',

			




	
	
	
		
 
                                     action='password_reset'),

			




	
	
	
		
 
                                 {'email': email, })

			




	
	
	
		
 
                                 {'email': email,

			




	
	
	
		
 
                                  '_authentication_token': self.authentication_token()})

			




	
	
	
		
 

			




	
	
	
		
 
        self.checkSessionFlash(response, 'A password reset confirmation code has been sent')

			




	
	
	
		
 

			




	
	
	
		
 
        response = response.follow()

			




	
	
	
		
 

			




	
	
	
		
 
        # BAD TOKEN

			




	
	
		
 
@@ -401,12 +424,13 @@ class TestLoginController(TestController

			




	
	
	
		
 
                                     action='password_reset_confirmation'),

			




	
	
	
		
 
                                 {'email': email,

			




	
	
	
		
 
                                  'timestamp': timestamp,

			




	
	
	
		
 
                                  'password': "p@ssw0rd",

			




	
	
	
		
 
                                  'password_confirm': "p@ssw0rd",

			




	
	
	
		
 
                                  'token': token,

			




	
	
	
		
 
                                  '_authentication_token': self.authentication_token(),

			




	
	
	
		
 
                                 })

			




	
	
	
		
 
        assert response.status == '200 OK'

			




	
	
	
		
 
        response.mustcontain('Invalid password reset token')

			




	
	
	
		
 

			




	
	
	
		
 
        # GOOD TOKEN

			




	
	
	
		
 

			




	
	
		
 
@@ -428,12 +452,13 @@ class TestLoginController(TestController

			




	
	
	
		
 
                                     action='password_reset_confirmation'),

			




	
	
	
		
 
                                 {'email': email,

			




	
	
	
		
 
                                  'timestamp': timestamp,

			




	
	
	
		
 
                                  'password': "p@ssw0rd",

			




	
	
	
		
 
                                  'password_confirm': "p@ssw0rd",

			




	
	
	
		
 
                                  'token': token,

			




	
	
	
		
 
                                  '_authentication_token': self.authentication_token(),

			




	
	
	
		
 
                                 })

			




	
	
	
		
 
        assert response.status == '302 Found'

			




	
	
	
		
 
        self.checkSessionFlash(response, 'Successfully updated password')

			




	
	
	
		
 

			




	
	
	
		
 
        response = response.follow()

			




	
	
	
		
 

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.