import datetime
from django.contrib.auth import get_user_model
from django.urls import reverse
from django.utils import timezone
from oauth2_provider.models import get_access_token_model, get_application_model
from .common_testing import OAuth2ProviderTestCase as TestCase
# Resolve the configurable model classes once at import time so the tests run
# against whatever the project has wired up (e.g. AUTH_USER_MODEL) rather than
# hard-coding the library defaults.
Application, AccessToken, UserModel = (
    get_application_model(),
    get_access_token_model(),
    get_user_model(),
)
class TestAuthorizedTokenViews(TestCase):
    """
    Shared fixtures for the Authorized Token view test cases.

    Two users are created: ``foo_user``, who owns nothing, and ``bar_user``,
    who owns the confidential authorization-code ``application`` that tokens
    are issued against. Subclasses hold the actual tests.
    """

    @classmethod
    def setUpTestData(cls):
        # Class-level fixtures (assumed to follow Django's setUpTestData
        # semantics: built once per class, so tests must not mutate them).
        password = "123456"
        cls.foo_user = UserModel.objects.create_user("foo_user", "test@example.com", password)
        cls.bar_user = UserModel.objects.create_user("bar_user", "dev@example.com", password)

        # Plain-http redirect URIs are test-fixture values only.
        app_fields = dict(
            name="Test Application",
            redirect_uris="http://localhost http://example.com http://example.org",
            user=cls.bar_user,
            client_type=Application.CLIENT_CONFIDENTIAL,
            authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
        )
        cls.application = Application.objects.create(**app_fields)
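class TestAuthorizedTokenListView(TestAuthorizedTokenViews):
    """
    Tests for the Authorized Token ListView.

    The view must require authentication and must list only the tokens that
    belong to the logged-in user; tokens issued to other users are not shown.
    """

    def _create_token(self, user, token="1234567890"):
        """Create a one-day ``read write`` access token for *user* on the shared test application."""
        return AccessToken.objects.create(
            user=user,
            token=token,
            application=self.application,
            expires=timezone.now() + datetime.timedelta(days=1),
            scope="read write",
        )

    def test_list_view_authorization_required(self):
        """
        Test that the view redirects to the login page if the user is not logged in.
        """
        response = self.client.get(reverse("oauth2_provider:authorized-token-list"))
        self.assertEqual(response.status_code, 302)
        # assertIn gives a useful diff on failure; assertTrue(x in y) does not.
        self.assertIn("/accounts/login/?next=", response["Location"])

    def test_empty_list_view(self):
        """
        Test that when you have no tokens, an appropriate message is shown.
        """
        self.client.login(username="foo_user", password="123456")
        response = self.client.get(reverse("oauth2_provider:authorized-token-list"))
        self.assertEqual(response.status_code, 200)
        self.assertIn(b"There are no authorized tokens yet.", response.content)

    def test_list_view_one_token(self):
        """
        Test that the view shows your token (its scopes are rendered).
        """
        self.client.login(username="bar_user", password="123456")
        self._create_token(self.bar_user)
        response = self.client.get(reverse("oauth2_provider:authorized-token-list"))
        self.assertEqual(response.status_code, 200)
        self.assertIn(b"read", response.content)
        self.assertIn(b"write", response.content)
        self.assertNotIn(b"There are no authorized tokens yet.", response.content)

    def test_list_view_two_tokens(self):
        """
        Test that the view shows your tokens.
        """
        self.client.login(username="bar_user", password="123456")
        self._create_token(self.bar_user, token="1234567890")
        self._create_token(self.bar_user, token="0123456789")
        response = self.client.get(reverse("oauth2_provider:authorized-token-list"))
        self.assertEqual(response.status_code, 200)
        # NOTE(review): only the absence of the empty-state message is checked;
        # the rendered output for multiple tokens is not asserted here.
        self.assertNotIn(b"There are no authorized tokens yet.", response.content)

    def test_list_view_shows_correct_user_token(self):
        """
        Test that only the currently logged-in user's tokens are shown.
        """
        # Authorization boundary: bar_user logs in, but the only token belongs
        # to foo_user, so the list must be empty.
        self.client.login(username="bar_user", password="123456")
        self._create_token(self.foo_user)
        response = self.client.get(reverse("oauth2_provider:authorized-token-list"))
        self.assertEqual(response.status_code, 200)
        self.assertIn(b"There are no authorized tokens yet.", response.content)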
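class TestAuthorizedTokenDeleteView(TestAuthorizedTokenViews):
    """
    Tests for the Authorized Token DeleteView.

    Every test operates on a single token owned by ``foo_user`` (created in
    ``setUp``). The view must require authentication, and both GET and POST
    must answer 404 for a token that belongs to a different user, so that one
    user can never revoke another user's token.
    """

    def setUp(self):
        super().setUp()
        # Per-test fixture: the token every test in this class targets.
        self.token = AccessToken.objects.create(
            user=self.foo_user,
            token="1234567890",
            application=self.application,
            expires=timezone.now() + datetime.timedelta(days=1),
            scope="read write",
        )

    def _delete_url(self):
        """Return the delete-view URL for ``self.token``."""
        return reverse("oauth2_provider:authorized-token-delete", kwargs={"pk": self.token.pk})

    def test_delete_view_authorization_required(self):
        """
        Test that the view redirects to the login page if the user is not logged in.
        """
        response = self.client.get(self._delete_url())
        self.assertEqual(response.status_code, 302)
        # assertIn gives a useful diff on failure; assertTrue(x in y) does not.
        self.assertIn("/accounts/login/?next=", response["Location"])

    def test_delete_view_works(self):
        """
        Test that a GET on this view returns 200 if the token belongs to the logged-in user.
        """
        self.client.login(username="foo_user", password="123456")
        response = self.client.get(self._delete_url())
        self.assertEqual(response.status_code, 200)

    def test_delete_view_token_belongs_to_user(self):
        """
        Test that a 404 is returned when trying to GET this view with someone else's token.
        """
        self.client.login(username="bar_user", password="123456")
        response = self.client.get(self._delete_url())
        self.assertEqual(response.status_code, 404)

    def test_delete_view_post_actually_deletes(self):
        """
        Test that a POST on this view deletes the token if it belongs to the logged-in user.
        """
        self.client.login(username="foo_user", password="123456")
        response = self.client.post(self._delete_url())
        # The fixture token is the only one in the table, so it must be gone.
        self.assertFalse(AccessToken.objects.exists())
        self.assertRedirects(response, reverse("oauth2_provider:authorized-token-list"))

    def test_delete_view_only_deletes_user_own_token(self):
        """
        Test that a 404 is returned when trying to POST on this view with someone else's token.
        """
        self.client.login(username="bar_user", password="123456")
        response = self.client.post(self._delete_url())
        # The other user's token must survive the attempt.
        self.assertTrue(AccessToken.objects.exists())
        self.assertEqual(response.status_code, 404)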