1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
|
"""
test_change_username
~~~~~~~~~~~~~~~~~~~~
Change username tests
:copyright: (c) 2025-2025 by J. Christopher Wagner (jwag).
:license: MIT, see LICENSE for more details.
"""
import pytest
from flask import Flask
import markupsafe
from flask_security import UsernameUtil, UserMixin, username_changed
from flask_security.forms import _default_field_labels
from flask_security.utils import localize_callback
from tests.test_utils import (
authenticate,
check_location,
check_xlation,
get_form_input_value,
init_app_with_options,
is_authenticated,
logout,
)
pytestmark = pytest.mark.change_username()
@pytest.mark.settings(
post_change_username_view="/post_change_username", username_enable=True
)
def test_cu(app, clients, get_message):
recorded = []
@username_changed.connect_via(app)
def on_username_changed(app, user, old_username):
assert isinstance(app, Flask)
assert isinstance(user, UserMixin)
recorded.append((user, old_username))
authenticate(clients)
# Test change view
response = clients.get("/change-username", follow_redirects=True)
assert b"Change Username" in response.data
# test length validation
response = clients.post(
"/change-username",
data={"username": "me"},
follow_redirects=True,
)
assert get_message("USERNAME_INVALID_LENGTH", min=4, max=32) in response.data
# Test successful submit sends email notification
response = clients.post(
"/change-username",
data={"username": "memynewusername"},
follow_redirects=True,
)
outbox = app.mail.outbox
assert get_message("USERNAME_CHANGE") in response.data
assert b"Post Change Username" in response.data
assert len(recorded) == 1
assert len(outbox) == 1
assert "Your username has been changed" in outbox[0].body
response = clients.get("/change-username", follow_redirects=True)
assert b"memynewusername" in response.data
# authenticate with new username
logout(clients)
clients.post("/login", data=dict(username="memynewusername", password="password"))
assert is_authenticated(clients, get_message)
# Test same as previous
response = clients.post(
"/change-username",
data={"username": "memynewusername"},
follow_redirects=True,
)
assert (
get_message("USERNAME_ALREADY_ASSOCIATED", username="memynewusername")
in response.data
)
# since username isn't required - change it to nothing
response = clients.post(
"/change-username",
data={"username": ""},
follow_redirects=True,
)
outbox = app.mail.outbox
assert get_message("USERNAME_CHANGE") in response.data
assert b"Post Change Username" in response.data
assert len(recorded) == 2
assert len(outbox) == 2
assert "Your username has been changed" in outbox[1].body
# shouldn't be able to log in with username
logout(clients)
clients.post("/login", data=dict(username="memynewusername", password="password"))
assert not is_authenticated(clients, get_message)
@pytest.mark.settings(
post_change_username_view="/post_change_username", username_enable=True
)
def test_cu_json(app, clients, get_message):
# Test JSON
recorded = []
@username_changed.connect_via(app)
def on_username_changed(app, user, old_username):
recorded.append((user, old_username))
response = clients.get("/change-username", content_type="application/json")
assert response.status_code == 401
authenticate(clients)
response = clients.get("/change-username", content_type="application/json")
assert response.json["response"]["current_username"] == "matt"
response = clients.post("/change-username", json={"username": "memyjsonusername"})
assert response.status_code == 200
assert response.headers["Content-Type"] == "application/json"
assert len(recorded) == 1
user, old = recorded[0]
assert old == "matt"
# Test JSON errors
response = clients.post("/change-username", json={"username": "my"})
assert response.status_code == 400
assert response.json["response"]["field_errors"]["username"] == [
"Username must be at least 4 characters and less than 32 characters"
]
# authenticate with old username
logout(clients)
clients.post("/login", json=dict(username="matt", password="password"))
assert not is_authenticated(clients, get_message)
# authenticate with new username
logout(clients)
clients.post("/login", json=dict(username="memyjsonusername", password="password"))
assert is_authenticated(clients, get_message)
@pytest.mark.settings(username_enable=True, username_required=True)
def test_cu_required(app, client, get_message):
client.post("/login", json=dict(username="matt", password="password"))
response = client.post("/change-username", json={"username": ""})
assert (
get_message("USERNAME_NOT_PROVIDED")
== response.json["response"]["field_errors"]["username"][0].encode()
)
@pytest.mark.app_settings(babel_default_locale="fr_FR")
@pytest.mark.babel()
def test_xlation(app, client, get_message_local):
pytest.skip()
# Test form and email translation
assert check_xlation(app, "fr_FR"), "You must run python setup.py compile_catalog"
authenticate(client)
response = client.get("/change", follow_redirects=True)
with app.test_request_context():
# Check header
assert (
f'<h1>{localize_callback("Change password")}</h1>'.encode() in response.data
)
submit = localize_callback(_default_field_labels["change_password"])
assert f'value="{submit}"'.encode() in response.data
response = client.post(
"/change",
data={
"password": "password",
"new_password": "new strong password",
"new_password_confirm": "new strong password",
},
follow_redirects=True,
)
outbox = app.mail.outbox
with app.test_request_context():
assert get_message_local("PASSWORD_CHANGE").encode("utf-8") in response.data
assert b"Home Page" in response.data
assert len(outbox) == 1
assert (
localize_callback(
app.config["SECURITY_EMAIL_SUBJECT_PASSWORD_CHANGE_NOTICE"]
)
in outbox[0].subject
)
assert (
str(markupsafe.escape(localize_callback("Your password has been changed.")))
in outbox[0].alternatives[0][0]
)
assert localize_callback("Your password has been changed") in outbox[0].body
@pytest.mark.settings(change_username_url="/custom-change-username")
def test_custom_change_url(client):
authenticate(client)
response = client.get("/custom-change-username")
assert response.status_code == 200
assert b"Change Username" in response.data
@pytest.mark.settings(change_username_template="custom_security/change_username.html")
def test_custom_change_template(client):
authenticate(client)
response = client.get("/change-username")
assert b"CUSTOM CHANGE USERNAME" in response.data
@pytest.mark.settings(send_username_change_email=False)
def test_disable_change_emails(app, client):
authenticate(client)
response = client.post(
"/change-username",
json={"username": "mynewusername"},
follow_redirects=True,
)
assert response.status_code == 200
assert not app.mail.outbox
@pytest.mark.settings(post_change_username_view="/profile")
def test_custom_post_change_view(client):
authenticate(client)
response = client.post(
"/change-username",
data={"username": "mynewusername"},
follow_redirects=True,
)
assert b"Profile Page" in response.data
def test_my_validator(app, sqlalchemy_datastore):
class MyUsernameUtil(UsernameUtil):
def check_username(self, username):
if username == "nowayjose":
return "Are you crazy?"
init_app_with_options(
app,
sqlalchemy_datastore,
**{"security_args": {"username_util_cls": MyUsernameUtil}},
)
tcl = app.test_client()
authenticate(tcl)
response = tcl.post("/change-username", json=dict(username="nowayjose"))
assert response.status_code == 400
assert "Are you crazy" in response.json["response"]["errors"][0]
@pytest.mark.settings(username_enable=True)
def test_username_normalize(app, client):
"""Verify that can log in with both original and normalized username"""
authenticate(client)
response = client.post(
"/change-username", json=dict(username="newusername\N{ROMAN NUMERAL ONE}")
)
assert response.status_code == 200
logout(client)
# use original typed-in username
response = client.post(
"/login",
json=dict(username="newusername\N{ROMAN NUMERAL ONE}", password="password"),
)
assert response.status_code == 200
logout(client)
# try with normalized username
response = client.post(
"/login",
json=dict(
username="newusername\N{LATIN CAPITAL LETTER I}",
password="password",
),
)
assert response.status_code == 200
@pytest.mark.settings(username_normalize_form=None, username_enable=True)
def test_username_no_normalize(app, client):
"""Verify that can log in with original but not normalized if have
disabled normalization
"""
authenticate(client)
response = client.post(
"/change-username", json=dict(username="newusername\N{ROMAN NUMERAL ONE}")
)
assert response.status_code == 200
logout(client)
# try with normalized password - should fail
response = client.post(
"/login",
json=dict(
username="newusername\N{LATIN CAPITAL LETTER I}", password="password"
),
)
assert response.status_code == 400
# use original typed-in username
response = client.post(
"/login",
json=dict(username="newusername\N{ROMAN NUMERAL ONE}", password="password"),
)
assert response.status_code == 200
@pytest.mark.csrf(ignore_unauth=True)
@pytest.mark.settings(post_change_username_view="/post_change_username_view")
def test_csrf(app, client):
# enable CSRF, make sure template shows CSRF errors.
authenticate(client)
data = {
"username": "mynewusername",
}
response = client.post("/change-username", data=data)
assert b"The CSRF token is missing" in response.data
# Note that we get a CSRF token EVEN for errors - this seems odd
# but can't find anything that says its a security issue
csrf_token = get_form_input_value(response, "csrf_token")
data["csrf_token"] = csrf_token
response = client.post("/change-username", data=data)
assert check_location(app, response.location, "/post_change_username_view")
@pytest.mark.csrf(ignore_unauth=True, csrfprotect=True)
def test_csrf_json(app, client):
# This tests the handle_csrf code path - especially the JSON code path
# that should return a JSON response!
authenticate(client)
response = client.post("/change-username", json=dict(username="mynewusername"))
assert response.status_code == 400
assert response.json["response"]["errors"][0] == "The CSRF token is missing."
response = client.get("/change-username", content_type="application/json")
csrf_token = response.json["response"]["csrf_token"]
response = client.post(
"/change-username",
json=dict(username="mynewusername"),
headers={"X-CSRF-Token": csrf_token},
)
assert response.status_code == 200
|
