Authorisierung #22

Merged
weeman merged 1 commits from feature-auth into main 2021-06-28 18:12:30 +02:00
7 changed files with 82 additions and 74 deletions


@ -1,3 +1,5 @@
--- ---
peter: peter:
password: geheim password: geheim
klaus:
password: jutta
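Review bot: The new `klaus` entry stores its password in clear text next to the existing `peter` / `password: geheim` pair, so every credential in this file is readable by anyone with repository access. If this file is only a development and test fixture, a comment at its top stating that (`# dev/test users only - not for deployment`) would make the intent explicit; if it also backs non-development logins, the values should be password hashes rather than clear text. The file's path and purpose are not visible on this page, so which of the two applies cannot be decided from here.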


@ -81,4 +81,9 @@ def seed(dev: bool):
peter_fr = ProfileLanguage(profile=peters_profile, language_id="fr", level=3) peter_fr = ProfileLanguage(profile=peters_profile, language_id="fr", level=3)
db.session.add(peter_fr) db.session.add(peter_fr)
logging.info("seeding klaus :D")
klaus = User(auth_id="klaus")
db.session.add(klaus)
db.session.commit() db.session.commit()
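Review bot: The new `klaus` user is created with `User(auth_id="klaus")` only, so unlike `peter` it gets no profile or languages; that is fine for a second login used in authorisation tests, but a one-line comment such as `# klaus has no profile: second login used by the authorisation tests` would record the intent. The log line `logging.info("seeding klaus :D")` reads as a leftover; `logging.info("seeding user klaus")` is more useful in a log. `seed(dev: bool)` starts outside the hunk, so it cannot be checked here whether this block sits under the `dev` guard; a fixed-password test user should only be seeded when `dev` is true.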


@ -124,10 +124,14 @@ def get_user_profile(user_id):
@app.route("/users/<user_id>/profile", methods=["POST"]) @app.route("/users/<user_id>/profile", methods=["POST"])
@token_auth @token_auth
def update_profile(user_id): def update_profile(user_id):
if g.user.id != int(user_id):
return make_response({}, 403)
Review

Ist das nicht mehr ein Fall für einen 400er? Die Berechtigungen sind ja da, der Request war aber "falsch" grübel

Ist das nicht mehr ein Fall für einen 400er? Die Berechtigungen sind ja da, der Request war aber "falsch" *grübel*
Review

¯\_(ツ)_/¯ kann man sich drüber unterhalten.

Die Berechtigung wäre "Ich darf dieses Profil bearbeiten". Das ist hier mM nicht gegeben. 400 wäre für mich eher so die Daten waren Gulasch. Z.B. für spätere Validierungen.

¯\\\_(ツ)_/¯ kann man sich drüber unterhalten. Die Berechtigung wäre "Ich darf dieses Profil bearbeiten". Das ist hier mM nicht gegeben. 400 wäre für mich eher so die Daten waren Gulasch. Z.B. für spätere Validierungen.
return update_profile_handler(int(user_id)) return update_profile_handler(int(user_id))
@app.route("/skills") @app.route("/skills")
@token_auth
def get_skills(): def get_skills():
return handle_completion_request(Skill, "skills") return handle_completion_request(Skill, "skills")
@ -139,6 +143,7 @@ def get_skill_icon(skill_id):
@app.route("/languages") @app.route("/languages")
@token_auth
def get_languages(): def get_languages():
return handle_completion_request(Language, "languages") return handle_completion_request(Language, "languages")
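Review bot: `int(user_id)` in the new guard on `update_profile` raises `ValueError` for a non-numeric path segment, which surfaces as a 500 instead of a client error, because the route `/users/<user_id>/profile` hands the handler any string. Declaring the converter in the route fixes this at the routing layer: `@app.route("/users/<int:user_id>/profile", methods=["POST"])`, then `if g.user.id != user_id:` and `return update_profile_handler(user_id)`, so a non-numeric id is rejected before the handler runs. Separately, `/skills` and `/languages` are now behind `@token_auth`, while `test_skills_options` later on this page still sends `OPTIONS /skills` without an Authorization header and expects 200; confirm that `token_auth` lets preflight requests through, since its implementation is not visible here.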

35
ki/test/ApiTest.py Normal file

@ -0,0 +1,35 @@
from alembic import command
import json
import unittest
from app import app, db, migrate
from ki.actions import seed
class ApiTest(unittest.TestCase):
maxDiff = None
def setUp(self):
app.debug = True
app.config["TESTING"] = True
app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite:///:memory:"
self.client = app.test_client()
with app.app_context():
config = migrate.get_config()
command.upgrade(config, "head")
seed(True)
def tearDown(self):
db.drop_all()
db.engine.dispose()
def login(self, username, password):
login_data = {"username": username, "password": password}
login_response = self.client.post("/users/login", data=json.dumps(login_data), content_type="application/json")
self.assertEqual(login_response.status_code, 200)
self.assertIn("token", login_response.json)
return login_response.json
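Review bot: `ApiTest.login` asserts a 200 status and the presence of `token` inside the helper, so it can only express a successful login; the negative tests in `TestLoginEndpoint` and `TestProfileEndpoint` on this page therefore repeat the login POST inline. Splitting the request from the assertions keeps one place that knows the login URL and content type and lets callers assert whatever status they expect. `tearDown` calls `db.drop_all()` and `db.engine.dispose()` without the `app.app_context()` that `setUp` needed for the migration; whether that works depends on the Flask-SQLAlchemy version, which is not visible here. A module docstring stating that `ApiTest` is the shared base class (in-memory SQLite, migrated and seeded per test, `login` helper) would help the next reader.
```python
    # … unchanged: setUp / tearDown …

    def post_login(self, username, password):
        # Issue the login request without asserting on it; callers check the status.
        login_data = {"username": username, "password": password}
        return self.client.post("/users/login", data=json.dumps(login_data), content_type="application/json")

    def login(self, username, password):
        # Successful-login helper: asserts 200 and a token, returns the JSON body.
        login_response = self.post_login(username, password)
        self.assertEqual(login_response.status_code, 200)
        self.assertIn("token", login_response.json)
        return login_response.json
```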


@ -1,42 +1,25 @@
from alembic import command
import json import json
import unittest import unittest
from app import app, db, migrate from ki.test.ApiTest import ApiTest
from ki.actions import seed
class TestLoginEndpoint(unittest.TestCase): class TestLoginEndpoint(ApiTest):
def setUp(self):
app.debug = True
app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite:///:memory:"
self.client = app.test_client()
with app.app_context():
config = migrate.get_config()
command.upgrade(config, "head")
seed(True)
def tearDown(self):
db.drop_all()
db.engine.dispose()
def test_login(self): def test_login(self):
response1_data = self.login() response1_data = self.login("peter", "geheim")
response2_data = self.login() response2_data = self.login("peter", "geheim")
self.assertNotEqual(response1_data["token"], response2_data["token"]) self.assertNotEqual(response1_data["token"], response2_data["token"])
def login(self): def test_login_wrong_credentails(self):
response = self.client.post("/users/login", login_data = {"username": "peter", "password": "123456"}
data=json.dumps({ login_response = self.client.post("/users/login", data=json.dumps(login_data), content_type="application/json")
"username": "peter", self.assertEqual(login_response.status_code, 403)
"password": "geheim"
}), def test_login_unknown_user(self):
content_type="application/json") login_data = {"username": "karl", "password": "123456"}
self.assertEqual(response.status_code, 200) login_response = self.client.post("/users/login", data=json.dumps(login_data), content_type="application/json")
self.assertIn("token", response.json) self.assertEqual(login_response.status_code, 403)
return response.json
if __name__ == "main": if __name__ == "main":
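Review bot: The new test method `test_login_wrong_credentails` has a typo in its name; rename it to `test_login_wrong_credentials` before anything else refers to it. Both new negative tests build the login POST by hand (`login_data = ...` plus `self.client.post("/users/login", ...)`) because `ApiTest.login` asserts a 200 and cannot be used for a failing login; a helper on `ApiTest` that returns the raw response would remove the duplication here and in `TestProfileEndpoint`. The unchanged guard `if __name__ == "main":` on the last line compares against `"main"` rather than `"__main__"`, so the block under it (outside this hunk) never runs when the file is executed directly; this predates the commit but is on the new side.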


@ -1,38 +1,31 @@
from alembic import command
import unittest import unittest
import json import json
from app import app, db, migrate from app import app
from ki.actions import seed
from ki.models import User from ki.models import User
from ki.test.ApiTest import ApiTest
class TestProfileEndpoint(unittest.TestCase): class TestProfileEndpoint(ApiTest):
maxDiff = None maxDiff = None
def setUp(self): def test_update_profile_unauthorised(self):
app.debug = True login_data = {"username": "klaus", "password": "jutta"}
app.config["TESTING"] = True
app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite:///:memory:"
self.client = app.test_client()
with app.app_context():
config = migrate.get_config()
command.upgrade(config, "head")
seed(True)
def tearDown(self):
db.drop_all()
db.engine.dispose()
def test_update_profile(self):
login_data = {"username": "peter", "password": "geheim"}
login_response = self.client.post("/users/login", data=json.dumps(login_data), content_type="application/json") login_response = self.client.post("/users/login", data=json.dumps(login_data), content_type="application/json")
self.assertEqual(login_response.status_code, 200) self.assertEqual(login_response.status_code, 200)
self.assertIn("token", login_response.json) self.assertIn("token", login_response.json)
response = self.client.post("/users/1/profile",
data=json.dumps({}),
content_type="application/json",
headers={"Authorization": "Bearer " + login_response.json["token"]})
self.assertEqual(response.status_code, 403)
def test_update_profile(self):
token = self.login("peter", "geheim")["token"]
data = { data = {
"pronouns": "Monsieur", "pronouns": "Monsieur",
"volunteerwork": "ja", "volunteerwork": "ja",
@ -90,7 +83,7 @@ class TestProfileEndpoint(unittest.TestCase):
response = self.client.post("/users/1/profile", response = self.client.post("/users/1/profile",
data=json.dumps(data), data=json.dumps(data),
content_type="application/json", content_type="application/json",
headers={"Authorization": "Bearer " + login_response.json["token"]}) headers={"Authorization": "Bearer " + token})
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
with app.app_context(): with app.app_context():
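Review bot: `test_update_profile_unauthorised` logs klaus in by hand (`login_data = ...`, the POST and the two asserts that follow) although the base class now provides exactly that; `token = self.login("klaus", "jutta")["token"]` followed by `headers={"Authorization": "Bearer " + token}` mirrors what `test_update_profile` already does and reduces the test to the part that matters. The test also hard-codes `/users/1/profile` as peter's profile, which relies on the insertion order in `seed()`; a comment such as `# user 1 is peter (seeded first); klaus must not be able to edit it` records that assumption. The expected 403 matches the guard added to `update_profile` in this PR.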


@ -1,26 +1,9 @@
from alembic import command
import unittest import unittest
from app import app, db, migrate from ki.test.ApiTest import ApiTest
from ki.actions import seed
class TestSkillsEndpoint(unittest.TestCase): class TestSkillsEndpoint(ApiTest):
def setUp(self):
app.debug = True
app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite:///:memory:"
self.client = app.test_client()
with app.app_context():
config = migrate.get_config()
command.upgrade(config, "head")
seed(True)
def tearDown(self):
db.drop_all()
db.engine.dispose()
def test_skills_options(self): def test_skills_options(self):
response = self.client.options("/skills") response = self.client.options("/skills")
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
@ -28,7 +11,9 @@ class TestSkillsEndpoint(unittest.TestCase):
self.assertEqual(response.headers["Access-Control-Allow-Origin"], "*") self.assertEqual(response.headers["Access-Control-Allow-Origin"], "*")
def test_get_skills1(self): def test_get_skills1(self):
response = self.client.get("/skills?search=p") token = self.login("peter", "geheim")["token"]
response = self.client.get("/skills?search=p", headers={"Authorization": "Bearer " + token})
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
self.assertEqual( self.assertEqual(
{ {