bellingcat/auto-archiver-api
1
0
Fork 0
mirror of https://github.com/bellingcat/auto-archiver-api.git synced 2026-06-08 03:28:35 +03:00
Code Issues Packages Projects Releases Wiki Activity

missing tests for security

Browse Source
This commit is contained in:
msramalho
2024-11-05 11:41:07 +00:00
parent 46a3cbc003
commit 2209b09a9a
2 changed files with 25 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
src/tests/web/test_security.py
View File

@@ -36,8 +36,26 @@ async def test_get_token_or_user_auth_with_user():
@pytest.mark.asyncio
async def test_get_user_auth(m1):
from web.security import get_user_auth
bad_user = HTTPAuthorizationCredentials(scheme="ipsum", credentials="valid-and-good")
assert await get_user_auth(bad_user) == "summer@example.com"
good_user = HTTPAuthorizationCredentials(scheme="ipsum", credentials="valid-and-good")
assert await get_user_auth(good_user) == "summer@example.com"
@patch("web.security.authenticate_user", return_value=(True, "summer@example.com"))
@pytest.mark.asyncio
async def test_get_active_user_auth_inactive(m1, db_session):
from web.security import get_active_user_auth
# inactive at first
creds = HTTPAuthorizationCredentials(scheme="ipsum", credentials="valid-and-good")
with pytest.raises(HTTPException):
await get_active_user_auth(creds)
from db import models
db_session.add(models.User(email="summer@example.com", is_active=True))
db_session.commit()
assert await get_active_user_auth(creds) == "summer@example.com"
@patch("web.security.secure_compare", return_value=False)

13
src/web/security.py
View File

@@ -58,14 +58,11 @@ async def get_user_auth(credentials: HTTPAuthorizationCredentials = Depends(bear
async def get_active_user_auth(credentials: HTTPAuthorizationCredentials = Depends(bearer_security)):
# validates Bearer token and Active User status
try:
email = await get_user_auth(credentials)
with get_db() as db:
if crud.is_active_user(db, email):
return email
raise HTTPException(status_code=403, detail="User is not active")
except HTTPException as e:
raise e
email = await get_user_auth(credentials)
with get_db() as db:
if crud.is_active_user(db, email):
return email
raise HTTPException(status_code=403, detail="User is not active")
def authenticate_user(access_token):