Improve password handling in tests.

Run tests with a password set, which is more realistic. Add tests for a password not set or unusable.
aaugustin · Jun 6, 2020 · 9187013 · 9187013
1 parent 8a4ee62
commit 9187013
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 2 deletions.
diff --git a/tests/mixins.py b/tests/mixins.py
@@ -13,12 +13,16 @@ def setUp(self):
         super().setUp()
         self.user = self.create_user()
 
-    def create_user(self, username="john", **kwargs):
-        return get_user_model().objects.create(
+    def create_user(self, username="john", password="letmein", **kwargs):
+        User = get_user_model()
+        user = User(
             username=username,
             last_login=timezone.now() - datetime.timedelta(seconds=3600),
             **kwargs,
         )
+        user.set_password(password)
+        user.save()
+        return user
 
     @staticmethod
     def get_user(user_id):

diff --git a/tests/test_tokens_v1.py b/tests/test_tokens_v1.py
@@ -113,6 +113,16 @@ def test_one_time_token_invalidation_when_last_login_date_changes(self):
 
     # Test token invalidation on password change
 
+    def test_valid_token_when_user_has_no_password(self):
+        self.user.password = ""
+        self.user.save()
+        self.test_valid_token()
+
+    def test_valid_token_when_user_has_unusable_password(self):
+        self.user.set_unusable_password()
+        self.user.save()
+        self.test_valid_token()
+
     def test_invalid_token_after_password_change(self):
         token = create_token(self.user)
         self.user.set_password("hunter2")
@@ -151,6 +161,7 @@ def test_custom_packer_change(self):
 
     # Miscellaneous tests
 
+    @override_settings(SESAME_INVALIDATE_ON_PASSWORD_CHANGE=False)
     def test_naive_token_hijacking_fails(self):
         # The revocation key may be identical for two users:
         # - if SESAME_INVALIDATE_ON_PASSWORD_CHANGE is False or if they don't

diff --git a/tests/test_tokens_v2.py b/tests/test_tokens_v2.py
@@ -151,6 +151,16 @@ def test_one_time_token_invalidation_when_last_login_date_changes(self):
 
     # Test token invalidation on password change
 
+    def test_valid_token_when_user_has_no_password(self):
+        self.user.password = ""
+        self.user.save()
+        self.test_valid_token()
+
+    def test_valid_token_when_user_has_unusable_password(self):
+        self.user.set_unusable_password()
+        self.user.save()
+        self.test_valid_token()
+
     def test_invalid_token_after_password_change(self):
         token = create_token(self.user)
         self.user.set_password("hunter2")
@@ -262,6 +272,7 @@ def test_packer_confusion(self):
         self.assertEqual(user, None)
         self.assertLogsContain("Invalid token for user john")
 
+    @override_settings(SESAME_INVALIDATE_ON_PASSWORD_CHANGE=False)
     def test_naive_token_hijacking_fails(self):
         # The revocation key may be identical for two users:
         # - if SESAME_INVALIDATE_ON_PASSWORD_CHANGE is False or if they don't