diff --git a/dj_rest_auth/tests/test_api.py b/dj_rest_auth/tests/test_api.py
index a8c2048..c9141d9 100644
--- a/dj_rest_auth/tests/test_api.py
+++ b/dj_rest_auth/tests/test_api.py
@@ -671,6 +671,47 @@ class APIBasicTests(TestsMixin, TestCase):
         self.assertEquals(resp.status_code, 200)
 
+    @override_settings(REST_USE_JWT=True)
+    @override_settings(JWT_AUTH_COOKIE='jwt-auth')
+    @override_settings(JWT_AUTH_COOKIE_USE_CSRF=False)
+    @override_settings(JWT_AUTH_COOKIE_ENFORCE_CSRF_ON_UNAUTHENTICATED=False)
+    @override_settings(REST_FRAMEWORK=dict(
+        DEFAULT_AUTHENTICATION_CLASSES=[
+            'dj_rest_auth.jwt_auth.JWTCookieAuthentication'
+        ]
+    ))
+    @override_settings(REST_SESSION_LOGIN=False)
+    @override_settings(CSRF_COOKIE_SECURE =True)
+    @override_settings(CSRF_COOKIE_HTTPONLY =True)
+    def test_wo_csrf_enforcement(self):
+        from .mixins import APIClient
+        payload = {
+            "username": self.USERNAME,
+            "password": self.PASS
+        }
+        client = APIClient(enforce_csrf_checks=True)
+        get_user_model().objects.create_user(self.USERNAME, '', self.PASS)
+
+        resp = client.post(self.login_url, payload)
+        self.assertTrue('jwt-auth' in list(client.cookies.keys()))
+        self.assertEquals(resp.status_code, 200)
+
+        ## TEST WITH JWT AUTH HEADER
+        jwtclient = APIClient(enforce_csrf_checks=True)
+        token = resp.data['access_token']
+        resp = jwtclient.get('/protected-view/', HTTP_AUTHORIZATION='Bearer '+token)
+        self.assertEquals(resp.status_code, 200)
+        resp = jwtclient.post('/protected-view/', {}, HTTP_AUTHORIZATION='Bearer '+token)
+        self.assertEquals(resp.status_code, 200)
+
+        ## TEST WITH COOKIES
+        resp = client.get('/protected-view/')
+        self.assertEquals(resp.status_code, 200)
+
+        resp = client.post('/protected-view/', {})
+        self.assertEquals(resp.status_code, 200)
+
+
 
     @override_settings(REST_USE_JWT=True)
     @override_settings(JWT_AUTH_COOKIE='jwt-auth')
     @override_settings(JWT_AUTH_COOKIE_USE_CSRF=True)
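Review bot: test_wo_csrf_enforcement has no docstring and its name does not say what it pins: with JWT_AUTH_COOKIE_USE_CSRF=False a POST to /protected-view/ authenticated only by the jwt-auth cookie is accepted with no CSRF token at all (the final `self.assertEquals(resp.status_code, 200)`), i.e. this is the CSRF-unprotected cookie mode, in contrast to the JWT_AUTH_COOKIE_USE_CSRF=True test whose decorators follow it. I would add `"""Cookie JWT auth with CSRF disabled: a POST carrying only the auth cookie and no CSRF token must succeed."""` under the `def`, and a one-line comment that `enforce_csrf_checks=True` on the client is what makes that last assertion meaningful. Style: `assertEquals` is a deprecated alias of `assertEqual`, and `self.assertTrue('jwt-auth' in list(client.cookies.keys()))` reads better as `self.assertIn('jwt-auth', client.cookies)`; the same applies to the second and third hunks. `CSRF_COOKIE_SECURE =True` and `CSRF_COOKIE_HTTPONLY =True` carry a stray space before `=`.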
@@ -713,6 +754,8 @@ class APIBasicTests(TestsMixin, TestCase):
         self.assertEquals(resp.status_code, 200)
 
         ## TEST WITH COOKIES
+        resp = client.get('/protected-view/')
+        self.assertEquals(resp.status_code, 200)
         #fail w/o csrftoken in payload
         resp = client.post('/protected-view/', {})
         self.assertEquals(resp.status_code, 403)
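Review bot: The two added lines assert that a cookie-authenticated GET succeeds, but nothing says why that check belongs in a CSRF-enforcement test; GET is a safe method and is not subject to the CSRF check, so the 200 only proves the jwt-auth cookie authenticates, while the 403 on the POST that follows is the actual enforcement check. I would precede the new lines with `# GET is a safe method (no CSRF check): 200 proves the auth cookie is accepted; enforcement is asserted on the POST below`. The enclosing test method starts outside the hunk.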
@@ -759,6 +802,56 @@ class APIBasicTests(TestsMixin, TestCase):
         ## TEST WITH JWT AUTH HEADER does not make sense
 
         ## TEST WITH COOKIES
+        resp = client.get('/protected-view/')
+        self.assertEquals(resp.status_code, 200)
+        #fail w/o csrftoken in payload
+        resp = client.post('/protected-view/', {})
+        self.assertEquals(resp.status_code, 403)
+
+        csrfparam = {"csrfmiddlewaretoken": csrftoken}
+        resp = client.post('/protected-view/', csrfparam)
+        self.assertEquals(resp.status_code, 200)
+
+
+    @override_settings(REST_USE_JWT=True)
+    @override_settings(JWT_AUTH_COOKIE='jwt-auth')
+    @override_settings(JWT_AUTH_COOKIE_USE_CSRF=False)
+    @override_settings(JWT_AUTH_COOKIE_ENFORCE_CSRF_ON_UNAUTHENTICATED=True) #True at your own risk
+    @override_settings(REST_FRAMEWORK=dict(
+        DEFAULT_AUTHENTICATION_CLASSES=[
+            'dj_rest_auth.jwt_auth.JWTCookieAuthentication'
+        ]
+    ))
+    @override_settings(REST_SESSION_LOGIN=False)
+    @override_settings(CSRF_COOKIE_SECURE =True)
+    @override_settings(CSRF_COOKIE_HTTPONLY =True)
+    def test_csrf_w_login_csrf_enforcement_2(self):
+        from .mixins import APIClient
+        payload = {
+            "username": self.USERNAME,
+            "password": self.PASS
+        }
+        client = APIClient(enforce_csrf_checks=True)
+        get_user_model().objects.create_user(self.USERNAME, '', self.PASS)
+
+        response = client.get(reverse("getcsrf"))
+        csrftoken = client.cookies['csrftoken'].value
+
+        #fail w/o csrftoken in payload
+        resp = client.post(self.login_url, payload)
+        self.assertEquals(resp.status_code, 403)
+
+        payload['csrfmiddlewaretoken'] = csrftoken
+        resp = client.post(self.login_url, payload)
+        self.assertTrue('jwt-auth' in list(client.cookies.keys()))
+        self.assertTrue('csrftoken' in list(client.cookies.keys()))
+        self.assertEquals(resp.status_code, 200)
+
+        ## TEST WITH JWT AUTH HEADER does not make sense
+
+        ## TEST WITH COOKIES
+        resp = client.get('/protected-view/')
+        self.assertEquals(resp.status_code, 200)
         #fail w/o csrftoken in payload
         resp = client.post('/protected-view/', {})
self.assertEquals(resp.status_code, 403)
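Review bot: In test_csrf_w_login_csrf_enforcement_2, `response = client.get(reverse("getcsrf"))` is assigned and never read, and the token is then taken from `client.cookies['csrftoken'].value`, which fails with a bare KeyError if the view did not set the cookie; `self.assertIn('csrftoken', client.cookies)` before that read gives a clear failure. Because the test overrides CSRF_COOKIE_HTTPONLY=True, a browser client could not read that cookie from script, so if the getcsrf response carries the token in its body (I cannot tell from the hunk), asserting on the body would exercise the path a real client has to use instead of the test client's cookie jar. The `#True at your own risk` comment on JWT_AUTH_COOKIE_ENFORCE_CSRF_ON_UNAUTHENTICATED does not say what the risk is; the hunk shows the observable effect — the unauthenticated login POST is rejected with 403 until csrfmiddlewaretoken is supplied — and a docstring on the test stating that clients must obtain the CSRF cookie before logging in under this setting would replace it. The first block of added lines extends the previous test, whose `def` and `csrftoken` binding are outside the hunk.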