Update test_api.py

s'more tests for my sanity

dj_rest_auth/tests/test_api.py

@@ -671,6 +671,47 @@ class APIBasicTests(TestsMixin, TestCase):
         self.assertEquals(resp.status_code, 200)
 
 
+    @override_settings(REST_USE_JWT=True)
+    @override_settings(JWT_AUTH_COOKIE='jwt-auth')
+    @override_settings(JWT_AUTH_COOKIE_USE_CSRF=False)
+    @override_settings(JWT_AUTH_COOKIE_ENFORCE_CSRF_ON_UNAUTHENTICATED=False)
+    @override_settings(REST_FRAMEWORK=dict(
+        DEFAULT_AUTHENTICATION_CLASSES=[
+            'dj_rest_auth.jwt_auth.JWTCookieAuthentication'
+        ]
+    ))
+    @override_settings(REST_SESSION_LOGIN=False)
+    @override_settings(CSRF_COOKIE_SECURE =True)
+    @override_settings(CSRF_COOKIE_HTTPONLY =True)
+    def test_wo_csrf_enforcement(self): 
+        from .mixins import APIClient
+        payload = {
+            "username": self.USERNAME,
+            "password": self.PASS
+        }
+        client = APIClient(enforce_csrf_checks=True)
+        get_user_model().objects.create_user(self.USERNAME, '', self.PASS)
+        
+        resp = client.post(self.login_url, payload)
+        self.assertTrue('jwt-auth' in list(client.cookies.keys()))
+        self.assertEquals(resp.status_code, 200)
+
+        ## TEST WITH JWT AUTH HEADER
+        jwtclient = APIClient(enforce_csrf_checks=True)
+        token = resp.data['access_token']
+        resp = jwtclient.get('/protected-view/', HTTP_AUTHORIZATION='Bearer '+token)
+        self.assertEquals(resp.status_code, 200)
+        resp = jwtclient.post('/protected-view/', {}, HTTP_AUTHORIZATION='Bearer '+token)
+        self.assertEquals(resp.status_code, 200)
+
+        ## TEST WITH COOKIES
+        resp = client.get('/protected-view/')
+        self.assertEquals(resp.status_code, 200)
+
+        resp = client.post('/protected-view/', {})
+        self.assertEquals(resp.status_code, 200)
+
+
     @override_settings(REST_USE_JWT=True)
     @override_settings(JWT_AUTH_COOKIE='jwt-auth')
     @override_settings(JWT_AUTH_COOKIE_USE_CSRF=True)
@@ -713,6 +754,8 @@ class APIBasicTests(TestsMixin, TestCase):
         self.assertEquals(resp.status_code, 200)
 
         ## TEST WITH COOKIES
+        resp = client.get('/protected-view/')
+        self.assertEquals(resp.status_code, 200)
         #fail w/o csrftoken in payload
         resp = client.post('/protected-view/', {})
         self.assertEquals(resp.status_code, 403)
@@ -759,6 +802,56 @@ class APIBasicTests(TestsMixin, TestCase):
         ## TEST WITH JWT AUTH HEADER does not make sense 
 
         ## TEST WITH COOKIES
+        resp = client.get('/protected-view/')
+        self.assertEquals(resp.status_code, 200)
+        #fail w/o csrftoken in payload
+        resp = client.post('/protected-view/', {})
+        self.assertEquals(resp.status_code, 403)
+
+        csrfparam = {"csrfmiddlewaretoken": csrftoken}
+        resp = client.post('/protected-view/', csrfparam)
+        self.assertEquals(resp.status_code, 200)
+
+
+    @override_settings(REST_USE_JWT=True)
+    @override_settings(JWT_AUTH_COOKIE='jwt-auth')
+    @override_settings(JWT_AUTH_COOKIE_USE_CSRF=False)
+    @override_settings(JWT_AUTH_COOKIE_ENFORCE_CSRF_ON_UNAUTHENTICATED=True) #True at your own risk
+    @override_settings(REST_FRAMEWORK=dict(
+        DEFAULT_AUTHENTICATION_CLASSES=[
+            'dj_rest_auth.jwt_auth.JWTCookieAuthentication'
+        ]
+    ))
+    @override_settings(REST_SESSION_LOGIN=False)
+    @override_settings(CSRF_COOKIE_SECURE =True)
+    @override_settings(CSRF_COOKIE_HTTPONLY =True)
+    def test_csrf_w_login_csrf_enforcement_2(self): 
+        from .mixins import APIClient
+        payload = {
+            "username": self.USERNAME,
+            "password": self.PASS
+        }
+        client = APIClient(enforce_csrf_checks=True)
+        get_user_model().objects.create_user(self.USERNAME, '', self.PASS)
+        
+        response = client.get(reverse("getcsrf"))
+        csrftoken = client.cookies['csrftoken'].value
+        
+        #fail w/o csrftoken in payload
+        resp = client.post(self.login_url, payload)
+        self.assertEquals(resp.status_code, 403)
+
+        payload['csrfmiddlewaretoken'] = csrftoken
+        resp = client.post(self.login_url, payload)
+        self.assertTrue('jwt-auth' in list(client.cookies.keys()))
+        self.assertTrue('csrftoken' in list(client.cookies.keys()))
+        self.assertEquals(resp.status_code, 200)
+
+        ## TEST WITH JWT AUTH HEADER does not make sense 
+
+        ## TEST WITH COOKIES
+        resp = client.get('/protected-view/')
+        self.assertEquals(resp.status_code, 200)
         #fail w/o csrftoken in payload
         resp = client.post('/protected-view/', {})
         self.assertEquals(resp.status_code, 403)