django-rest-framework/djangorestframework/tests/authentication.py

from django.conf.urls.defaults import patterns
from django.contrib.auth.models import User
from django.test import Client, TestCase

from django.utils import simplejson as json
from django.http import HttpResponse

from djangorestframework.views import APIView
from djangorestframework import permissions

from djangorestframework.tokenauth.models import BasicToken
from djangorestframework.authentication import TokenAuthentication

import base64


class MockView(APIView):
    permission_classes = (permissions.IsAuthenticated,)

    def post(self, request):
        return HttpResponse({'a': 1, 'b': 2, 'c': 3})

    def put(self, request):
        return HttpResponse({'a': 1, 'b': 2, 'c': 3})

MockView.authentication += (TokenAuthentication,)

urlpatterns = patterns('',
    (r'^$', MockView.as_view()),
)


class BasicAuthTests(TestCase):
    """Basic authentication"""
    urls = 'djangorestframework.tests.authentication'

    def setUp(self):
        self.csrf_client = Client(enforce_csrf_checks=True)
        self.username = 'john'
        self.email = 'lennon@thebeatles.com'
        self.password = 'password'
        self.user = User.objects.create_user(self.username, self.email, self.password)

    def test_post_form_passing_basic_auth(self):
        """Ensure POSTing json over basic auth with correct credentials passes and does not require CSRF"""
        auth = 'Basic %s' % base64.encodestring('%s:%s' % (self.username, self.password)).strip()
        response = self.csrf_client.post('/', {'example': 'example'}, HTTP_AUTHORIZATION=auth)
        self.assertEqual(response.status_code, 200)

    def test_post_json_passing_basic_auth(self):
        """Ensure POSTing form over basic auth with correct credentials passes and does not require CSRF"""
        auth = 'Basic %s' % base64.encodestring('%s:%s' % (self.username, self.password)).strip()
        response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json', HTTP_AUTHORIZATION=auth)
        self.assertEqual(response.status_code, 200)

    def test_post_form_failing_basic_auth(self):
        """Ensure POSTing form over basic auth without correct credentials fails"""
        response = self.csrf_client.post('/', {'example': 'example'})
        self.assertEqual(response.status_code, 403)

    def test_post_json_failing_basic_auth(self):
        """Ensure POSTing json over basic auth without correct credentials fails"""
        response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json')
        self.assertEqual(response.status_code, 403)


class SessionAuthTests(TestCase):
    """User session authentication"""
    urls = 'djangorestframework.tests.authentication'

    def setUp(self):
        self.csrf_client = Client(enforce_csrf_checks=True)
        self.non_csrf_client = Client(enforce_csrf_checks=False)
        self.username = 'john'
        self.email = 'lennon@thebeatles.com'
        self.password = 'password'
        self.user = User.objects.create_user(self.username, self.email, self.password)

    def tearDown(self):
        self.csrf_client.logout()

    def test_post_form_session_auth_failing_csrf(self):
        """
        Ensure POSTing form over session authentication without CSRF token fails.
        """
        self.csrf_client.login(username=self.username, password=self.password)
        response = self.csrf_client.post('/', {'example': 'example'})
        self.assertEqual(response.status_code, 403)

    def test_post_form_session_auth_passing(self):
        """
        Ensure POSTing form over session authentication with logged in user and CSRF token passes.
        """
        self.non_csrf_client.login(username=self.username, password=self.password)
        response = self.non_csrf_client.post('/', {'example': 'example'})
        self.assertEqual(response.status_code, 200)

    def test_put_form_session_auth_passing(self):
        """
        Ensure PUTting form over session authentication with logged in user and CSRF token passes.
        """
        self.non_csrf_client.login(username=self.username, password=self.password)
        response = self.non_csrf_client.put('/', {'example': 'example'})
        self.assertEqual(response.status_code, 200)

    def test_post_form_session_auth_failing(self):
        """
        Ensure POSTing form over session authentication without logged in user fails.
        """
        response = self.csrf_client.post('/', {'example': 'example'})
        self.assertEqual(response.status_code, 403)


class TokenAuthTests(TestCase):
    """Token authentication"""
    urls = 'djangorestframework.tests.authentication'

    def setUp(self):
        self.csrf_client = Client(enforce_csrf_checks=True)
        self.username = 'john'
        self.email = 'lennon@thebeatles.com'
        self.password = 'password'
        self.user = User.objects.create_user(self.username, self.email, self.password)

        self.key = 'abcd1234'
        self.token = BasicToken.objects.create(key=self.key, user=self.user)

    def test_post_form_passing_token_auth(self):
        """Ensure POSTing json over token auth with correct credentials passes and does not require CSRF"""
        auth = self.key
        response = self.csrf_client.post('/', {'example': 'example'}, HTTP_AUTHORIZATION=auth)
        self.assertEqual(response.status_code, 200)

    def test_post_json_passing_token_auth(self):
        """Ensure POSTing form over token auth with correct credentials passes and does not require CSRF"""
        auth = self.key
        response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json', HTTP_AUTHORIZATION=auth)
        self.assertEqual(response.status_code, 200)

    def test_post_form_failing_token_auth(self):
        """Ensure POSTing form over token auth without correct credentials fails"""
        response = self.csrf_client.post('/', {'example': 'example'})
        self.assertEqual(response.status_code, 403)

    def test_post_json_failing_token_auth(self):
        """Ensure POSTing json over token auth without correct credentials fails"""
        response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json')
        self.assertEqual(response.status_code, 403)

    def test_token_has_auto_assigned_key_if_none_provided(self):
        """Ensure creating a token with no key will auto-assign a key"""
        token = BasicToken.objects.create(user=self.user)
        self.assertEqual(len(token.key), 32)
Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00			`from django.conf.urls.defaults import patterns`
			`from django.contrib.auth.models import User`
Fixes #35 - Import json from django's built-in package (Does cleverness in determing best lib to use) 2011-04-26 23:20:31 +04:00			`from django.test import Client, TestCase`
Urg. Fix broken merging. 2011-04-27 21:36:43 +04:00
Fix some compat issues with json/simplejson 2011-04-25 07:50:28 +04:00			`from django.utils import simplejson as json`
Response as a subclass of HttpResponse - first draft, not quite there yet. 2012-02-02 20:19:44 +04:00			`from django.http import HttpResponse`
Fix some compat issues with json/simplejson 2011-04-25 07:50:28 +04:00
View -> APIView 2012-09-03 19:54:17 +04:00			`from djangorestframework.views import APIView`
Fix up tests and examples after refactoring 2011-04-27 21:07:28 +04:00			`from djangorestframework import permissions`
Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00
Rename the default token class to "BasicToken" 2012-09-07 22:23:53 +04:00			`from djangorestframework.tokenauth.models import BasicToken`
Move TokenAuthentication class into djangorestframework.authentication 2012-09-08 00:12:33 +04:00			`from djangorestframework.authentication import TokenAuthentication`
Add a TokenAuthentication class in a sub-application 2012-09-07 20:53:39 +04:00
Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00			`import base64`
Fix some compat issues with json/simplejson 2011-04-25 07:50:28 +04:00
Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00
View -> APIView 2012-09-03 19:54:17 +04:00			`class MockView(APIView):`
Remove PermissionsMixin 2012-08-24 23:57:10 +04:00			`permission_classes = (permissions.IsAuthenticated,)`
Add test for PUT with session auth+csrf 2012-01-11 21:22:56 +04:00
depercate auth and content arguments to the request handler methods - yea :) 2011-04-11 20:13:11 +04:00			`def post(self, request):`
Response as a subclass of HttpResponse - first draft, not quite there yet. 2012-02-02 20:19:44 +04:00			`return HttpResponse({'a': 1, 'b': 2, 'c': 3})`
Add test for PUT with session auth+csrf 2012-01-11 21:22:56 +04:00
			`def put(self, request):`
Response as a subclass of HttpResponse - first draft, not quite there yet. 2012-02-02 20:19:44 +04:00			`return HttpResponse({'a': 1, 'b': 2, 'c': 3})`
Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00
Add a TokenAuthentication class in a sub-application 2012-09-07 20:53:39 +04:00			`MockView.authentication += (TokenAuthentication,)`

Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00			`urlpatterns = patterns('',`
Decouple views and resources 2011-05-04 12:21:17 +04:00			`(r'^$', MockView.as_view()),`
Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00			`)`


			`class BasicAuthTests(TestCase):`
			`"""Basic authentication"""`
			`urls = 'djangorestframework.tests.authentication'`

			`def setUp(self):`
			`self.csrf_client = Client(enforce_csrf_checks=True)`
			`self.username = 'john'`
			`self.email = 'lennon@thebeatles.com'`
			`self.password = 'password'`
whitespace fixes 2011-12-29 17:31:12 +04:00			`self.user = User.objects.create_user(self.username, self.email, self.password)`
Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00
			`def test_post_form_passing_basic_auth(self):`
			`"""Ensure POSTing json over basic auth with correct credentials passes and does not require CSRF"""`
			`auth = 'Basic %s' % base64.encodestring('%s:%s' % (self.username, self.password)).strip()`
			`response = self.csrf_client.post('/', {'example': 'example'}, HTTP_AUTHORIZATION=auth)`
			`self.assertEqual(response.status_code, 200)`

			`def test_post_json_passing_basic_auth(self):`
			`"""Ensure POSTing form over basic auth with correct credentials passes and does not require CSRF"""`
			`auth = 'Basic %s' % base64.encodestring('%s:%s' % (self.username, self.password)).strip()`
			`response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json', HTTP_AUTHORIZATION=auth)`
			`self.assertEqual(response.status_code, 200)`

			`def test_post_form_failing_basic_auth(self):`
			`"""Ensure POSTing form over basic auth without correct credentials fails"""`
			`response = self.csrf_client.post('/', {'example': 'example'})`
			`self.assertEqual(response.status_code, 403)`

			`def test_post_json_failing_basic_auth(self):`
			`"""Ensure POSTing json over basic auth without correct credentials fails"""`
			`response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json')`
			`self.assertEqual(response.status_code, 403)`


			`class SessionAuthTests(TestCase):`
			`"""User session authentication"""`
			`urls = 'djangorestframework.tests.authentication'`

			`def setUp(self):`
			`self.csrf_client = Client(enforce_csrf_checks=True)`
			`self.non_csrf_client = Client(enforce_csrf_checks=False)`
			`self.username = 'john'`
			`self.email = 'lennon@thebeatles.com'`
			`self.password = 'password'`
whitespace fixes 2011-12-29 17:31:12 +04:00			`self.user = User.objects.create_user(self.username, self.email, self.password)`
Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00
			`def tearDown(self):`
			`self.csrf_client.logout()`

			`def test_post_form_session_auth_failing_csrf(self):`
Docstring tidy up 2012-01-23 13:06:30 +04:00			`"""`
			`Ensure POSTing form over session authentication without CSRF token fails.`
			`"""`
Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00			`self.csrf_client.login(username=self.username, password=self.password)`
			`response = self.csrf_client.post('/', {'example': 'example'})`
			`self.assertEqual(response.status_code, 403)`

			`def test_post_form_session_auth_passing(self):`
Docstring tidy up 2012-01-23 13:06:30 +04:00			`"""`
			`Ensure POSTing form over session authentication with logged in user and CSRF token passes.`
			`"""`
Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00			`self.non_csrf_client.login(username=self.username, password=self.password)`
			`response = self.non_csrf_client.post('/', {'example': 'example'})`
			`self.assertEqual(response.status_code, 200)`

Add test for PUT with session auth+csrf 2012-01-11 21:22:56 +04:00			`def test_put_form_session_auth_passing(self):`
Docstring tidy up 2012-01-23 13:06:30 +04:00			`"""`
			`Ensure PUTting form over session authentication with logged in user and CSRF token passes.`
			`"""`
Add test for PUT with session auth+csrf 2012-01-11 21:22:56 +04:00			`self.non_csrf_client.login(username=self.username, password=self.password)`
			`response = self.non_csrf_client.put('/', {'example': 'example'})`
			`self.assertEqual(response.status_code, 200)`

Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00			`def test_post_form_session_auth_failing(self):`
Docstring tidy up 2012-01-23 13:06:30 +04:00			`"""`
			`Ensure POSTing form over session authentication without logged in user fails.`
			`"""`
Yowzers. Final big bunch of refactoring for 0.1 release. Now support Django 1.3's views, admin style api is all polished off, loads of tests, new test project for running the test. All sorts of goodness. Getting ready to push this out now. 2011-02-19 13:26:27 +03:00			`response = self.csrf_client.post('/', {'example': 'example'})`
			`self.assertEqual(response.status_code, 403)`
Add a TokenAuthentication class in a sub-application 2012-09-07 20:53:39 +04:00

			`class TokenAuthTests(TestCase):`
			`"""Token authentication"""`
			`urls = 'djangorestframework.tests.authentication'`

			`def setUp(self):`
			`self.csrf_client = Client(enforce_csrf_checks=True)`
			`self.username = 'john'`
			`self.email = 'lennon@thebeatles.com'`
			`self.password = 'password'`
			`self.user = User.objects.create_user(self.username, self.email, self.password)`

			`self.key = 'abcd1234'`
Rename the default token class to "BasicToken" 2012-09-07 22:23:53 +04:00			`self.token = BasicToken.objects.create(key=self.key, user=self.user)`
Add a TokenAuthentication class in a sub-application 2012-09-07 20:53:39 +04:00
			`def test_post_form_passing_token_auth(self):`
			`"""Ensure POSTing json over token auth with correct credentials passes and does not require CSRF"""`
Move TokenAuthentication class into djangorestframework.authentication 2012-09-08 00:12:33 +04:00			`auth = self.key`
Add a TokenAuthentication class in a sub-application 2012-09-07 20:53:39 +04:00			`response = self.csrf_client.post('/', {'example': 'example'}, HTTP_AUTHORIZATION=auth)`
			`self.assertEqual(response.status_code, 200)`

			`def test_post_json_passing_token_auth(self):`
			`"""Ensure POSTing form over token auth with correct credentials passes and does not require CSRF"""`
Move TokenAuthentication class into djangorestframework.authentication 2012-09-08 00:12:33 +04:00			`auth = self.key`
Add a TokenAuthentication class in a sub-application 2012-09-07 20:53:39 +04:00			`response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json', HTTP_AUTHORIZATION=auth)`
			`self.assertEqual(response.status_code, 200)`

			`def test_post_form_failing_token_auth(self):`
			`"""Ensure POSTing form over token auth without correct credentials fails"""`
			`response = self.csrf_client.post('/', {'example': 'example'})`
			`self.assertEqual(response.status_code, 403)`

			`def test_post_json_failing_token_auth(self):`
			`"""Ensure POSTing json over token auth without correct credentials fails"""`
			`response = self.csrf_client.post('/', json.dumps({'example': 'example'}), 'application/json')`
			`self.assertEqual(response.status_code, 403)`
Create a key by default if none is specified 2012-09-07 21:15:24 +04:00
			`def test_token_has_auto_assigned_key_if_none_provided(self):`
			`"""Ensure creating a token with no key will auto-assign a key"""`
Rename the default token class to "BasicToken" 2012-09-07 22:23:53 +04:00			`token = BasicToken.objects.create(user=self.user)`
Create a key by default if none is specified 2012-09-07 21:15:24 +04:00			`self.assertEqual(len(token.key), 32)`