django-rest-framework/tests/test_authentication.py

# coding: utf-8

from __future__ import unicode_literals

import base64

from django.conf.urls import include, url
from django.contrib.auth.models import User
from django.db import models
from django.http import HttpResponse
from django.test import TestCase, override_settings
from django.utils import six

from rest_framework import (
    HTTP_HEADER_ENCODING, exceptions, permissions, renderers, status
)
from rest_framework.authentication import (
    BaseAuthentication, BasicAuthentication, SessionAuthentication,
    TokenAuthentication
)
from rest_framework.authtoken.models import Token
from rest_framework.authtoken.views import obtain_auth_token
from rest_framework.compat import is_authenticated
from rest_framework.response import Response
from rest_framework.test import APIClient, APIRequestFactory
from rest_framework.views import APIView

factory = APIRequestFactory()


class CustomToken(models.Model):
    key = models.CharField(max_length=40, primary_key=True)
    user = models.OneToOneField(User, on_delete=models.CASCADE)


class CustomTokenAuthentication(TokenAuthentication):
    model = CustomToken


class CustomKeywordTokenAuthentication(TokenAuthentication):
    keyword = 'Bearer'


class MockView(APIView):
    permission_classes = (permissions.IsAuthenticated,)

    def get(self, request):
        return HttpResponse({'a': 1, 'b': 2, 'c': 3})

    def post(self, request):
        return HttpResponse({'a': 1, 'b': 2, 'c': 3})

    def put(self, request):
        return HttpResponse({'a': 1, 'b': 2, 'c': 3})


urlpatterns = [
    url(
        r'^session/$',
        MockView.as_view(authentication_classes=[SessionAuthentication])
    ),
    url(
        r'^basic/$',
        MockView.as_view(authentication_classes=[BasicAuthentication])
    ),
    url(
        r'^token/$',
        MockView.as_view(authentication_classes=[TokenAuthentication])
    ),
    url(
        r'^customtoken/$',
        MockView.as_view(authentication_classes=[CustomTokenAuthentication])
    ),
    url(
        r'^customkeywordtoken/$',
        MockView.as_view(
            authentication_classes=[CustomKeywordTokenAuthentication]
        )
    ),
    url(r'^auth-token/$', obtain_auth_token),
    url(r'^auth/', include('rest_framework.urls', namespace='rest_framework')),
]


@override_settings(ROOT_URLCONF='tests.test_authentication')
class BasicAuthTests(TestCase):
    """Basic authentication"""
    def setUp(self):
        self.csrf_client = APIClient(enforce_csrf_checks=True)
        self.username = 'john'
        self.email = 'lennon@thebeatles.com'
        self.password = 'password'
        self.user = User.objects.create_user(
            self.username, self.email, self.password
        )

    def test_post_form_passing_basic_auth(self):
        """Ensure POSTing json over basic auth with correct credentials passes and does not require CSRF"""
        credentials = ('%s:%s' % (self.username, self.password))
        base64_credentials = base64.b64encode(
            credentials.encode(HTTP_HEADER_ENCODING)
        ).decode(HTTP_HEADER_ENCODING)
        auth = 'Basic %s' % base64_credentials
        response = self.csrf_client.post(
            '/basic/',
            {'example': 'example'},
            HTTP_AUTHORIZATION=auth
        )
        self.assertEqual(response.status_code, status.HTTP_200_OK)

    def test_post_json_passing_basic_auth(self):
        """Ensure POSTing form over basic auth with correct credentials passes and does not require CSRF"""
        credentials = ('%s:%s' % (self.username, self.password))
        base64_credentials = base64.b64encode(
            credentials.encode(HTTP_HEADER_ENCODING)
        ).decode(HTTP_HEADER_ENCODING)
        auth = 'Basic %s' % base64_credentials
        response = self.csrf_client.post(
            '/basic/',
            {'example': 'example'},
            format='json',
            HTTP_AUTHORIZATION=auth
        )
        self.assertEqual(response.status_code, status.HTTP_200_OK)

    def test_regression_handle_bad_base64_basic_auth_header(self):
        """Ensure POSTing JSON over basic auth with incorrectly padded Base64 string is handled correctly"""
        # regression test for issue in 'rest_framework.authentication.BasicAuthentication.authenticate'
        # https://github.com/tomchristie/django-rest-framework/issues/4089
        auth = 'Basic =a='
        response = self.csrf_client.post(
            '/basic/',
            {'example': 'example'},
            format='json',
            HTTP_AUTHORIZATION=auth
        )
        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)

    def test_post_form_failing_basic_auth(self):
        """Ensure POSTing form over basic auth without correct credentials fails"""
        response = self.csrf_client.post('/basic/', {'example': 'example'})
        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)

    def test_post_json_failing_basic_auth(self):
        """Ensure POSTing json over basic auth without correct credentials fails"""
        response = self.csrf_client.post(
            '/basic/',
            {'example': 'example'},
            format='json'
        )
        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
        self.assertEqual(response['WWW-Authenticate'], 'Basic realm="api"')


@override_settings(ROOT_URLCONF='tests.test_authentication')
class SessionAuthTests(TestCase):
    """User session authentication"""
    def setUp(self):
        self.csrf_client = APIClient(enforce_csrf_checks=True)
        self.non_csrf_client = APIClient(enforce_csrf_checks=False)
        self.username = 'john'
        self.email = 'lennon@thebeatles.com'
        self.password = 'password'
        self.user = User.objects.create_user(
            self.username, self.email, self.password
        )

    def tearDown(self):
        self.csrf_client.logout()

    def test_login_view_renders_on_get(self):
        """
        Ensure the login template renders for a basic GET.

        cf. [#1810](https://github.com/tomchristie/django-rest-framework/pull/1810)
        """
        response = self.csrf_client.get('/auth/login/')
        self.assertContains(
            response, '<label for="id_username">Username:</label>'
        )

    def test_post_form_session_auth_failing_csrf(self):
        """
        Ensure POSTing form over session authentication without CSRF token fails.
        """
        self.csrf_client.login(username=self.username, password=self.password)
        response = self.csrf_client.post('/session/', {'example': 'example'})
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

    def test_post_form_session_auth_passing(self):
        """
        Ensure POSTing form over session authentication with logged in
        user and CSRF token passes.
        """
        self.non_csrf_client.login(
            username=self.username, password=self.password
        )
        response = self.non_csrf_client.post(
            '/session/', {'example': 'example'}
        )
        self.assertEqual(response.status_code, status.HTTP_200_OK)

    def test_put_form_session_auth_passing(self):
        """
        Ensure PUTting form over session authentication with
        logged in user and CSRF token passes.
        """
        self.non_csrf_client.login(
            username=self.username, password=self.password
        )
        response = self.non_csrf_client.put(
            '/session/', {'example': 'example'}
        )
        self.assertEqual(response.status_code, status.HTTP_200_OK)

    def test_post_form_session_auth_failing(self):
        """
        Ensure POSTing form over session authentication without logged in user fails.
        """
        response = self.csrf_client.post('/session/', {'example': 'example'})
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)


class BaseTokenAuthTests(object):
    """Token authentication"""
    model = None
    path = None
    header_prefix = 'Token '

    def setUp(self):
        self.csrf_client = APIClient(enforce_csrf_checks=True)
        self.username = 'john'
        self.email = 'lennon@thebeatles.com'
        self.password = 'password'
        self.user = User.objects.create_user(
            self.username, self.email, self.password
        )

        self.key = 'abcd1234'
        self.token = self.model.objects.create(key=self.key, user=self.user)

    def test_post_form_passing_token_auth(self):
        """
        Ensure POSTing json over token auth with correct
        credentials passes and does not require CSRF
        """
        auth = self.header_prefix + self.key
        response = self.csrf_client.post(
            self.path, {'example': 'example'}, HTTP_AUTHORIZATION=auth
        )
        self.assertEqual(response.status_code, status.HTTP_200_OK)

    def test_fail_post_form_passing_nonexistent_token_auth(self):
        # use a nonexistent token key
        auth = self.header_prefix + 'wxyz6789'
        response = self.csrf_client.post(
            self.path, {'example': 'example'}, HTTP_AUTHORIZATION=auth
        )
        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)

    def test_fail_post_form_passing_invalid_token_auth(self):
        # add an 'invalid' unicode character
        auth = self.header_prefix + self.key + "¸"
        response = self.csrf_client.post(
            self.path, {'example': 'example'}, HTTP_AUTHORIZATION=auth
        )
        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)

    def test_post_json_passing_token_auth(self):
        """
        Ensure POSTing form over token auth with correct
        credentials passes and does not require CSRF
        """
        auth = self.header_prefix + self.key
        response = self.csrf_client.post(
            self.path, {'example': 'example'},
            format='json', HTTP_AUTHORIZATION=auth
        )
        self.assertEqual(response.status_code, status.HTTP_200_OK)

    def test_post_json_makes_one_db_query(self):
        """
        Ensure that authenticating a user using a
        token performs only one DB query
        """
        auth = self.header_prefix + self.key

        def func_to_test():
            return self.csrf_client.post(
                self.path, {'example': 'example'},
                format='json', HTTP_AUTHORIZATION=auth
            )

        self.assertNumQueries(1, func_to_test)

    def test_post_form_failing_token_auth(self):
        """
        Ensure POSTing form over token auth without correct credentials fails
        """
        response = self.csrf_client.post(self.path, {'example': 'example'})
        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)

    def test_post_json_failing_token_auth(self):
        """
        Ensure POSTing json over token auth without correct credentials fails
        """
        response = self.csrf_client.post(
            self.path, {'example': 'example'}, format='json'
        )
        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)


@override_settings(ROOT_URLCONF='tests.test_authentication')
class TokenAuthTests(BaseTokenAuthTests, TestCase):
    model = Token
    path = '/token/'

    def test_token_has_auto_assigned_key_if_none_provided(self):
        """Ensure creating a token with no key will auto-assign a key"""
        self.token.delete()
        token = self.model.objects.create(user=self.user)
        self.assertTrue(bool(token.key))

    def test_generate_key_returns_string(self):
        """Ensure generate_key returns a string"""
        token = self.model()
        key = token.generate_key()
        self.assertTrue(isinstance(key, six.string_types))

    def test_token_login_json(self):
        """Ensure token login view using JSON POST works."""
        client = APIClient(enforce_csrf_checks=True)
        response = client.post(
            '/auth-token/',
            {'username': self.username, 'password': self.password},
            format='json'
        )
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        self.assertEqual(response.data['token'], self.key)

    def test_token_login_json_bad_creds(self):
        """
        Ensure token login view using JSON POST fails if
        bad credentials are used
        """
        client = APIClient(enforce_csrf_checks=True)
        response = client.post(
            '/auth-token/',
            {'username': self.username, 'password': "badpass"},
            format='json'
        )
        self.assertEqual(response.status_code, 400)

    def test_token_login_json_missing_fields(self):
        """Ensure token login view using JSON POST fails if missing fields."""
        client = APIClient(enforce_csrf_checks=True)
        response = client.post('/auth-token/',
                               {'username': self.username}, format='json')
        self.assertEqual(response.status_code, 400)

    def test_token_login_form(self):
        """Ensure token login view using form POST works."""
        client = APIClient(enforce_csrf_checks=True)
        response = client.post('/auth-token/',
                               {'username': self.username, 'password': self.password})
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        self.assertEqual(response.data['token'], self.key)


@override_settings(ROOT_URLCONF='tests.test_authentication')
class CustomTokenAuthTests(BaseTokenAuthTests, TestCase):
    model = CustomToken
    path = '/customtoken/'


@override_settings(ROOT_URLCONF='tests.test_authentication')
class CustomKeywordTokenAuthTests(BaseTokenAuthTests, TestCase):
    model = Token
    path = '/customkeywordtoken/'
    header_prefix = 'Bearer '


class IncorrectCredentialsTests(TestCase):
    def test_incorrect_credentials(self):
        """
        If a request contains bad authentication credentials, then
        authentication should run and error, even if no permissions
        are set on the view.
        """
        class IncorrectCredentialsAuth(BaseAuthentication):
            def authenticate(self, request):
                raise exceptions.AuthenticationFailed('Bad credentials')

        request = factory.get('/')
        view = MockView.as_view(
            authentication_classes=(IncorrectCredentialsAuth,),
            permission_classes=()
        )
        response = view(request)
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
        self.assertEqual(response.data, {'detail': 'Bad credentials'})


class FailingAuthAccessedInRenderer(TestCase):
    def setUp(self):
        class AuthAccessingRenderer(renderers.BaseRenderer):
            media_type = 'text/plain'
            format = 'txt'

            def render(self, data, media_type=None, renderer_context=None):
                request = renderer_context['request']
                if is_authenticated(request.user):
                    return b'authenticated'
                return b'not authenticated'

        class FailingAuth(BaseAuthentication):
            def authenticate(self, request):
                raise exceptions.AuthenticationFailed('authentication failed')

        class ExampleView(APIView):
            authentication_classes = (FailingAuth,)
            renderer_classes = (AuthAccessingRenderer,)

            def get(self, request):
                return Response({'foo': 'bar'})

        self.view = ExampleView.as_view()

    def test_failing_auth_accessed_in_renderer(self):
        """
        When authentication fails the renderer should still be able to access
        `request.user` without raising an exception. Particularly relevant
        to HTML responses that might reasonably access `request.user`.
        """
        request = factory.get('/')
        response = self.view(request)
        content = response.render().content
        self.assertEqual(content, b'not authenticated')


class NoAuthenticationClassesTests(TestCase):
    def test_permission_message_with_no_authentication_classes(self):
        """
        An unauthenticated request made against a view that contains no
        `authentication_classes` but do contain `permissions_classes` the error
        code returned should be 403 with the exception's message.
        """

        class DummyPermission(permissions.BasePermission):
            message = 'Dummy permission message'

            def has_permission(self, request, view):
                return False

        request = factory.get('/')
        view = MockView.as_view(
            authentication_classes=(),
            permission_classes=(DummyPermission,),
        )
        response = view(request)
        self.assertEqual(response.status_code,
                         status.HTTP_403_FORBIDDEN)
        self.assertEqual(response.data, {'detail': 'Dummy permission message'})
-												Handle invalid characters in  headers

											
										
										
											2015-06-03 20:55:34 +03:00
+								# coding: utf-8
-.2, 3.3 compat

											
										
										
											2013-02-01 18:03:28 +04:00
+								from __future__ import unicode_literals
-												Sort imports with isort
											
										
										
											2015-06-25 23:55:51 +03:00
 								import base64
 								from django.conf.urls import include, url
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
+								from django.contrib.auth.models import User
-												fix import order

											
										
										
											2016-01-05 19:20:22 +03:00
+								from django.db import models
-												urls, patterns, include imports move to compat to support incoming 1.3 thru 1.6 import compatability

											
										
										
											2012-12-20 03:12:27 +04:00
+								from django.http import HttpResponse
-												Django 1.10 support. (#4158)

* Added TEMPLATES setting to tests
* Remove deprecated view-string in URL conf
* Replace 'urls = ...' in test classes with override_settings('ROOT_URLCONF=...')
* Refactor UsingURLPatterns to use override_settings(ROOT_URLCONF=...) style
* Get model managers and names in a version-compatible manner.
* Apply override_settings to a TestCase, not a mixin class
* Use '.callback' property instead of private attributes when inspecting urlpatterns
* Pass 'user' to template explicitly
* Correct sorting of import statements.
* Remove unused TEMPLATE_LOADERS setting, in favor of TEMPLATES.
* Remove code style issue
* BaseFilter test requires a concrete model
* Resolve tox.ini issues
* Resolve isort differences between local and tox environments

											
										
										
											2016-06-01 17:31:00 +03:00
+								from django.test import TestCase, override_settings
-												Moved OAuth support out of DRF and into a separate package, per #1767

											
										
										
											2014-09-06 02:30:01 +04:00
+								from django.utils import six
-												Sort imports with isort
											
										
										
											2015-06-25 23:55:51 +03:00
 								from rest_framework import (
 								    HTTP_HEADER_ENCODING, exceptions, permissions, renderers, status
 								)
-												Auth is no longer lazy.  Closes #667.

More consistent auth failure behavior.

											
										
										
											2013-02-28 21:58:58 +04:00
+								from rest_framework.authentication import (
-												Sort imports with isort
											
										
										
											2015-06-25 23:55:51 +03:00
+								    BaseAuthentication, BasicAuthentication, SessionAuthentication,
 								    TokenAuthentication
-												Auth is no longer lazy.  Closes #667.

More consistent auth failure behavior.

											
										
										
											2013-02-28 21:58:58 +04:00
+								)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
+								from rest_framework.authtoken.models import Token
-												Django 1.10 support. (#4158)

* Added TEMPLATES setting to tests
* Remove deprecated view-string in URL conf
* Replace 'urls = ...' in test classes with override_settings('ROOT_URLCONF=...')
* Refactor UsingURLPatterns to use override_settings(ROOT_URLCONF=...) style
* Get model managers and names in a version-compatible manner.
* Apply override_settings to a TestCase, not a mixin class
* Use '.callback' property instead of private attributes when inspecting urlpatterns
* Pass 'user' to template explicitly
* Correct sorting of import statements.
* Remove unused TEMPLATE_LOADERS setting, in favor of TEMPLATES.
* Remove code style issue
* BaseFilter test requires a concrete model
* Resolve tox.ini issues
* Resolve isort differences between local and tox environments

											
										
										
											2016-06-01 17:31:00 +03:00
+								from rest_framework.authtoken.views import obtain_auth_token
-												Version 3.5 (#4525)

* Start test case

* Added 'requests' test client

* Address typos

* Graceful fallback if requests is not installed.

* Add cookie support

* Tests for auth and CSRF

* Py3 compat

* py3 compat

* py3 compat

* Add get_requests_client

* Added SchemaGenerator.should_include_link

* add settings for html cutoff on related fields

* Router doesn't work if prefix is blank, though project urls.py handles prefix

* Fix Django 1.10 to-many deprecation

* Add django.core.urlresolvers compatibility

* Update django-filter & django-guardian

* Check for empty router prefix; adjust URL accordingly

It's easiest to fix this issue after we have made the regex.  To try
to fix it before would require doing something different for List vs
Detail, which means we'd have to know which type of url we're
constructing before acting accordingly.

* Fix misc django deprecations

* Use TOC extension instead of header

* Fix deprecations for py3k

* Add py3k compatibility to is_simple_callable

* Add is_simple_callable tests

* Drop python 3.2 support (EOL, Dropped by Django)

* schema_renderers= should *set* the renderers, not append to them.

* API client (#4424)

* Fix release notes

* Add note about 'User account is disabled.' vs 'Unable to log in'

* Clean up schema generation (#4527)

* Handle multiple methods on custom action (#4529)

* RequestsClient, CoreAPIClient

* exclude_from_schema

* Added 'get_schema_view()' shortcut

* Added schema descriptions

* Better descriptions for schemas

* Add type annotation to schema generation

* Coerce schema 'pk' in path to actual field name

* Deprecations move into assertion errors

* Use get_schema_view in tests

* Updte CoreJSON media type

* Handle schema structure correctly when path prefixs exist. Closes #4401

* Add PendingDeprecation to Router schema generation.

* Added SCHEMA_COERCE_PATH_PK and SCHEMA_COERCE_METHOD_NAMES

* Renamed and documented 'get_schema_fields' interface.

											
										
										
											2016-10-10 15:03:46 +03:00
+								from rest_framework.compat import is_authenticated
-												Sort imports with isort
											
										
										
											2015-06-25 23:55:51 +03:00
+								from rest_framework.response import Response
 								from rest_framework.test import APIClient, APIRequestFactory
-												urls, patterns, include imports move to compat to support incoming 1.3 thru 1.6 import compatability

											
										
										
											2012-12-20 03:12:27 +04:00
+								from rest_framework.views import APIView
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
-												Added APIRequestFactory

											
										
										
											2013-06-28 20:17:39 +04:00
+								factory = APIRequestFactory()
-												Auth is no longer lazy.  Closes #667.

More consistent auth failure behavior.

											
										
										
											2013-02-28 21:58:58 +04:00
-												test custom token model

											
										
										
											2016-01-05 18:58:16 +03:00
+								class CustomToken(models.Model):
 								    key = models.CharField(max_length=40, primary_key=True)
-												Clean up existing deprecation warnings. (#4166)

* Add Meta.fields = '__all__' to serializer classes where required.
* Add explicit on_delete=models.CASCADE to ForeignKey fields.
* Use '.remote_field' and '.model' in preference to '.rel' and '.to' when inspecting model fields.
* Use new value_from_object in preference to internal _get_val_from_obj

											
										
										
											2016-06-02 16:39:10 +03:00
+								    user = models.OneToOneField(User, on_delete=models.CASCADE)
-												test custom token model

											
										
										
											2016-01-05 18:58:16 +03:00
 								class CustomTokenAuthentication(TokenAuthentication):
 								    model = CustomToken
-												TokenAuthentication: Allow custom keyword in the header (#4097)

This allows subclassing TokenAuthentication and setting custom keyword,
thus allowing the Authorization header to be for example:

    Bearer 956e252a-513c-48c5-92dd-bfddc364e812

It doesn't change the behavior of TokenAuthentication itself,
it simply allows to reuse the logic of TokenAuthentication without
the need of copy pasting the class and changing one hardcoded string.

Related: #4080

											
										
										
											2016-05-04 12:53:34 +03:00
+								class CustomKeywordTokenAuthentication(TokenAuthentication):
 								    keyword = 'Bearer'
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
+								class MockView(APIView):
 								    permission_classes = (permissions.IsAuthenticated,)
-												Auth is no longer lazy.  Closes #667.

More consistent auth failure behavior.

											
										
										
											2013-02-28 21:58:58 +04:00
+								    def get(self, request):
 								        return HttpResponse({'a': 1, 'b': 2, 'c': 3})
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
+								    def post(self, request):
 								        return HttpResponse({'a': 1, 'b': 2, 'c': 3})
 								    def put(self, request):
 								        return HttpResponse({'a': 1, 'b': 2, 'c': 3})
-												Auth is no longer lazy.  Closes #667.

More consistent auth failure behavior.

											
										
										
											2013-02-28 21:58:58 +04:00
-												Remove `django.conf.urls.pattern` as it'll be removed in Django 2.0

											
										
										
											2015-06-11 01:45:23 +03:00
+								urlpatterns = [
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								    url(
 								        r'^session/$',
 								        MockView.as_view(authentication_classes=[SessionAuthentication])
 								    ),
 								    url(
 								        r'^basic/$',
 								        MockView.as_view(authentication_classes=[BasicAuthentication])
 								    ),
 								    url(
 								        r'^token/$',
 								        MockView.as_view(authentication_classes=[TokenAuthentication])
 								    ),
 								    url(
 								        r'^customtoken/$',
 								        MockView.as_view(authentication_classes=[CustomTokenAuthentication])
 								    ),
 								    url(
 								        r'^customkeywordtoken/$',
 								        MockView.as_view(
 								            authentication_classes=[CustomKeywordTokenAuthentication]
 								        )
 								    ),
-												Django 1.10 support. (#4158)

* Added TEMPLATES setting to tests
* Remove deprecated view-string in URL conf
* Replace 'urls = ...' in test classes with override_settings('ROOT_URLCONF=...')
* Refactor UsingURLPatterns to use override_settings(ROOT_URLCONF=...) style
* Get model managers and names in a version-compatible manner.
* Apply override_settings to a TestCase, not a mixin class
* Use '.callback' property instead of private attributes when inspecting urlpatterns
* Pass 'user' to template explicitly
* Correct sorting of import statements.
* Remove unused TEMPLATE_LOADERS setting, in favor of TEMPLATES.
* Remove code style issue
* BaseFilter test requires a concrete model
* Resolve tox.ini issues
* Resolve isort differences between local and tox environments

											
										
										
											2016-06-01 17:31:00 +03:00
+								    url(r'^auth-token/$', obtain_auth_token),
-												Define the `urlpatterns` as a list of `url()....

											
										
										
											2015-06-11 02:01:47 +03:00
+								    url(r'^auth/', include('rest_framework.urls', namespace='rest_framework')),
-												Remove `django.conf.urls.pattern` as it'll be removed in Django 2.0

											
										
										
											2015-06-11 01:45:23 +03:00
+								]
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
-												Code linting and added runtests.py

											
										
										
											2014-08-19 16:28:07 +04:00
-												Django 1.10 support. (#4158)

* Added TEMPLATES setting to tests
* Remove deprecated view-string in URL conf
* Replace 'urls = ...' in test classes with override_settings('ROOT_URLCONF=...')
* Refactor UsingURLPatterns to use override_settings(ROOT_URLCONF=...) style
* Get model managers and names in a version-compatible manner.
* Apply override_settings to a TestCase, not a mixin class
* Use '.callback' property instead of private attributes when inspecting urlpatterns
* Pass 'user' to template explicitly
* Correct sorting of import statements.
* Remove unused TEMPLATE_LOADERS setting, in favor of TEMPLATES.
* Remove code style issue
* BaseFilter test requires a concrete model
* Resolve tox.ini issues
* Resolve isort differences between local and tox environments

											
										
										
											2016-06-01 17:31:00 +03:00
+								@override_settings(ROOT_URLCONF='tests.test_authentication')
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
+								class BasicAuthTests(TestCase):
 								    """Basic authentication"""
 								    def setUp(self):
-												Added APIClient

											
										
										
											2013-06-28 20:50:30 +04:00
+								        self.csrf_client = APIClient(enforce_csrf_checks=True)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
+								        self.username = 'john'
 								        self.email = 'lennon@thebeatles.com'
 								        self.password = 'password'
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        self.user = User.objects.create_user(
 								            self.username, self.email, self.password
 								        )
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
 								    def test_post_form_passing_basic_auth(self):
 								        """Ensure POSTing json over basic auth with correct credentials passes and does not require CSRF"""
-.2, 3.3 compat

											
										
										
											2013-02-01 18:03:28 +04:00
+								        credentials = ('%s:%s' % (self.username, self.password))
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        base64_credentials = base64.b64encode(
 								            credentials.encode(HTTP_HEADER_ENCODING)
 								        ).decode(HTTP_HEADER_ENCODING)
-.2, 3.3 compat

											
										
										
											2013-02-01 18:03:28 +04:00
+								        auth = 'Basic %s' % base64_credentials
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        response = self.csrf_client.post(
 								            '/basic/',
 								            {'example': 'example'},
 								            HTTP_AUTHORIZATION=auth
 								        )
-												Replaced status numbers with the statuses constants from the status model.

											
										
										
											2013-02-25 17:59:40 +04:00
+								        self.assertEqual(response.status_code, status.HTTP_200_OK)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
 								    def test_post_json_passing_basic_auth(self):
 								        """Ensure POSTing form over basic auth with correct credentials passes and does not require CSRF"""
-.2, 3.3 compat

											
										
										
											2013-02-01 18:03:28 +04:00
+								        credentials = ('%s:%s' % (self.username, self.password))
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        base64_credentials = base64.b64encode(
 								            credentials.encode(HTTP_HEADER_ENCODING)
 								        ).decode(HTTP_HEADER_ENCODING)
-.2, 3.3 compat

											
										
										
											2013-02-01 18:03:28 +04:00
+								        auth = 'Basic %s' % base64_credentials
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        response = self.csrf_client.post(
 								            '/basic/',
 								            {'example': 'example'},
 								            format='json',
 								            HTTP_AUTHORIZATION=auth
 								        )
-												Replaced status numbers with the statuses constants from the status model.

											
										
										
											2013-02-25 17:59:40 +04:00
+								        self.assertEqual(response.status_code, status.HTTP_200_OK)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
-												Handle incorrectly padded HTTP basic auth header (#4090)
											
										
										
											2016-05-03 11:24:55 +03:00
+								    def test_regression_handle_bad_base64_basic_auth_header(self):
 								        """Ensure POSTing JSON over basic auth with incorrectly padded Base64 string is handled correctly"""
 								        # regression test for issue in 'rest_framework.authentication.BasicAuthentication.authenticate'
 								        # https://github.com/tomchristie/django-rest-framework/issues/4089
 								        auth = 'Basic =a='
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        response = self.csrf_client.post(
 								            '/basic/',
 								            {'example': 'example'},
 								            format='json',
 								            HTTP_AUTHORIZATION=auth
 								        )
-												Handle incorrectly padded HTTP basic auth header (#4090)
											
										
										
											2016-05-03 11:24:55 +03:00
+								        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
+								    def test_post_form_failing_basic_auth(self):
 								        """Ensure POSTing form over basic auth without correct credentials fails"""
-												WWW-Authenticate responses

											
										
										
											2013-01-22 01:29:49 +04:00
+								        response = self.csrf_client.post('/basic/', {'example': 'example'})
-												Replaced status numbers with the statuses constants from the status model.

											
										
										
											2013-02-25 17:59:40 +04:00
+								        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
 								    def test_post_json_failing_basic_auth(self):
 								        """Ensure POSTing json over basic auth without correct credentials fails"""
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        response = self.csrf_client.post(
 								            '/basic/',
 								            {'example': 'example'},
 								            format='json'
 								        )
-												Replaced status numbers with the statuses constants from the status model.

											
										
										
											2013-02-25 17:59:40 +04:00
+								        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
-												WWW-Authenticate responses

											
										
										
											2013-01-22 01:29:49 +04:00
+								        self.assertEqual(response['WWW-Authenticate'], 'Basic realm="api"')
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
-												Django 1.10 support. (#4158)

* Added TEMPLATES setting to tests
* Remove deprecated view-string in URL conf
* Replace 'urls = ...' in test classes with override_settings('ROOT_URLCONF=...')
* Refactor UsingURLPatterns to use override_settings(ROOT_URLCONF=...) style
* Get model managers and names in a version-compatible manner.
* Apply override_settings to a TestCase, not a mixin class
* Use '.callback' property instead of private attributes when inspecting urlpatterns
* Pass 'user' to template explicitly
* Correct sorting of import statements.
* Remove unused TEMPLATE_LOADERS setting, in favor of TEMPLATES.
* Remove code style issue
* BaseFilter test requires a concrete model
* Resolve tox.ini issues
* Resolve isort differences between local and tox environments

											
										
										
											2016-06-01 17:31:00 +03:00
+								@override_settings(ROOT_URLCONF='tests.test_authentication')
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
+								class SessionAuthTests(TestCase):
 								    """User session authentication"""
 								    def setUp(self):
-												Added APIClient

											
										
										
											2013-06-28 20:50:30 +04:00
+								        self.csrf_client = APIClient(enforce_csrf_checks=True)
 								        self.non_csrf_client = APIClient(enforce_csrf_checks=False)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
+								        self.username = 'john'
 								        self.email = 'lennon@thebeatles.com'
 								        self.password = 'password'
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        self.user = User.objects.create_user(
 								            self.username, self.email, self.password
 								        )
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
 								    def tearDown(self):
 								        self.csrf_client.logout()
-												Regression for #1810: Test login view renders

											
										
										
											2014-09-01 12:07:05 +04:00
+								    def test_login_view_renders_on_get(self):
 								        """
 								        Ensure the login template renders for a basic GET.
 								        cf. [#1810](https://github.com/tomchristie/django-rest-framework/pull/1810)
 								        """
 								        response = self.csrf_client.get('/auth/login/')
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        self.assertContains(
 								            response, '<label for="id_username">Username:</label>'
 								        )
-												Regression for #1810: Test login view renders

											
										
										
											2014-09-01 12:07:05 +04:00
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
+								    def test_post_form_session_auth_failing_csrf(self):
 								        """
 								        Ensure POSTing form over session authentication without CSRF token fails.
 								        """
 								        self.csrf_client.login(username=self.username, password=self.password)
-												WWW-Authenticate responses

											
										
										
											2013-01-22 01:29:49 +04:00
+								        response = self.csrf_client.post('/session/', {'example': 'example'})
-												Replaced status numbers with the statuses constants from the status model.

											
										
										
											2013-02-25 17:59:40 +04:00
+								        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
 								    def test_post_form_session_auth_passing(self):
 								        """
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        Ensure POSTing form over session authentication with logged in
 								        user and CSRF token passes.
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
+								        """
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        self.non_csrf_client.login(
 								            username=self.username, password=self.password
 								        )
 								        response = self.non_csrf_client.post(
 								            '/session/', {'example': 'example'}
 								        )
-												Replaced status numbers with the statuses constants from the status model.

											
										
										
											2013-02-25 17:59:40 +04:00
+								        self.assertEqual(response.status_code, status.HTTP_200_OK)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
 								    def test_put_form_session_auth_passing(self):
 								        """
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        Ensure PUTting form over session authentication with
 								        logged in user and CSRF token passes.
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
+								        """
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        self.non_csrf_client.login(
 								            username=self.username, password=self.password
 								        )
 								        response = self.non_csrf_client.put(
 								            '/session/', {'example': 'example'}
 								        )
-												Replaced status numbers with the statuses constants from the status model.

											
										
										
											2013-02-25 17:59:40 +04:00
+								        self.assertEqual(response.status_code, status.HTTP_200_OK)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
 								    def test_post_form_session_auth_failing(self):
 								        """
 								        Ensure POSTing form over session authentication without logged in user fails.
 								        """
-												WWW-Authenticate responses

											
										
										
											2013-01-22 01:29:49 +04:00
+								        response = self.csrf_client.post('/session/', {'example': 'example'})
-												Replaced status numbers with the statuses constants from the status model.

											
										
										
											2013-02-25 17:59:40 +04:00
+								        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
-												test custom token model

											
										
										
											2016-01-05 18:58:16 +03:00
+								class BaseTokenAuthTests(object):
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
+								    """Token authentication"""
-												test custom token model

											
										
										
											2016-01-05 18:58:16 +03:00
+								    model = None
 								    path = None
-												TokenAuthentication: Allow custom keyword in the header (#4097)

This allows subclassing TokenAuthentication and setting custom keyword,
thus allowing the Authorization header to be for example:

    Bearer 956e252a-513c-48c5-92dd-bfddc364e812

It doesn't change the behavior of TokenAuthentication itself,
it simply allows to reuse the logic of TokenAuthentication without
the need of copy pasting the class and changing one hardcoded string.

Related: #4080

											
										
										
											2016-05-04 12:53:34 +03:00
+								    header_prefix = 'Token '
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
 								    def setUp(self):
-												Added APIClient

											
										
										
											2013-06-28 20:50:30 +04:00
+								        self.csrf_client = APIClient(enforce_csrf_checks=True)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
+								        self.username = 'john'
 								        self.email = 'lennon@thebeatles.com'
 								        self.password = 'password'
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        self.user = User.objects.create_user(
 								            self.username, self.email, self.password
 								        )
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
 								        self.key = 'abcd1234'
-												test custom token model

											
										
										
											2016-01-05 18:58:16 +03:00
+								        self.token = self.model.objects.create(key=self.key, user=self.user)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
 								    def test_post_form_passing_token_auth(self):
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        """
 								        Ensure POSTing json over token auth with correct
 								        credentials passes and does not require CSRF
 								        """
-												TokenAuthentication: Allow custom keyword in the header (#4097)

This allows subclassing TokenAuthentication and setting custom keyword,
thus allowing the Authorization header to be for example:

    Bearer 956e252a-513c-48c5-92dd-bfddc364e812

It doesn't change the behavior of TokenAuthentication itself,
it simply allows to reuse the logic of TokenAuthentication without
the need of copy pasting the class and changing one hardcoded string.

Related: #4080

											
										
										
											2016-05-04 12:53:34 +03:00
+								        auth = self.header_prefix + self.key
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        response = self.csrf_client.post(
 								            self.path, {'example': 'example'}, HTTP_AUTHORIZATION=auth
 								        )
-												Replaced status numbers with the statuses constants from the status model.

											
										
										
											2013-02-25 17:59:40 +04:00
+								        self.assertEqual(response.status_code, status.HTTP_200_OK)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
-												update invalid token case

											
										
										
											2016-01-05 18:42:22 +03:00
+								    def test_fail_post_form_passing_nonexistent_token_auth(self):
 								        # use a nonexistent token key
-												TokenAuthentication: Allow custom keyword in the header (#4097)

This allows subclassing TokenAuthentication and setting custom keyword,
thus allowing the Authorization header to be for example:

    Bearer 956e252a-513c-48c5-92dd-bfddc364e812

It doesn't change the behavior of TokenAuthentication itself,
it simply allows to reuse the logic of TokenAuthentication without
the need of copy pasting the class and changing one hardcoded string.

Related: #4080

											
										
										
											2016-05-04 12:53:34 +03:00
+								        auth = self.header_prefix + 'wxyz6789'
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        response = self.csrf_client.post(
 								            self.path, {'example': 'example'}, HTTP_AUTHORIZATION=auth
 								        )
-												update invalid token case

											
										
										
											2016-01-05 18:42:22 +03:00
+								        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
-												Handle invalid characters in  headers

											
										
										
											2015-06-03 20:55:34 +03:00
+								    def test_fail_post_form_passing_invalid_token_auth(self):
 								        # add an 'invalid' unicode character
-												TokenAuthentication: Allow custom keyword in the header (#4097)

This allows subclassing TokenAuthentication and setting custom keyword,
thus allowing the Authorization header to be for example:

    Bearer 956e252a-513c-48c5-92dd-bfddc364e812

It doesn't change the behavior of TokenAuthentication itself,
it simply allows to reuse the logic of TokenAuthentication without
the need of copy pasting the class and changing one hardcoded string.

Related: #4080

											
										
										
											2016-05-04 12:53:34 +03:00
+								        auth = self.header_prefix + self.key + "¸"
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        response = self.csrf_client.post(
 								            self.path, {'example': 'example'}, HTTP_AUTHORIZATION=auth
 								        )
-												Handle invalid characters in  headers

											
										
										
											2015-06-03 20:55:34 +03:00
+								        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
+								    def test_post_json_passing_token_auth(self):
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        """
 								        Ensure POSTing form over token auth with correct
 								        credentials passes and does not require CSRF
 								        """
-												TokenAuthentication: Allow custom keyword in the header (#4097)

This allows subclassing TokenAuthentication and setting custom keyword,
thus allowing the Authorization header to be for example:

    Bearer 956e252a-513c-48c5-92dd-bfddc364e812

It doesn't change the behavior of TokenAuthentication itself,
it simply allows to reuse the logic of TokenAuthentication without
the need of copy pasting the class and changing one hardcoded string.

Related: #4080

											
										
										
											2016-05-04 12:53:34 +03:00
+								        auth = self.header_prefix + self.key
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        response = self.csrf_client.post(
 								            self.path, {'example': 'example'},
 								            format='json', HTTP_AUTHORIZATION=auth
 								        )
-												Replaced status numbers with the statuses constants from the status model.

											
										
										
											2013-02-25 17:59:40 +04:00
+								        self.assertEqual(response.status_code, status.HTTP_200_OK)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
-												Prefetching the user object when getting the token in TokenAuthentication.

Since the user object is fetched 4 lines after getting Token from the database, this removes a DB query for each token-authenticated request.

											
										
										
											2015-02-04 17:08:41 +03:00
+								    def test_post_json_makes_one_db_query(self):
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        """
 								        Ensure that authenticating a user using a
 								        token performs only one DB query
 								        """
-												TokenAuthentication: Allow custom keyword in the header (#4097)

This allows subclassing TokenAuthentication and setting custom keyword,
thus allowing the Authorization header to be for example:

    Bearer 956e252a-513c-48c5-92dd-bfddc364e812

It doesn't change the behavior of TokenAuthentication itself,
it simply allows to reuse the logic of TokenAuthentication without
the need of copy pasting the class and changing one hardcoded string.

Related: #4080

											
										
										
											2016-05-04 12:53:34 +03:00
+								        auth = self.header_prefix + self.key
-												Fixes for latest version of pep8

											
										
										
											2015-02-09 20:43:20 +03:00
 								        def func_to_test():
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								            return self.csrf_client.post(
 								                self.path, {'example': 'example'},
 								                format='json', HTTP_AUTHORIZATION=auth
 								            )
-												Fixes for latest version of pep8

											
										
										
											2015-02-09 20:43:20 +03:00
-												Prefetching the user object when getting the token in TokenAuthentication.

Since the user object is fetched 4 lines after getting Token from the database, this removes a DB query for each token-authenticated request.

											
										
										
											2015-02-04 17:08:41 +03:00
+								        self.assertNumQueries(1, func_to_test)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
+								    def test_post_form_failing_token_auth(self):
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        """
 								        Ensure POSTing form over token auth without correct credentials fails
 								        """
-												test custom token model

											
										
										
											2016-01-05 18:58:16 +03:00
+								        response = self.csrf_client.post(self.path, {'example': 'example'})
-												Replaced status numbers with the statuses constants from the status model.

											
										
										
											2013-02-25 17:59:40 +04:00
+								        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
 								    def test_post_json_failing_token_auth(self):
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        """
 								        Ensure POSTing json over token auth without correct credentials fails
 								        """
 								        response = self.csrf_client.post(
 								            self.path, {'example': 'example'}, format='json'
 								        )
-												Replaced status numbers with the statuses constants from the status model.

											
										
										
											2013-02-25 17:59:40 +04:00
+								        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
-												test custom token model

											
										
										
											2016-01-05 18:58:16 +03:00
-												Django 1.10 support. (#4158)

* Added TEMPLATES setting to tests
* Remove deprecated view-string in URL conf
* Replace 'urls = ...' in test classes with override_settings('ROOT_URLCONF=...')
* Refactor UsingURLPatterns to use override_settings(ROOT_URLCONF=...) style
* Get model managers and names in a version-compatible manner.
* Apply override_settings to a TestCase, not a mixin class
* Use '.callback' property instead of private attributes when inspecting urlpatterns
* Pass 'user' to template explicitly
* Correct sorting of import statements.
* Remove unused TEMPLATE_LOADERS setting, in favor of TEMPLATES.
* Remove code style issue
* BaseFilter test requires a concrete model
* Resolve tox.ini issues
* Resolve isort differences between local and tox environments

											
										
										
											2016-06-01 17:31:00 +03:00
+								@override_settings(ROOT_URLCONF='tests.test_authentication')
-												test custom token model

											
										
										
											2016-01-05 18:58:16 +03:00
+								class TokenAuthTests(BaseTokenAuthTests, TestCase):
 								    model = Token
 								    path = '/token/'
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
+								    def test_token_has_auto_assigned_key_if_none_provided(self):
 								        """Ensure creating a token with no key will auto-assign a key"""
-												Tweak authtoken

											
										
										
											2012-10-09 12:57:31 +04:00
+								        self.token.delete()
-												test custom token model

											
										
										
											2016-01-05 18:58:16 +03:00
+								        token = self.model.objects.create(user=self.user)
-												Change package name: djangorestframework -> rest_framework

											
										
										
											2012-09-20 16:06:27 +04:00
+								        self.assertTrue(bool(token.key))
-												Added authtoken login/logout urlpatterns and views

											
										
										
											2012-11-11 04:17:50 +04:00
-												Ensure Token.generate_key returns a string.

											
										
										
											2014-04-28 15:35:55 +04:00
+								    def test_generate_key_returns_string(self):
 								        """Ensure generate_key returns a string"""
-												test custom token model

											
										
										
											2016-01-05 18:58:16 +03:00
+								        token = self.model()
-												Ensure Token.generate_key returns a string.

											
										
										
											2014-04-28 15:35:55 +04:00
+								        key = token.generate_key()
-												Better Python < 3 compatibility.

											
										
										
											2014-04-28 16:13:51 +04:00
+								        self.assertTrue(isinstance(key, six.string_types))
-												Ensure Token.generate_key returns a string.

											
										
										
											2014-04-28 15:35:55 +04:00
-												Added authtoken login/logout urlpatterns and views

											
										
										
											2012-11-11 04:17:50 +04:00
+								    def test_token_login_json(self):
 								        """Ensure token login view using JSON POST works."""
-												Added APIClient

											
										
										
											2013-06-28 20:50:30 +04:00
+								        client = APIClient(enforce_csrf_checks=True)
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        response = client.post(
 								            '/auth-token/',
 								            {'username': self.username, 'password': self.password},
 								            format='json'
 								        )
-												Replaced status numbers with the statuses constants from the status model.

											
										
										
											2013-02-25 17:59:40 +04:00
+								        self.assertEqual(response.status_code, status.HTTP_200_OK)
-												Added APIClient

											
										
										
											2013-06-28 20:50:30 +04:00
+								        self.assertEqual(response.data['token'], self.key)
-												Added authtoken login/logout urlpatterns and views

											
										
										
											2012-11-11 04:17:50 +04:00
 								    def test_token_login_json_bad_creds(self):
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        """
 								        Ensure token login view using JSON POST fails if
 								        bad credentials are used
 								        """
-												Added APIClient

											
										
										
											2013-06-28 20:50:30 +04:00
+								        client = APIClient(enforce_csrf_checks=True)
-												Style fix of tests  (#4154)

Clean up code style.
											
										
										
											2016-06-01 12:40:54 +03:00
+								        response = client.post(
 								            '/auth-token/',
 								            {'username': self.username, 'password': "badpass"},
 								            format='json'
 								        )
-												Reverted #458

When incorrect parameters are supplied to the obtain auth token view
400 *is* the correct response.

											
										
										
											2012-12-08 02:25:16 +04:00
+								        self.assertEqual(response.status_code, 400)
-												Added authtoken login/logout urlpatterns and views

											
										
										
											2012-11-11 04:17:50 +04:00
 								    def test_token_login_json_missing_fields(self):
 								        """Ensure token login view using JSON POST fails if missing fields."""
-												Added APIClient

											
										
										
											2013-06-28 20:50:30 +04:00
+								        client = APIClient(enforce_csrf_checks=True)
-												Reverted #458

When incorrect parameters are supplied to the obtain auth token view
400 *is* the correct response.

											
										
										
											2012-12-08 02:25:16 +04:00
+								        response = client.post('/auth-token/',
-												Added APIClient

											
										
										
											2013-06-28 20:50:30 +04:00
+								                               {'username': self.username}, format='json')
-												Reverted #458

When incorrect parameters are supplied to the obtain auth token view
400 *is* the correct response.

											
										
										
											2012-12-08 02:25:16 +04:00
+								        self.assertEqual(response.status_code, 400)
-												Added authtoken login/logout urlpatterns and views

											
										
										
											2012-11-11 04:17:50 +04:00
 								    def test_token_login_form(self):
 								        """Ensure token login view using form POST works."""
-												Added APIClient

											
										
										
											2013-06-28 20:50:30 +04:00
+								        client = APIClient(enforce_csrf_checks=True)
-												Reverted #458

When incorrect parameters are supplied to the obtain auth token view
400 *is* the correct response.

											
										
										
											2012-12-08 02:25:16 +04:00
+								        response = client.post('/auth-token/',
-												Updates to login view for TokenAuthentication from feedback from Tom

											
										
										
											2012-11-13 03:16:53 +04:00
+								                               {'username': self.username, 'password': self.password})
-												Replaced status numbers with the statuses constants from the status model.

											
										
										
											2013-02-25 17:59:40 +04:00
+								        self.assertEqual(response.status_code, status.HTTP_200_OK)
-												Added APIClient

											
										
										
											2013-06-28 20:50:30 +04:00
+								        self.assertEqual(response.data['token'], self.key)
-												Auth is no longer lazy.  Closes #667.

More consistent auth failure behavior.

											
										
										
											2013-02-28 21:58:58 +04:00
-												Django 1.10 support. (#4158)

* Added TEMPLATES setting to tests
* Remove deprecated view-string in URL conf
* Replace 'urls = ...' in test classes with override_settings('ROOT_URLCONF=...')
* Refactor UsingURLPatterns to use override_settings(ROOT_URLCONF=...) style
* Get model managers and names in a version-compatible manner.
* Apply override_settings to a TestCase, not a mixin class
* Use '.callback' property instead of private attributes when inspecting urlpatterns
* Pass 'user' to template explicitly
* Correct sorting of import statements.
* Remove unused TEMPLATE_LOADERS setting, in favor of TEMPLATES.
* Remove code style issue
* BaseFilter test requires a concrete model
* Resolve tox.ini issues
* Resolve isort differences between local and tox environments

											
										
										
											2016-06-01 17:31:00 +03:00
+								@override_settings(ROOT_URLCONF='tests.test_authentication')
-												test custom token model

											
										
										
											2016-01-05 18:58:16 +03:00
+								class CustomTokenAuthTests(BaseTokenAuthTests, TestCase):
 								    model = CustomToken
 								    path = '/customtoken/'
-												Django 1.10 support. (#4158)

* Added TEMPLATES setting to tests
* Remove deprecated view-string in URL conf
* Replace 'urls = ...' in test classes with override_settings('ROOT_URLCONF=...')
* Refactor UsingURLPatterns to use override_settings(ROOT_URLCONF=...) style
* Get model managers and names in a version-compatible manner.
* Apply override_settings to a TestCase, not a mixin class
* Use '.callback' property instead of private attributes when inspecting urlpatterns
* Pass 'user' to template explicitly
* Correct sorting of import statements.
* Remove unused TEMPLATE_LOADERS setting, in favor of TEMPLATES.
* Remove code style issue
* BaseFilter test requires a concrete model
* Resolve tox.ini issues
* Resolve isort differences between local and tox environments

											
										
										
											2016-06-01 17:31:00 +03:00
+								@override_settings(ROOT_URLCONF='tests.test_authentication')
-												TokenAuthentication: Allow custom keyword in the header (#4097)

This allows subclassing TokenAuthentication and setting custom keyword,
thus allowing the Authorization header to be for example:

    Bearer 956e252a-513c-48c5-92dd-bfddc364e812

It doesn't change the behavior of TokenAuthentication itself,
it simply allows to reuse the logic of TokenAuthentication without
the need of copy pasting the class and changing one hardcoded string.

Related: #4080

											
										
										
											2016-05-04 12:53:34 +03:00
+								class CustomKeywordTokenAuthTests(BaseTokenAuthTests, TestCase):
 								    model = Token
 								    path = '/customkeywordtoken/'
 								    header_prefix = 'Bearer '
-												Auth is no longer lazy.  Closes #667.

More consistent auth failure behavior.

											
										
										
											2013-02-28 21:58:58 +04:00
+								class IncorrectCredentialsTests(TestCase):
 								    def test_incorrect_credentials(self):
 								        """
 								        If a request contains bad authentication credentials, then
 								        authentication should run and error, even if no permissions
 								        are set on the view.
 								        """
 								        class IncorrectCredentialsAuth(BaseAuthentication):
 								            def authenticate(self, request):
 								                raise exceptions.AuthenticationFailed('Bad credentials')
 								        request = factory.get('/')
 								        view = MockView.as_view(
 								            authentication_classes=(IncorrectCredentialsAuth,),
 								            permission_classes=()
 								        )
 								        response = view(request)
 								        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 								        self.assertEqual(response.data, {'detail': 'Bad credentials'})
-												Merge & clean OAuth support

											
										
										
											2013-03-07 13:01:53 +04:00
-												request.user should be still be accessible in renderer context if authentication fails

											
										
										
											2013-06-03 15:32:57 +04:00
+								class FailingAuthAccessedInRenderer(TestCase):
 								    def setUp(self):
 								        class AuthAccessingRenderer(renderers.BaseRenderer):
 								            media_type = 'text/plain'
 								            format = 'txt'
 								            def render(self, data, media_type=None, renderer_context=None):
 								                request = renderer_context['request']
-												Version 3.5 (#4525)

* Start test case

* Added 'requests' test client

* Address typos

* Graceful fallback if requests is not installed.

* Add cookie support

* Tests for auth and CSRF

* Py3 compat

* py3 compat

* py3 compat

* Add get_requests_client

* Added SchemaGenerator.should_include_link

* add settings for html cutoff on related fields

* Router doesn't work if prefix is blank, though project urls.py handles prefix

* Fix Django 1.10 to-many deprecation

* Add django.core.urlresolvers compatibility

* Update django-filter & django-guardian

* Check for empty router prefix; adjust URL accordingly

It's easiest to fix this issue after we have made the regex.  To try
to fix it before would require doing something different for List vs
Detail, which means we'd have to know which type of url we're
constructing before acting accordingly.

* Fix misc django deprecations

* Use TOC extension instead of header

* Fix deprecations for py3k

* Add py3k compatibility to is_simple_callable

* Add is_simple_callable tests

* Drop python 3.2 support (EOL, Dropped by Django)

* schema_renderers= should *set* the renderers, not append to them.

* API client (#4424)

* Fix release notes

* Add note about 'User account is disabled.' vs 'Unable to log in'

* Clean up schema generation (#4527)

* Handle multiple methods on custom action (#4529)

* RequestsClient, CoreAPIClient

* exclude_from_schema

* Added 'get_schema_view()' shortcut

* Added schema descriptions

* Better descriptions for schemas

* Add type annotation to schema generation

* Coerce schema 'pk' in path to actual field name

* Deprecations move into assertion errors

* Use get_schema_view in tests

* Updte CoreJSON media type

* Handle schema structure correctly when path prefixs exist. Closes #4401

* Add PendingDeprecation to Router schema generation.

* Added SCHEMA_COERCE_PATH_PK and SCHEMA_COERCE_METHOD_NAMES

* Renamed and documented 'get_schema_fields' interface.

											
										
										
											2016-10-10 15:03:46 +03:00
+								                if is_authenticated(request.user):
-												request.user should be still be accessible in renderer context if authentication fails

											
										
										
											2013-06-03 15:32:57 +04:00
+								                    return b'authenticated'
 								                return b'not authenticated'
 								        class FailingAuth(BaseAuthentication):
 								            def authenticate(self, request):
 								                raise exceptions.AuthenticationFailed('authentication failed')
 								        class ExampleView(APIView):
 								            authentication_classes = (FailingAuth,)
 								            renderer_classes = (AuthAccessingRenderer,)
 								            def get(self, request):
 								                return Response({'foo': 'bar'})
 								        self.view = ExampleView.as_view()
 								    def test_failing_auth_accessed_in_renderer(self):
 								        """
 								        When authentication fails the renderer should still be able to access
 								        `request.user` without raising an exception. Particularly relevant
 								        to HTML responses that might reasonably access `request.user`.
 								        """
 								        request = factory.get('/')
 								        response = self.view(request)
 								        content = response.render().content
 								        self.assertEqual(content, b'not authenticated')
-												No auth view failing permission should raise 403

A view with no `authentication_classes` set and that fails a

permission check should raise a 403 with the message from the

failing permission.
											
										
										
											2016-04-07 18:24:26 +03:00
 								class NoAuthenticationClassesTests(TestCase):
 								    def test_permission_message_with_no_authentication_classes(self):
 								        """
-												Fixed various typos (#4366)


											
										
										
											2016-08-08 11:32:22 +03:00
+								        An unauthenticated request made against a view that contains no
-												No auth view failing permission should raise 403

A view with no `authentication_classes` set and that fails a

permission check should raise a 403 with the message from the

failing permission.
											
										
										
											2016-04-07 18:24:26 +03:00
+								        `authentication_classes` but do contain `permissions_classes` the error
 								        code returned should be 403 with the exception's message.
 								        """
 								        class DummyPermission(permissions.BasePermission):
 								            message = 'Dummy permission message'
 								            def has_permission(self, request, view):
 								                return False
 								        request = factory.get('/')
 								        view = MockView.as_view(
 								            authentication_classes=(),
 								            permission_classes=(DummyPermission,),
 								        )
 								        response = view(request)
 								        self.assertEqual(response.status_code,
 								                         status.HTTP_403_FORBIDDEN)
 								        self.assertEqual(response.data, {'detail': 'Dummy permission message'})