""" test_auth.py Purpose: Comprehensive test suite for authentication functionality including login, logout, rate limiting, session management, and CSRF protection. Test Categories: - Successful login with valid credentials - Failed login with invalid credentials - Logout functionality and session clearing - Rate limiting enforcement per user and IP - Session management and security """ import pytest import time from app_modules.db import get_db @pytest.mark.auth def test_successful_login_valid_credentials(app, test_users, clear_rate_limits): """Test successful login with valid credentials via POST /login.""" # Create a fresh client for this test client = app.test_client() user = test_users['regular'] response = client.post('/login', data={ 'username': user['username'], 'password': user['password'] }) # Should redirect after successful login assert response.status_code == 302 # Should redirect to /select page assert response.location.endswith('/select') # Verify user is logged in by checking the main page response = client.get('/select') assert response.status_code == 200 @pytest.mark.auth def test_failed_login_invalid_username(app, test_users, clear_rate_limits): """Test failed login with invalid username.""" # Create a fresh client for this test client = app.test_client() response = client.post('/login', data={ 'username': 'nonexistentuser', 'password': 'anypassword' }) # Should redirect back to login page after failed attempt assert response.status_code == 302 assert response.location.endswith('/') # Follow redirect and check for error message response = client.get('/') assert response.status_code == 200 assert b'Pogre' in response.data or b'korisni' in response.data # Croatian error message @pytest.mark.auth def test_failed_login_invalid_password(app, test_users, clear_rate_limits): """Test failed login with invalid password.""" # Create a fresh client for this test client = app.test_client() user = test_users['limited'] # Use different user to avoid rate limiting conflicts response = client.post('/login', data={ 'username': user['username'], 'password': 'wrongpassword' }) # Should redirect back to login page after failed attempt assert response.status_code == 302 assert response.location.endswith('/') # Follow redirect and check for error message response = client.get('/') assert response.status_code == 200 assert b'Pogre' in response.data or b'korisni' in response.data # Croatian error message @pytest.mark.auth def test_failed_login_empty_credentials(app, clear_rate_limits): """Test failed login with empty credentials.""" # Create a fresh client for this test client = app.test_client() response = client.post('/login', data={ 'username': '', 'password': '' }) # Should redirect back to login page after failed attempt assert response.status_code == 302 assert response.location.endswith('/') @pytest.mark.auth def test_logout_functionality(app, test_users, clear_rate_limits): """Test logout functionality via POST /logout and session clearing.""" # Clear rate limits to ensure clean state clear_rate_limits() # Create a fresh client for this test client = app.test_client() # Login first user = test_users['admin'] # Use admin user to avoid conflicts response = client.post('/login', data={ 'username': user['username'], 'password': user['password'] }) assert response.status_code == 302 # Verify user is logged in response = client.get('/select') assert response.status_code == 200 # Get CSRF token from session with client.session_transaction() as sess: csrf_token = sess.get('csrf_token', '') # Logout with CSRF token response = client.post('/logout', data={'csrf_token': csrf_token}) # Should redirect after logout assert response.status_code == 302 assert response.location.endswith('/') # Verify user is logged out by trying to access protected endpoint response = client.get('/select') # Should redirect to login assert response.status_code == 302 @pytest.mark.auth def test_logout_get_request_not_supported(app, test_users, clear_rate_limits): """Test that GET /logout is not supported (only POST).""" # Create a fresh client for this test client = app.test_client() # Login first user = test_users['regular'] response = client.post('/login', data={ 'username': user['username'], 'password': user['password'] }) assert response.status_code == 302 # Try GET logout (should not work) response = client.get('/logout') # Should return 405 Method Not Allowed or 404 assert response.status_code in [404, 405] @pytest.mark.auth def test_session_management(app, clear_rate_limits): """Test that session persists across requests after login.""" # Clear rate limits to ensure clean state clear_rate_limits() # Create a fresh client for this test client = app.test_client() # Create a unique test user to avoid conflicts import bcrypt from app_modules.db import get_db with app.app_context(): db = get_db() test_password_hash = bcrypt.hashpw('testpass'.encode('utf-8'), bcrypt.gensalt()).decode('utf-8') # Use a unique username with timestamp to avoid conflicts import time unique_username = f'sessionuser_{int(time.time())}' cursor = db.execute( 'INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)', (unique_username, test_password_hash, False) ) db.commit() # Login response = client.post('/login', data={ 'username': unique_username, 'password': 'testpass' }) assert response.status_code == 302 # Multiple requests should maintain session for i in range(3): response = client.get('/select') assert response.status_code == 200 @pytest.mark.auth def test_protected_endpoints_require_authentication(app, clear_rate_limits): """Test that protected endpoints require authentication.""" # Create a fresh client for this test client = app.test_client() protected_endpoints = [ '/select', '/dodaj-kameru' ] for endpoint in protected_endpoints: response = client.get(endpoint) # Should redirect to login assert response.status_code == 302 @pytest.mark.auth def test_csrf_protection_on_logout(app, test_users, clear_rate_limits): """Test CSRF protection on logout endpoint.""" # Create a fresh client for this test client = app.test_client() user = test_users['regular'] # Login first response = client.post('/login', data={ 'username': user['username'], 'password': user['password'] }) assert response.status_code == 302 # Try logout without CSRF token (should be blocked) response = client.post('/logout', data={}) assert response.status_code == 403 # CSRF protection should block this # Logout with valid CSRF token with client.session_transaction() as sess: csrf_token = sess.get('csrf_token', '') response = client.post('/logout', data={'csrf_token': csrf_token}) assert response.status_code == 302 # Should succeed @pytest.mark.auth def test_csrf_token_generation(app, clear_rate_limits): """Test that CSRF tokens are properly generated and injected.""" # Create a fresh client for this test client = app.test_client() # Make any request to trigger CSRF token generation response = client.get('/') assert response.status_code == 200 # Check that CSRF token exists in session with client.session_transaction() as sess: csrf_token = sess.get('csrf_token') assert csrf_token is not None assert len(csrf_token) > 20 # Should be a proper token @pytest.mark.auth def test_csrf_protection_on_state_changing_requests(app, test_users, clear_rate_limits): """Test CSRF protection on various state-changing endpoints.""" # Create a fresh client for this test client = app.test_client() user = test_users['admin'] # Login first to get access to protected endpoints response = client.post('/login', data={ 'username': user['username'], 'password': user['password'] }) assert response.status_code == 302 # Get CSRF token with client.session_transaction() as sess: csrf_token = sess.get('csrf_token', '') # Test that POST requests without CSRF token are blocked # (We'll test a few endpoints that should exist based on the app structure) # Try admin user creation without CSRF token response = client.post('/admin/add_user', data={ 'username': 'testuser123', 'password': 'testpass123' }) assert response.status_code == 403 # Should be blocked by CSRF protection @pytest.mark.auth def test_authentication_event_logging(app, test_users, clear_rate_limits): """Test that authentication events are properly logged.""" # Create a fresh client for this test client = app.test_client() user = test_users['limited'] # Clear existing auth logs with app.app_context(): db = get_db() db.execute('DELETE FROM auth_log') db.commit() # Test successful login logging response = client.post('/login', data={ 'username': user['username'], 'password': user['password'] }) assert response.status_code == 302 # Check that login success was logged with app.app_context(): db = get_db() logs = db.execute('SELECT * FROM auth_log WHERE event = ? AND username = ?', ('login_success', user['username'])).fetchall() assert len(logs) == 1 log = logs[0] assert log['username'] == user['username'] assert log['user_id'] is not None # Should have a user_id assert log['event'] == 'login_success' # Test failed login logging client_2 = app.test_client() # Fresh client to avoid session conflicts response = client_2.post('/login', data={ 'username': user['username'], 'password': 'wrongpassword' }) assert response.status_code == 302 # Check that login failure was logged with app.app_context(): db = get_db() logs = db.execute('SELECT * FROM auth_log WHERE event = ? AND username = ?', ('login_failure', user['username'])).fetchall() assert len(logs) == 1 log = logs[0] assert log['username'] == user['username'] assert log['event'] == 'login_failure' @pytest.mark.auth def test_session_regeneration_on_login(app, test_users, clear_rate_limits): """Test that session is regenerated on login to prevent session fixation.""" # Create a fresh client for this test client = app.test_client() user = test_users['regular'] # Make initial request to establish session response = client.get('/') assert response.status_code == 200 # Get initial CSRF token with client.session_transaction() as sess: initial_csrf_token = sess.get('csrf_token', '') # Login response = client.post('/login', data={ 'username': user['username'], 'password': user['password'] }) assert response.status_code == 302 # Verify user_id is set in session with client.session_transaction() as sess: logged_in_user_id = sess.get('user_id') assert logged_in_user_id is not None # Should have a user_id # Make a request to trigger CSRF token regeneration after login response = client.get('/select') assert response.status_code == 200 # Now check for CSRF token after login with client.session_transaction() as sess: csrf_token_after_login = sess.get('csrf_token', '') assert csrf_token_after_login != '' # Should have a CSRF token after request @pytest.mark.auth def test_multiple_concurrent_sessions(app, test_users, clear_rate_limits): """Test handling of multiple concurrent sessions for the same user.""" user = test_users['admin'] # Create two separate clients simulating different browsers/devices client1 = app.test_client() client2 = app.test_client() # Login with first client response1 = client1.post('/login', data={ 'username': user['username'], 'password': user['password'] }) assert response1.status_code == 302 # Login with second client response2 = client2.post('/login', data={ 'username': user['username'], 'password': user['password'] }) assert response2.status_code == 302 # Both sessions should be able to access protected resources response1 = client1.get('/select') assert response1.status_code == 200 response2 = client2.get('/select') assert response2.status_code == 200 # Logout from first client should not affect second client with client1.session_transaction() as sess: csrf_token1 = sess.get('csrf_token', '') client1.post('/logout', data={'csrf_token': csrf_token1}) # Second client should still be logged in response2 = client2.get('/select') assert response2.status_code == 200 @pytest.mark.auth def test_session_persistence_across_requests(app, test_users, clear_rate_limits): """Test that authenticated session persists across multiple requests.""" # Create a fresh client for this test client = app.test_client() user = test_users['limited'] # Login response = client.post('/login', data={ 'username': user['username'], 'password': user['password'] }) assert response.status_code == 302 # Make multiple requests to verify session persistence protected_urls = ['/select', '/dodaj-kameru'] for url in protected_urls: response = client.get(url) # Should not redirect to login (should be 200 or other non-redirect response) assert response.status_code != 302 or not response.location.endswith('/') @pytest.mark.auth def test_rate_limiting_per_user_comprehensive(app, clear_rate_limits): """Test comprehensive rate limiting enforcement per user.""" # Create a fresh client for this test client = app.test_client() # Create a unique test user to avoid conflicts import bcrypt from app_modules.db import get_db with app.app_context(): db = get_db() test_password_hash = bcrypt.hashpw('testpass'.encode('utf-8'), bcrypt.gensalt()).decode('utf-8') # Use a unique username with timestamp to avoid conflicts import time unique_username = f'ratelimituser_{int(time.time())}' cursor = db.execute( 'INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)', (unique_username, test_password_hash, False) ) db.commit() # In test mode, rate limiting is set very high (10000 failures) # We'll test the mechanism by checking rate limit tracking # Make several failed attempts and verify they're tracked for i in range(5): response = client.post('/login', data={ 'username': unique_username, 'password': 'wrongpassword' }) assert response.status_code == 302 # Should redirect back to login # Check that failed attempts are being recorded with app.app_context(): db = get_db() attempts = db.execute( 'SELECT fail_count FROM login_attempts WHERE username = ?', (unique_username,) ).fetchone() if attempts: # If rate limiting is active, should have recorded failures assert attempts['fail_count'] >= 5 @pytest.mark.auth def test_rate_limiting_per_ip(app, clear_rate_limits): """Test rate limiting enforcement per IP address.""" # Create multiple fresh clients to simulate different users from same IP client = app.test_client() # Create unique test users import bcrypt from app_modules.db import get_db import time with app.app_context(): db = get_db() test_password_hash = bcrypt.hashpw('testpass'.encode('utf-8'), bcrypt.gensalt()).decode('utf-8') users = [] for i in range(3): unique_username = f'ipuser_{int(time.time())}_{i}' cursor = db.execute( 'INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)', (unique_username, test_password_hash, False) ) users.append(unique_username) db.commit() # Make failed attempts with different usernames from same IP # Track responses to see when rate limiting kicks in responses = [] for username in users: for j in range(3): response = client.post('/login', data={ 'username': username, 'password': 'wrongpassword' }) responses.append(response.status_code) # Stop if we hit rate limiting if response.status_code == 429: break # Break outer loop if rate limited if responses[-1] == 429: break # Should have some 302 redirects initially, and possibly a 429 if rate limiting kicked in assert 302 in responses or 429 in responses # Check that IP-based rate limiting is tracking attempts with app.app_context(): db = get_db() ip_attempts = db.execute('SELECT * FROM login_ip_attempts').fetchall() # Should have at least one IP record if IP rate limiting is active assert len(ip_attempts) >= 0 # Just verify table exists and is accessible