baef5e0e2e
GET /register/{token} consumed the magic-link token and created a session, so
a side-effecting state change happened on a safe method — link prefetchers,
email scanners, or a cross-site GET could trigger account setup/login.
Split the flow: GET validates the token (without consuming) and renders a
confirmation form; POST /register/{token} consumes the token, runs the
existing checks, and establishes the session. The POST carries a CSRF token
and the session is reset on login as for other auth paths.
Refs: porchlight-9k0
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
71 lines
2.3 KiB
Python
71 lines
2.3 KiB
Python
from datetime import UTC, datetime
|
|
|
|
import pytest
|
|
from httpx import AsyncClient
|
|
|
|
from porchlight.authn.password import PasswordHasher, PasswordService
|
|
from porchlight.models import PasswordCredential, User
|
|
from tests.conftest import get_csrf_token
|
|
|
|
|
|
async def _create_inactive_user_with_password(client: AsyncClient) -> None:
|
|
"""Create an inactive user with a password credential."""
|
|
app = client._transport.app
|
|
user_repo = app.state.user_repo
|
|
cred_repo = app.state.credential_repo
|
|
|
|
user = User(
|
|
userid="inactive-01",
|
|
username="inactive",
|
|
active=False,
|
|
created_at=datetime.now(UTC),
|
|
updated_at=datetime.now(UTC),
|
|
)
|
|
await user_repo.create(user)
|
|
|
|
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
|
|
await cred_repo.create_password(
|
|
PasswordCredential(user_id=user.userid, password_hash=svc.hash("password123!Secure"))
|
|
)
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_inactive_user_cannot_login_password(client: AsyncClient) -> None:
|
|
await _create_inactive_user_with_password(client)
|
|
token = await get_csrf_token(client)
|
|
|
|
response = await client.post(
|
|
"/login/password",
|
|
data={"username": "inactive", "password": "password123!Secure"},
|
|
headers={"HX-Request": "true", "X-CSRF-Token": token},
|
|
)
|
|
|
|
assert "Invalid username or password" in response.text
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_inactive_user_cannot_register_magic_link(client: AsyncClient) -> None:
|
|
"""If an inactive user exists, magic link registration should reject them."""
|
|
app = client._transport.app
|
|
user_repo = app.state.user_repo
|
|
magic_link_service = app.state.magic_link_service
|
|
|
|
user = User(
|
|
userid="inactive-02",
|
|
username="deactivated",
|
|
active=False,
|
|
created_at=datetime.now(UTC),
|
|
updated_at=datetime.now(UTC),
|
|
)
|
|
await user_repo.create(user)
|
|
|
|
link = await magic_link_service.create(username="deactivated", created_by="admin", note="test")
|
|
|
|
csrf = await get_csrf_token(client)
|
|
response = await client.post(
|
|
f"/register/{link.token}",
|
|
headers={"X-CSRF-Token": csrf},
|
|
follow_redirects=False,
|
|
)
|
|
|
|
assert response.status_code == 400 or "deactivated" in response.text.lower() or "Invalid" in response.text
|