91a2277664
Magic-link tokens were persisted in plaintext, so a database read disclosed usable login/invite tokens. The service now hashes tokens (HMAC-SHA256 when a pepper is configured, else SHA-256 of the high-entropy token) and persists only the hash; the raw token is exposed solely in the registration URL and is re-attached to objects returned to callers. Refs: porchlight-42h Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
80 lines
3.2 KiB
Python
80 lines
3.2 KiB
Python
from httpx import AsyncClient
|
|
|
|
from porchlight.invite.service import MagicLinkService
|
|
from porchlight.models import User
|
|
|
|
|
|
async def test_register_invalid_token_returns_error_page(client: AsyncClient) -> None:
|
|
res = await client.get("/register/nope", follow_redirects=False)
|
|
assert res.status_code == 400
|
|
assert "Invalid or expired" in res.text
|
|
|
|
|
|
async def test_register_expired_token_returns_error_page(client: AsyncClient) -> None:
|
|
app = client._transport.app # type: ignore[union-attr]
|
|
# An already-expired link (negative TTL), stored hashed like the real service.
|
|
expired_service = MagicLinkService(repo=app.state.magic_link_repo, ttl=-3600)
|
|
link = await expired_service.create(username="newuser")
|
|
|
|
res = await client.get(f"/register/{link.token}", follow_redirects=False)
|
|
assert res.status_code == 400
|
|
assert "Invalid or expired" in res.text
|
|
|
|
|
|
async def test_register_valid_token_creates_user_and_redirects(client: AsyncClient) -> None:
|
|
app = client._transport.app # type: ignore[union-attr]
|
|
magic_link_service = app.state.magic_link_service
|
|
user_repo = app.state.user_repo
|
|
|
|
link = await magic_link_service.create(username="newuser")
|
|
|
|
res = await client.get(f"/register/{link.token}", follow_redirects=False)
|
|
assert res.status_code in (302, 303)
|
|
assert "/manage/credentials" in res.headers["location"]
|
|
assert "setup=1" in res.headers["location"]
|
|
|
|
# Token should be consumed (no longer valid)
|
|
assert await magic_link_service.validate(link.token) is None
|
|
|
|
# User should exist
|
|
user = await user_repo.get_by_username("newuser")
|
|
assert user is not None
|
|
assert "users" in user.groups
|
|
|
|
|
|
async def test_register_used_token_returns_error(client: AsyncClient) -> None:
|
|
app = client._transport.app # type: ignore[union-attr]
|
|
magic_link_service = app.state.magic_link_service
|
|
link = await magic_link_service.create(username="newuser")
|
|
await magic_link_service.mark_used(link.token)
|
|
|
|
res = await client.get(f"/register/{link.token}", follow_redirects=False)
|
|
assert res.status_code == 400
|
|
|
|
|
|
async def test_register_existing_user_logs_in_and_redirects(client: AsyncClient) -> None:
|
|
"""When initial-admin creates a user (no credentials yet), the invite link
|
|
should let them set up their account."""
|
|
app = client._transport.app # type: ignore[union-attr]
|
|
magic_link_service = app.state.magic_link_service
|
|
user_repo = app.state.user_repo
|
|
|
|
# Pre-create the user (as initial-admin would), with no credentials.
|
|
user = User(userid="lusab-bansen", username="admin", groups=["admin", "users"])
|
|
await user_repo.create(user)
|
|
|
|
link = await magic_link_service.create(username="admin")
|
|
|
|
res = await client.get(f"/register/{link.token}", follow_redirects=False)
|
|
assert res.status_code in (302, 303)
|
|
assert "/manage/credentials" in res.headers["location"]
|
|
assert "setup=1" in res.headers["location"]
|
|
|
|
# Token should be consumed
|
|
assert await magic_link_service.validate(link.token) is None
|
|
|
|
# Original user should still exist with original groups
|
|
existing = await user_repo.get_by_username("admin")
|
|
assert existing is not None
|
|
assert existing.userid == "lusab-bansen"
|
|
assert "admin" in existing.groups
|