From 293735eca715c7cc5221e551e5eb41f92b6abd0f Mon Sep 17 00:00:00 2001
From: 0livd
Date: Mon, 23 Oct 2017 23:03:44 +0200
Subject: Make authentication logic simpler and safer (#270)

* Fixed exposed password in session

The project password was set in clear text in the session cookie. The cookie payload is only base64 encoded so it must not be used to store private information. The password is simply replaced by a boolean.

* Simplify authentication logic
---
 ihatemoney/tests/tests.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'ihatemoney/tests/tests.py')

diff --git a/ihatemoney/tests/tests.py b/ihatemoney/tests/tests.py
index 36ca6fc..6c0ccb9 100644
--- a/ihatemoney/tests/tests.py
+++ b/ihatemoney/tests/tests.py
@@ -181,7 +181,7 @@ class BudgetTestCase(IhatemoneyTestCase):
         })
 
         # session is updated
-        self.assertEqual(session['raclette'], 'party')
+        self.assertTrue(session['raclette'])
 
         # project is created
         self.assertEqual(len(models.Project.query.all()), 1)
@@ -373,7 +373,7 @@ class BudgetTestCase(IhatemoneyTestCase):
         self.assertNotIn("Authentication", resp.data.decode('utf-8'))
         self.assertIn('raclette', session)
 
-        self.assertEqual(session['raclette'], 'raclette')
+        self.assertTrue(session['raclette'])
 
         # logout should wipe the session out
         c.get("/exit")
-- 
cgit v1.1
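Review bot: `self.assertTrue(session['raclette'])` in the first hunk (and the same line in the second hunk at -373) does not verify what the commit message promises, because any non-empty string — including the old clear-text password 'party' or 'raclette' — is truthy, so a regression that stores the password in the session again would still pass both tests. Pin the new contract instead with `self.assertIs(session['raclette'], True)`, which fails as soon as anything other than the boolean marker is written to the session. A stronger guard for the original defect would additionally assert that the password string does not appear in the session value at all, e.g. `self.assertNotEqual(session['raclette'], 'party')`, though that is optional once the identity check is in place. Both enclosing test methods begin outside the hunks, so the surrounding request-context setup is inferred rather than visible here.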