From b94bad829c1fd4b4325a4af280d33d50f164e05f Mon Sep 17 00:00:00 2001
From: 0livd
Date: Thu, 26 Oct 2017 19:46:34 +0200
Subject: Use token based auth to reset passwords (#269)
Send a mail containing a password reset token link instead of sending a clear text password. Ref #232
---
ihatemoney/tests/tests.py | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
(limited to 'ihatemoney/tests/tests.py')
diff --git a/ihatemoney/tests/tests.py b/ihatemoney/tests/tests.py
index 6c0ccb9..f918746 100644
--- a/ihatemoney/tests/tests.py
+++ b/ihatemoney/tests/tests.py
@@ -169,6 +169,30 @@ class BudgetTestCase(IhatemoneyTestCase):
 self.assertIn("raclette", outbox[0].body)
 self.assertIn("raclette@notmyidea.org", outbox[0].recipients)
+ def test_password_reset(self):
+ # test that a password can be changed using a link sent by mail
+ self.create_project("raclette")
+ # Get password resetting link from mail
+ with self.app.mail.record_messages() as outbox:
+ self.client.post("/password-reminder", data={"id": "raclette"})
+ self.assertEqual(len(outbox), 1)
+ url_start = outbox[0].body.find('You can reset it here: ') + 23
+ url_end = outbox[0].body.find('.\n', url_start)
+ url = outbox[0].body[url_start:url_end]
+ # Test that we got a valid token
+ resp = self.client.get(url)
+ self.assertIn("Password confirmation", resp.data.decode('utf-8'))
+ # Test that password can be changed
+ self.client.post(url, data={'password': 'pass', 'password_confirmation': 'pass'})
+ resp = self.login('raclette', password='pass')
+ self.assertIn("Account manager - raclette", resp.data.decode('utf-8'))
+ # Test empty and null tokens
+ resp = self.client.get("/reset-password")
+ self.assertIn("No token provided", resp.data.decode('utf-8'))
+ resp = self.client.get("/reset-password?token=token")
+ self.assertIn("Invalid token", resp.data.decode('utf-8'))
 def test_project_creation(self):
 with self.app.test_client() as c:
--
cgit v1.1
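Review bot: test_password_reset never checks that the reset link is single-use, so a reset mail that leaks later could still change the password after the legitimate owner has already used it; right after the successful `self.login('raclette', password='pass')` I would replay the link and assert it is rejected, e.g. `resp = self.client.get(url)` followed by `self.assertIn("Invalid token", resp.data.decode('utf-8'))`. Whether that assertion holds depends on how the view binds the token (to the current password hash or only to a timestamp), which is outside this hunk, so treat it as a behaviour to confirm rather than a known failure. Separately, the hard-coded `+ 23` is `len('You can reset it here: ')` and is better written as `prefix = 'You can reset it here: '` and `url_start = outbox[0].body.find(prefix) + len(prefix)`, so a change to the mail wording cannot silently slice a wrong URL and make the test pass for the wrong reason. The enclosing class BudgetTestCase starts outside the hunk, and test_project_creation continues past it.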