From 21dffce347abe0277cf570148977e34d38f1852b Mon Sep 17 00:00:00 2001
From: bkis
Date: Wed, 27 Dec 2023 18:22:09 +0100
Subject: [PATCH] Activate XSRF protection during dev and tests
---
 Tekst-API/tekst/app.py | 29 ++++++------
 Tekst-API/tests/conftest.py | 6 +++
 Tekst-API/tests/test_api_admin.py | 8 ++--
 Tekst-API/tests/test_api_auth.py | 7 +--
 Tekst-API/tests/test_api_node.py | 58 +++++++++++++++--------
 Tekst-API/tests/test_api_platform.py | 16 +++----
 Tekst-API/tests/test_api_resource.py | 71 +++++++++++++++-------------
 Tekst-API/tests/test_api_text.py | 53 +++++++++++----------
 Tekst-API/tests/test_api_unit.py | 38 ++++++++++-----
 9 files changed, 163 insertions(+), 123 deletions(-)
diff --git a/Tekst-API/tekst/app.py b/Tekst-API/tekst/app.py
index dcc28f2a..826bdfa2 100644
--- a/Tekst-API/tekst/app.py
+++ b/Tekst-API/tekst/app.py
@@ -62,21 +62,20 @@ async def lifespan(app: FastAPI):
 separate_input_output_schemas=False,
 )
-# add and configure CSRF middleware
-if not _cfg.dev_mode:
- app.add_middleware(
- CSRFMiddleware,
- secret=_cfg.security_secret,
- required_urls=[re.compile(r".*/auth/cookie/login.*")],
- exempt_urls=[re.compile(r".*/auth/cookie/logout.*")],
- sensitive_cookies={_cfg.security_auth_cookie_name},
- cookie_name="XSRF-TOKEN",
- cookie_path="/",
- cookie_domain=_cfg.security_auth_cookie_domain or None,
- cookie_secure=not _cfg.dev_mode,
- cookie_samesite="Lax",
- header_name="X-XSRF-TOKEN",
- )
+# add and configure XSRF/CSRF middleware
+app.add_middleware(
+ CSRFMiddleware,
+ secret=_cfg.security_secret,
+ required_urls=[re.compile(r".*/auth/cookie/login.*")],
+ exempt_urls=[re.compile(r".*/auth/cookie/logout.*")],
+ sensitive_cookies={_cfg.security_auth_cookie_name},
+ cookie_name="XSRF-TOKEN",
+ cookie_path="/",
+ cookie_domain=_cfg.security_auth_cookie_domain or None,
+ cookie_secure=not _cfg.dev_mode,
+ cookie_samesite="Lax",
+ header_name="X-XSRF-TOKEN",
+)
 # add and configure CORS middleware
 app.add_middleware(
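Review bot: The `required_urls` and `exempt_urls` patterns passed to `app.add_middleware(CSRFMiddleware, ...)` in tekst/app.py are unanchored (`.*/auth/cookie/logout.*`), so any request whose matched string merely contains `/auth/cookie/logout` is exempt from the token check, not only the logout route itself. Now that the middleware is active in every mode, I would pin the exemption to the end of the path, e.g. `exempt_urls=[re.compile(r".*/auth/cookie/logout/?$")],`, and tighten the login pattern the same way. Whether the middleware matches these patterns against the path only or against the full URL including the query string is not visible in this hunk and should be confirmed. A one-line comment above the call stating why login is force-checked and logout is exempt would also help, because the reasoning is not recoverable from the arguments alone.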
diff --git a/Tekst-API/tests/conftest.py b/Tekst-API/tests/conftest.py
index 79f59b22..ef35411c 100644
--- a/Tekst-API/tests/conftest.py
+++ b/Tekst-API/tests/conftest.py
@@ -100,6 +100,12 @@ async def test_client(test_app, config) -> AsyncClient:
 async with AsyncClient(
 app=test_app, base_url=f"{config.server_url}{config.api_path}"
 ) as client:
+ # prepare XSRF token
+ resp = await client.get("/")
+ xsrf_token = resp.cookies.get("XSRF-TOKEN")
+ client.headers.setdefault("X-XSRF-TOKEN", xsrf_token) # set XSRF token header
+ client.cookies.setdefault("XSRF-TOKEN", xsrf_token) # set XSRF token cookie
+ # yield client instance
 yield client
diff --git a/Tekst-API/tests/test_api_admin.py b/Tekst-API/tests/test_api_admin.py
index 3794c938..d1bd98c9 100644
--- a/Tekst-API/tests/test_api_admin.py
+++ b/Tekst-API/tests/test_api_admin.py
@@ -13,8 +13,8 @@ async def test_get_stats(
 ):
 await insert_sample_data("texts", "nodes", "resources", "units")
 user = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(user)
- resp = await test_client.get("/admin/stats", cookies=session_cookie)
+ await get_session_cookie(user)
+ resp = await test_client.get("/admin/stats")
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert "usersCount" in resp.json()
 assert resp.json()["usersCount"] == 1
@@ -28,8 +28,8 @@ async def test_get_users(
 get_session_cookie,
 ):
 user = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(user)
- resp = await test_client.get("/admin/users", cookies=session_cookie)
+ await get_session_cookie(user)
+ resp = await test_client.get("/admin/users")
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert isinstance(resp.json(), list)
 assert len(resp.json()) == 1
diff --git a/Tekst-API/tests/test_api_auth.py b/Tekst-API/tests/test_api_auth.py
index af0a7738..9044237c 100644
--- a/Tekst-API/tests/test_api_auth.py
+++ b/Tekst-API/tests/test_api_auth.py
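Review bot: In the `test_client` fixture (tests/conftest.py) `xsrf_token` is used without checking that the `GET /` response actually set the `XSRF-TOKEN` cookie; if it did not, `None` is handed to `client.headers.setdefault(...)` and the failure shows up far from its cause. Add `assert xsrf_token, "CSRF middleware did not set the XSRF-TOKEN cookie"` directly after the lookup. Because every client now carries a valid token, nothing visible in this patch exercises the rejection path, so the suite would keep passing if the middleware stopped enforcing; a test that removes the `X-XSRF-TOKEN` header from a logged-in client and asserts that a state-changing request is refused would close that gap. The `client.cookies.setdefault(...)` line is probably a no-op, since the client presumably already stored the cookie from the response; worth confirming and dropping if so.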
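Review bot: In `test_get_stats` (tests/test_api_admin.py) the return value of `get_session_cookie(user)` is now discarded, so the test depends on a side effect of the fixture, presumably that it leaves the session cookie in the shared `test_client`, which is not visible in this patch and is no longer what the name suggests. Either rename the fixture (for example `login`, a constructed name) or comment the call, e.g. `# logs the shared client in; the session cookie stays in the client's cookie jar`. The same pattern repeats in every test hunk of this patch (test_api_auth, test_api_node, test_api_platform, test_api_resource, test_api_text, test_api_unit). Requests that were previously sent without `cookies=` after a login, such as the "update invalid node" PATCH in `test_update_node`, may now run with whatever session the client holds, so tests that intend to act anonymously should clear the cookie explicitly.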
@@ -135,11 +135,10 @@ async def test_user_updates_self(
 status_fail_msg,
 ):
 user_data = await register_test_user()
- session_cookie = await get_session_cookie(user_data)
+ await get_session_cookie(user_data)
 # get user data from /users/me
 resp = await test_client.get(
 "/users/me",
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert "id" in resp.json()
@@ -149,7 +148,6 @@ async def test_user_updates_self(
 resp = await test_client.patch(
 "/users/me",
 json=updates,
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert resp.json()["id"] == user_id
@@ -165,11 +163,10 @@ async def test_user_deletes_self(
 status_fail_msg,
 ):
 user_data = await register_test_user()
- session_cookie = await get_session_cookie(user_data)
+ await get_session_cookie(user_data)
 # delete self
 resp = await test_client.delete(
 "/users/me",
- cookies=session_cookie,
 )
 assert resp.status_code == 204, status_fail_msg(204, resp)
diff --git a/Tekst-API/tests/test_api_node.py b/Tekst-API/tests/test_api_node.py
index 816e7da1..ae754fb2 100644
--- a/Tekst-API/tests/test_api_node.py
+++ b/Tekst-API/tests/test_api_node.py
@@ -19,10 +19,13 @@ async def test_create_node(
 # create superuser
 superuser_data = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(superuser_data)
+ await get_session_cookie(superuser_data)
 for node in nodes:
- resp = await test_client.post("/nodes", json=node, cookies=session_cookie)
+ resp = await test_client.post(
+ "/nodes",
+ json=node,
+ )
 assert resp.status_code == 201, status_fail_msg(201, resp)
@@ -40,10 +43,13 @@ async def test_child_node_io(
 # create superuser
 superuser_data = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(superuser_data)
+ await get_session_cookie(superuser_data)
 # create parent
- resp = await test_client.post("/nodes", json=node, cookies=session_cookie)
+ resp = await test_client.post(
+ "/nodes",
+ json=node,
+ )
 assert resp.status_code == 201, status_fail_msg(201, resp)
 parent = resp.json()
 assert parent["id"]
@@ -53,7 +59,10 @@ async def test_child_node_io(
 child["parentId"] = parent["id"]
 child["level"] = parent["level"] + 1
 child["position"] = 0
- resp = await test_client.post("/nodes", json=child, cookies=session_cookie)
+ resp = await test_client.post(
+ "/nodes",
+ json=child,
+ )
 assert resp.status_code == 201, status_fail_msg(201, resp)
 child = resp.json()
 assert "id" in resp.json()
@@ -73,7 +82,6 @@ async def test_child_node_io(
 resp = await test_client.get(
 "/nodes/children",
 params={"parentId": child["parentId"]},
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert isinstance(resp.json(), list)
@@ -82,7 +90,8 @@ async def test_child_node_io(
 # find children by text ID and null parent ID using dedicated children endpoint
 resp = await test_client.get(
- "/nodes/children", params={"textId": text_id}, cookies=session_cookie
+ "/nodes/children",
+ params={"textId": text_id},
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert isinstance(resp.json(), list)
@@ -105,9 +114,12 @@ async def test_create_node_invalid_text_fail(
 # create superuser
 superuser_data = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(superuser_data)
+ await get_session_cookie(superuser_data)
- resp = await test_client.post("/nodes", json=node, cookies=session_cookie)
+ resp = await test_client.post(
+ "/nodes",
+ json=node,
+ )
 assert resp.status_code == 400, status_fail_msg(400, resp)
@@ -186,11 +198,12 @@ async def test_update_node(
 node = resp.json()[0]
 # create superuser
 superuser_data = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(superuser_data)
+ await get_session_cookie(superuser_data)
 # update node
 node_update = {"label": "A fresh label"}
 resp = await test_client.patch(
- f"/nodes/{node['id']}", json=node_update, cookies=session_cookie
+ f"/nodes/{node['id']}",
+ json=node_update,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert "id" in resp.json()
@@ -199,13 +212,17 @@ async def test_update_node(
 assert resp.json()["label"] == "A fresh label"
 # update unchanged node
 resp = await test_client.patch(
- f"/nodes/{node['id']}", json=node_update, cookies=session_cookie
+ f"/nodes/{node['id']}",
+ json=node_update,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 # update invalid node
 node_update = {"label": "Brand new label"}
 resp = await test_client.patch("/nodes/637b9ad396d541a505e5439b", json=node_update)
- assert resp.status_code == 400, status_fail_msg(400, resp, cookies=session_cookie)
+ assert resp.status_code == 400, status_fail_msg(
+ 400,
+ resp,
+ )
 @pytest.mark.anyio
@@ -229,7 +246,7 @@ async def test_delete_node(
 # create superuser
 superuser_data = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(superuser_data)
+ await get_session_cookie(superuser_data)
 # get existing resource
 resp = await test_client.get("/resources", params={"textId": text_id})
@@ -246,7 +263,10 @@ async def test_delete_node(
 "text": "Ein Raabe geht im Feld spazieren.",
 "comment": "This is a comment",
 }
- resp = await test_client.post("/units", json=payload, cookies=session_cookie)
+ resp = await test_client.post(
+ "/units",
+ json=payload,
+ )
 assert resp.status_code == 201, status_fail_msg(201, resp)
 assert isinstance(resp.json(), dict)
 assert resp.json()["text"] == payload["text"]
@@ -254,7 +274,9 @@ async def test_delete_node(
 assert "id" in resp.json()
 # delete node
- resp = await test_client.delete(f"/nodes/{node['id']}", cookies=session_cookie)
+ resp = await test_client.delete(
+ f"/nodes/{node['id']}",
+ )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert resp.json().get("nodes", None) > 1
 assert resp.json().get("units", None) == 1
@@ -272,13 +294,12 @@ async def test_move_node(
 # create superuser
 superuser_data = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(superuser_data)
+ await get_session_cookie(superuser_data)
 # get node from db
 resp = await test_client.get(
 "/nodes",
 params={"textId": text_id, "level": 0, "position": 0},
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert isinstance(resp.json(), list)
@@ -289,7 +310,6 @@ async def test_move_node(
 resp = await test_client.post(
 f"/nodes/{node['id']}/move",
 json={"position": 1, "after": True, "parentId": None},
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert isinstance(resp.json(), dict)
diff --git a/Tekst-API/tests/test_api_platform.py b/Tekst-API/tests/test_api_platform.py
index f91eb5b8..5ae96479 100644
--- a/Tekst-API/tests/test_api_platform.py
+++ b/Tekst-API/tests/test_api_platform.py
@@ -19,9 +19,10 @@ async def test_platform_users(
 get_session_cookie,
 ):
 user = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(user)
+ await get_session_cookie(user)
 resp = await test_client.get(
- "/platform/users", params={"q": user.get("username")}, cookies=session_cookie
+ "/platform/users",
+ params={"q": user.get("username")},
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert isinstance(resp.json(), list)
@@ -31,7 +32,8 @@ async def test_platform_users(
 assert "name" in resp.json()[0]
 assert "isActive" not in resp.json()[0]
 resp = await test_client.get(
- "/platform/users", params={"q": "nonsense"}, cookies=session_cookie
+ "/platform/users",
+ params={"q": "nonsense"},
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert isinstance(resp.json(), list)
@@ -46,11 +48,10 @@ async def test_update_platform_settings(
 get_session_cookie,
 ):
 user = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(user)
+ await get_session_cookie(user)
 resp = await test_client.patch(
 "/platform/settings",
 json={"availableLocales": ["enUS"]},
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert isinstance(resp.json(), dict)
@@ -80,13 +81,12 @@ async def test_crud_segment(
 get_session_cookie,
 ):
 user = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(user)
+ await get_session_cookie(user)
 # create segment
 resp = await test_client.post(
 "/platform/segments",
 json={"key": "foo", "locale": "*", "title": "Foo", "html": "

Foo

"},
- cookies=session_cookie,
 )
 assert resp.status_code == 201, status_fail_msg(201, resp)
 assert isinstance(resp.json(), dict)
@@ -97,7 +97,6 @@ async def test_crud_segment(
 resp = await test_client.patch(
 f"/platform/segments/{resp.json()['id']}",
 json={"title": "Bar"},
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert isinstance(resp.json(), dict)
@@ -107,6 +106,5 @@ async def test_crud_segment(
 # delete segment
 resp = await test_client.delete(
 f"/platform/segments/{resp.json()['id']}",
- cookies=session_cookie,
 )
 assert resp.status_code == 204, status_fail_msg(204, resp)
diff --git a/Tekst-API/tests/test_api_resource.py b/Tekst-API/tests/test_api_resource.py
index 885e2a4b..2f4dde51 100644
--- a/Tekst-API/tests/test_api_resource.py
+++ b/Tekst-API/tests/test_api_resource.py
@@ -13,7 +13,7 @@ async def test_create_resource(
 ):
 text_id = (await insert_sample_data("texts", "nodes"))["texts"][0]
 user_data = await register_test_user()
- session_cookie = await get_session_cookie(user_data)
+ await get_session_cookie(user_data)
 payload = {
 "title": "A test resource",
 "description": [
@@ -28,7 +28,10 @@ async def test_create_resource(
 "ownerId": user_data["id"],
 }
- resp = await test_client.post("/resources", json=payload, cookies=session_cookie)
+ resp = await test_client.post(
+ "/resources",
+ json=payload,
+ )
 assert resp.status_code == 201, status_fail_msg(201, resp)
 assert "id" in resp.json()
 assert resp.json()["title"] == "A test resource"
@@ -49,7 +52,7 @@ async def test_create_resource_invalid(
 ):
 await insert_sample_data("texts", "nodes")
 user_data = await register_test_user()
- session_cookie = await get_session_cookie(user_data)
+ await get_session_cookie(user_data)
 payload = {
 "title": "A test resource",
@@ -58,7 +61,10 @@ async def test_create_resource_invalid(
 "resourceType": "plaintext",
 }
- resp = await test_client.post("/resources", json=payload, cookies=session_cookie)
+ resp = await test_client.post(
+ "/resources",
+ json=payload,
+ )
 assert resp.status_code == 400, status_fail_msg(400, resp)
@@ -72,7 +78,7 @@ async def test_update_resource(
 ):
 text_id = (await insert_sample_data("texts", "nodes", "resources"))["texts"][0]
 user_data = await register_test_user()
- session_cookie = await get_session_cookie(user_data)
+ await get_session_cookie(user_data)
 # create new resource (because only owner can update(write))
 payload = {
 "title": "Foo Bar Baz",
@@ -81,7 +87,10 @@ async def test_update_resource(
 "resourceType": "plaintext",
 "public": True,
 }
- resp = await test_client.post("/resources", json=payload, cookies=session_cookie)
+ resp = await test_client.post(
+ "/resources",
+ json=payload,
+ )
 assert resp.status_code == 201, status_fail_msg(201, resp)
 resource_data = resp.json()
 assert "id" in resource_data
@@ -92,7 +101,6 @@ async def test_update_resource(
 resp = await test_client.patch(
 f"/resources/{resource_data['id']}",
 json=updates,
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert isinstance(resp.json(), dict)
@@ -104,7 +112,6 @@ async def test_update_resource(
 resp = await test_client.patch(
 f"/resources/{resource_data['id']}",
 json=updates,
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert isinstance(resp.json(), dict)
@@ -132,7 +139,7 @@ async def test_create_resource_with_forged_owner_id(
 ):
 text_id = (await insert_sample_data("texts", "nodes"))["texts"][0]
 user_data = await register_test_user()
- session_cookie = await get_session_cookie(user_data)
+ await get_session_cookie(user_data)
 # create new resource with made up owner ID
 payload = {
 "title": "Foo Bar Baz",
@@ -141,7 +148,10 @@ async def test_create_resource_with_forged_owner_id(
 "resourceType": "plaintext",
 "ownerId": "643d3cdc21efd6c46ae1527e",
 }
- resp = await test_client.post("/resources", json=payload, cookies=session_cookie)
+ resp = await test_client.post(
+ "/resources",
+ json=payload,
+ )
 assert resp.status_code == 201, status_fail_msg(201, resp)
 assert resp.json()["ownerId"] != payload["ownerId"]
@@ -186,10 +196,10 @@ async def test_access_private_resource(
 accessible_unauthorized = len(resp.json())
 # register test superuser
 user_data = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(user_data)
+ await get_session_cookie(user_data)
 # unpublish
 resp = await test_client.post(
- f"/resources/{resource_id}/unpublish", cookies=session_cookie
+ f"/resources/{resource_id}/unpublish",
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 # logout
@@ -239,7 +249,7 @@ async def test_propose_unpropose_publish_unpublish_resource(
 ):
 text_id = (await insert_sample_data("texts", "nodes", "resources"))["texts"][0]
 user_data = await register_test_user()
- session_cookie = await get_session_cookie(user_data)
+ await get_session_cookie(user_data)
 # create new resource (because only owner can update(write))
 payload = {
 "title": "Foo Bar Baz",
@@ -248,24 +258,25 @@ async def test_propose_unpropose_publish_unpublish_resource(
 "resourceType": "plaintext",
 "ownerId": user_data.get("id"),
 }
- resp = await test_client.post("/resources", json=payload, cookies=session_cookie)
+ resp = await test_client.post(
+ "/resources",
+ json=payload,
+ )
 assert resp.status_code == 201, status_fail_msg(201, resp)
 resource_data = resp.json()
 assert "id" in resource_data
 assert "ownerId" in resource_data
 # become superuser
 user_data = await register_test_user(is_superuser=True, alternative=True)
- session_cookie = await get_session_cookie(user_data)
+ await get_session_cookie(user_data)
 # publish unproposed resource
 resp = await test_client.post(
 f"/resources/{resource_data['id']}/publish",
- cookies=session_cookie,
 )
 assert resp.status_code == 400, status_fail_msg(400, resp)
 # propose resource
 resp = await test_client.post(
 f"/resources/{resource_data['id']}/propose",
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 # get all accessible resources, check if ours is proposed
@@ -278,37 +289,31 @@ async def test_propose_unpropose_publish_unpublish_resource(
 # propose resource again (should just go through)
 resp = await test_client.post(
 f"/resources/{resource_data['id']}/propose",
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 # publish resource
 resp = await test_client.post(
 f"/resources/{resource_data['id']}/publish",
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 # unpublish resource
 resp = await test_client.post(
 f"/resources/{resource_data['id']}/unpublish",
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 # unpublish resource again (should just go through)
 resp = await test_client.post(
 f"/resources/{resource_data['id']}/unpublish",
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 # propose resource again
 resp = await test_client.post(
 f"/resources/{resource_data['id']}/propose",
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 # unpropose resource
 resp = await test_client.post(
 f"/resources/{resource_data['id']}/unpropose",
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
@@ -331,17 +336,20 @@ async def test_delete_resource(
 resources_count = len(resp.json())
 # register test superuser
 user_data = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(user_data)
+ await get_session_cookie(user_data)
 # delete resource
- resp = await test_client.delete(f"/resources/{resource_id}", cookies=session_cookie)
+ resp = await test_client.delete(
+ f"/resources/{resource_id}",
+ )
 assert resp.status_code == 400, status_fail_msg(400, resp)
 # unpublish resource
 resp = await test_client.post(
 f"/resources/{resource_id}/unpublish",
- cookies=session_cookie,
 )
 # delete resource
- resp = await test_client.delete(f"/resources/{resource_id}", cookies=session_cookie)
+ resp = await test_client.delete(
+ f"/resources/{resource_id}",
+ )
 assert resp.status_code == 204, status_fail_msg(204, resp)
 # get all accessible resources again
 resp = await test_client.get("/resources", params={"textId": text_id})
@@ -364,25 +372,22 @@ async def test_transfer_resource(
 user_data = await register_test_user(is_superuser=False)
 # register test superuser
 superuser_data = await register_test_user(alternative=True, is_superuser=True)
- session_cookie = await get_session_cookie(superuser_data)
+ await get_session_cookie(superuser_data)
 # transfer resource that is still public to test user
 resp = await test_client.post(
 f"/resources/{resource_id}/transfer",
 json=user_data["id"],
- cookies=session_cookie,
 )
 assert resp.status_code == 400, status_fail_msg(400, resp)
 # unpublish resource
 resp = await test_client.post(
 f"/resources/{resource_id}/unpublish",
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 # transfer resource to test user
 resp = await test_client.post(
 f"/resources/{resource_id}/transfer",
 json=user_data["id"],
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert isinstance(resp.json(), dict)
@@ -401,10 +406,10 @@ async def test_get_resource_template(
 resource_id = inserted_ids["resources"][0]
 # register regular test user
 user_data = await register_test_user(is_superuser=False)
- session_cookie = await get_session_cookie(user_data)
+ await get_session_cookie(user_data)
 # get resource template
 resp = await test_client.get(
- f"/resources/{resource_id}/template", cookies=session_cookie
+ f"/resources/{resource_id}/template",
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert isinstance(resp.json(), dict)
diff --git a/Tekst-API/tests/test_api_text.py b/Tekst-API/tests/test_api_text.py
index 5737a425..ca9a38f3 100644
--- a/Tekst-API/tests/test_api_text.py
+++ b/Tekst-API/tests/test_api_text.py
@@ -29,19 +29,25 @@ async def test_create_text(
 get_session_cookie,
 ):
 superuser_data = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(superuser_data)
+ await get_session_cookie(superuser_data)
 payload = {
 "title": "Just a Test",
 "slug": "justatest",
 "levels": [[{"locale": "enUS", "translation": "foo"}]],
 }
- resp = await test_client.post("/texts", json=payload, cookies=session_cookie)
+ resp = await test_client.post(
+ "/texts",
+ json=payload,
+ )
 assert resp.status_code == 201, status_fail_msg(201, resp)
 assert "id" in resp.json()
 assert "slug" in resp.json()
 assert resp.json()["slug"] == "justatest"
 # create duplicate
- resp = await test_client.post("/texts", json=payload, cookies=session_cookie)
+ resp = await test_client.post(
+ "/texts",
+ json=payload,
+ )
 assert resp.status_code == 409, status_fail_msg(409, resp)
@@ -53,9 +59,12 @@ async def test_create_text_unauthorized(
 get_session_cookie,
 ):
 user_data = await register_test_user() # not a superuser (=unauthorized)!
- session_cookie = await get_session_cookie(user_data)
+ await get_session_cookie(user_data)
 payload = {"title": "Meow", "slug": "meow", "levels": ["meow"]}
- resp = await test_client.post("/texts", json=payload, cookies=session_cookie)
+ resp = await test_client.post(
+ "/texts",
+ json=payload,
+ )
 assert resp.status_code == 403, status_fail_msg(403, resp)
@@ -90,11 +99,12 @@ async def test_update_text(
 assert resp.status_code == 401, status_fail_msg(401, resp)
 # create superuser
 superuser_data = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(superuser_data)
+ await get_session_cookie(superuser_data)
 # update text
 text_update = {"title": "Another text"}
 resp = await test_client.patch(
- f"/texts/{text['id']}", json=text_update, cookies=session_cookie
+ f"/texts/{text['id']}",
+ json=text_update,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert "id" in resp.json()
@@ -103,13 +113,15 @@ async def test_update_text(
 assert resp.json()["title"] == "Another text"
 # update unchanged text
 resp = await test_client.patch(
- f"/texts/{text['id']}", json=text_update, cookies=session_cookie
+ f"/texts/{text['id']}",
+ json=text_update,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 # update invalid text
 text_update = {"title": "Yet another text"}
 resp = await test_client.patch(
- "/texts/637b9ad396d541a505e5439b", json=text_update, cookies=session_cookie
+ "/texts/637b9ad396d541a505e5439b",
+ json=text_update,
 )
 assert resp.status_code == 400, status_fail_msg(400, resp)
@@ -127,12 +139,11 @@ async def test_delete_text(
 # create superuser
 superuser_data = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(superuser_data)
+ await get_session_cookie(superuser_data)
 # delete text
 resp = await test_client.delete(
 f"/texts/{text_id}",
- cookies=session_cookie,
 )
 assert resp.status_code == 204, status_fail_msg(204, resp)
@@ -150,12 +161,11 @@ async def test_download_structure_template(
 # create superuser
 superuser_data = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(superuser_data)
+ await get_session_cookie(superuser_data)
 # delete text
 resp = await test_client.get(
 f"/texts/{text_id}/template",
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
@@ -172,7 +182,7 @@ async def test_insert_level(
 # create superuser
 superuser_data = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(superuser_data)
+ await get_session_cookie(superuser_data)
 # get text from db
 resp = await test_client.get("/texts")
@@ -189,7 +199,6 @@ async def test_insert_level(
 {"locale": "enUS", "translation": "A level"},
 {"locale": "deDE", "translation": "Eine Ebene"},
 ],
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert "id" in resp.json()
@@ -202,7 +211,6 @@ async def test_insert_level(
 {"locale": "enUS", "translation": "Another level"},
 {"locale": "deDE", "translation": "Eine weitere Ebene"},
 ],
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert "id" in resp.json()
@@ -222,12 +230,11 @@ async def test_delete_top_level(
 # create superuser
 superuser_data = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(superuser_data)
+ await get_session_cookie(superuser_data)
 # delete level 0
 resp = await test_client.delete(
 f"/texts/{text_id}/level/0",
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert "id" in resp.json()
@@ -246,12 +253,11 @@ async def test_delete_bottom_level(
 # create superuser
 superuser_data = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(superuser_data)
+ await get_session_cookie(superuser_data)
 # delete level 1
 resp = await test_client.delete(
 f"/texts/{text_id}/level/1",
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert "id" in resp.json()
@@ -270,13 +276,12 @@ async def test_delete_middle_level(
 # create superuser
 superuser_data = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(superuser_data)
+ await get_session_cookie(superuser_data)
 # create extra level
 resp = await test_client.post(
 f"/texts/{text_id}/level/2",
 json=[{"locale": "*", "translation": "Some Level"}],
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert "id" in resp.json()
@@ -284,7 +289,6 @@ async def test_delete_middle_level(
 # delete level 1
 resp = await test_client.delete(
 f"/texts/{text_id}/level/1",
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert "id" in resp.json()
@@ -303,14 +307,13 @@ async def test_upload_structure(
 # create superuser
 superuser_data = await register_test_user(is_superuser=True)
- session_cookie = await get_session_cookie(superuser_data)
+ await get_session_cookie(superuser_data)
 # read structure file content
 with open(get_sample_data_path("structure/fdhdgg.json"), "rb") as f:
 # upload structure definition
 resp = await test_client.post(
 f"/texts/{text_id}/structure",
- cookies=session_cookie,
 files={"file": (f.name, f, "application/json")},
 )
diff --git a/Tekst-API/tests/test_api_unit.py b/Tekst-API/tests/test_api_unit.py
index ae2cb0fa..1dedf229 100644
--- a/Tekst-API/tests/test_api_unit.py
+++ b/Tekst-API/tests/test_api_unit.py
@@ -16,7 +16,7 @@ async def test_create_unit(
 inserted_ids = await insert_sample_data("texts", "nodes", "resources", "units")
 text_id = inserted_ids["texts"][0]
 user_data = await register_test_user()
- session_cookie = await get_session_cookie(user_data)
+ await get_session_cookie(user_data)
 # create new resource (because only owner can update(write))
 payload = {
@@ -26,7 +26,10 @@ async def test_create_unit(
 "resourceType": "plaintext",
 "ownerId": user_data.get("id"),
 }
- resp = await test_client.post("/resources", json=payload, cookies=session_cookie)
+ resp = await test_client.post(
+ "/resources",
+ json=payload,
+ )
 assert resp.status_code == 201, status_fail_msg(201, resp)
 resource_data = resp.json()
 assert "id" in resource_data
@@ -35,7 +38,8 @@ async def test_create_unit(
 # get ID of existing test node
 resp = await test_client.get(
- "/nodes", params={"textId": text_id, "level": 0}, cookies=session_cookie
+ "/nodes",
+ params={"textId": text_id, "level": 0},
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert isinstance(resp.json(), list)
@@ -51,7 +55,10 @@ async def test_create_unit(
 "text": "Ein Raabe geht im Feld spazieren.",
 "comment": "This is a comment",
 }
- resp = await test_client.post("/units", json=payload, cookies=session_cookie)
+ resp = await test_client.post(
+ "/units",
+ json=payload,
+ )
 assert resp.status_code == 201, status_fail_msg(201, resp)
 assert isinstance(resp.json(), dict)
 assert resp.json()["text"] == payload["text"]
@@ -60,17 +67,25 @@ async def test_create_unit(
 unit_id = resp.json()["id"]
 # fail to create duplicate
- resp = await test_client.post("/units", json=payload, cookies=session_cookie)
+ resp = await test_client.post(
+ "/units",
+ json=payload,
+ )
 assert resp.status_code == 409, status_fail_msg(409, resp)
 # fail to create unit for resource we don't have write access to
 invalid = payload.copy()
 invalid["resourceId"] = inserted_ids["resources"][0]
- resp = await test_client.post("/units", json=invalid, cookies=session_cookie)
+ resp = await test_client.post(
+ "/units",
+ json=invalid,
+ )
 assert resp.status_code == 401, status_fail_msg(401, resp)
 # get unit
- resp = await test_client.get(f"/units/{unit_id}", cookies=session_cookie)
+ resp = await test_client.get(
+ f"/units/{unit_id}",
+ )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert isinstance(resp.json(), dict)
 assert "id" in resp.json()
@@ -79,7 +94,7 @@ async def test_create_unit(
 # fail to get unit with invalid ID
 resp = await test_client.get(
- "/units/637b9ad396d541a505e5439b", cookies=session_cookie
+ "/units/637b9ad396d541a505e5439b",
 )
 assert resp.status_code == 404, status_fail_msg(404, resp)
@@ -87,7 +102,6 @@ async def test_create_unit(
 resp = await test_client.patch(
 f"/units/{unit_id}",
 json={"resourceType": "plaintext", "text": "FOO BAR"},
- cookies=session_cookie,
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert isinstance(resp.json(), dict)
@@ -99,7 +113,6 @@ async def test_create_unit(
 resp = await test_client.patch(
 "/units/637b9ad396d541a505e5439b",
 json={"resourceType": "plaintext", "text": "FOO BAR"},
- cookies=session_cookie,
 )
 assert resp.status_code == 400, status_fail_msg(400, resp)
@@ -111,7 +124,6 @@ async def test_create_unit(
 "text": "FOO BAR",
 "resourceId": "637b9ad396d541a505e5439b",
 },
- cookies=session_cookie,
 )
 assert resp.status_code == 400, status_fail_msg(400, resp)
@@ -129,13 +141,13 @@ async def test_create_unit(
 "resourceType": "plaintext",
 "text": "FOO BAR",
 },
- cookies=session_cookie,
 )
 assert resp.status_code == 401, status_fail_msg(401, resp)
 # find all units
 resp = await test_client.get(
- "/units", params={"limit": 100}, cookies=session_cookie
+ "/units",
+ params={"limit": 100},
 )
 assert resp.status_code == 200, status_fail_msg(200, resp)
 assert isinstance(resp.json(), list)