from fastapi import Depends
from fastapi_security import FastAPISecurity, HTTPBasicCredentials, User
from fastapi_security.basic import BasicAuthValidator, generate_digest
from ..helpers.jwks import dummy_audience, dummy_jwks_uri
def test_that_basic_auth_doesnt_validate_any_credentials_if_unconfigured():
    """A bare ``BasicAuthValidator`` with no credential list must reject every pair.

    This pins the fail-closed default: before any credentials are loaded the
    validator has nothing to compare against, so ``validate`` must return
    ``False`` rather than treating "nothing configured" as "anything goes".
    """
    unconfigured = BasicAuthValidator()
    submitted = HTTPBasicCredentials(username="johndoe", password="123")
    outcome = unconfigured.validate(submitted)
    assert outcome is False
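def test_that_uninitialized_basic_auth_doesnt_accept_any_credentials(app, client):
    """Basic Auth that was never initialised must reject every request.

    Only OAuth2 through JWKS is configured; ``init_basic_auth`` is deliberately
    not called. A request carrying an ``Authorization: Basic`` header must
    therefore still get a 401 -- configuring one scheme must not implicitly
    enable another, and there must be no default credentials to fall back on.

    Args:
        app: test FastAPI application fixture the route is registered on.
        client: test client fixture used to issue requests against ``app``.
    """
    security = FastAPISecurity()

    @app.get("/")
    def get_products(user: User = Depends(security.authenticated_user_or_401)):
        return []

    # NOTE: Basic Auth is never initialised (no init_basic_auth call), so it is disabled.
    # NOTE: OAuth2 via JWKS *is* initialised so the security object has a configured
    # scheme; this checks that an unrelated scheme does not switch Basic Auth on.
    security.init_oauth2_through_jwks(dummy_jwks_uri, audiences=[dummy_audience])

    # No credentials at all.
    resp = client.get("/")
    assert resp.status_code == 401

    # Arbitrary credentials.
    resp = client.get("/", auth=("username", "password"))
    assert resp.status_code == 401

    # Empty credentials must not be treated as "no check needed" either.
    resp = client.get("/", auth=("", ""))
    assert resp.status_code == 401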
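def test_that_basic_auth_rejects_incorrect_credentials(app, client):
    """Plain-text Basic Auth must reject anything but the exact configured pair.

    Beyond the obvious cases (no header, empty fields, both fields wrong) this
    also covers a correct username with a wrong *non-empty* password and
    passwords/usernames that are a prefix or superstring of the real value,
    so a comparison that only checks one field, only checks for non-empty
    input, or compares a prefix would be caught.

    Args:
        app: test FastAPI application fixture the route is registered on.
        client: test client fixture used to issue requests against ``app``.
    """
    security = FastAPISecurity()

    @app.get("/")
    def get_products(user: User = Depends(security.authenticated_user_or_401)):
        return []

    credentials = [{"username": "user", "password": "pass"}]
    security.init_basic_auth(credentials)

    # No Authorization header at all.
    resp = client.get("/")
    assert resp.status_code == 401

    # Each pair differs from the configured ("user", "pass") in a distinct way.
    rejected = [
        ("user", ""),          # right user, empty password
        ("", "pass"),          # empty user, right password
        ("abc", "123"),        # both wrong
        ("user", "wrong"),     # right user, wrong non-empty password
        ("user", "password"),  # right user, real password plus a suffix
        ("user", "pas"),       # right user, truncated password
        ("users", "pass"),     # real user plus a suffix, right password
    ]
    for username, password in rejected:
        resp = client.get("/", auth=(username, password))
        assert resp.status_code == 401, (username, password)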
def test_that_basic_auth_accepts_correct_credentials(app, client):
    """The exact configured plain-text username/password pair must be accepted (200).

    Args:
        app: test FastAPI application fixture the route is registered on.
        client: test client fixture used to issue requests against ``app``.
    """
    security = FastAPISecurity()

    def get_products(user: User = Depends(security.authenticated_user_or_401)):
        return []

    app.get("/")(get_products)

    configured_user, configured_password = "user", "pass"
    security.init_basic_auth(
        [{"username": configured_user, "password": configured_password}]
    )

    ok = client.get("/", auth=(configured_user, configured_password))
    assert ok.status_code == 200
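def test_that_basic_auth_with_digest_rejects_credentials_with_wrong_user_or_password(
    app, client
):
    """Digest-backed Basic Auth must reject anything but the exact configured pair.

    The credential store holds ``generate_digest("pass", salt="salt123")``
    rather than the clear-text password. In addition to the plain wrong/empty
    cases this checks that the stored digest itself is *not* usable as the
    password: a leaked credential store must not be directly replayable
    against the endpoint (the server is expected to digest whatever the client
    sends and compare that, so sending the digest must not match).

    Args:
        app: test FastAPI application fixture the route is registered on.
        client: test client fixture used to issue requests against ``app``.
    """
    security = FastAPISecurity()

    @app.get("/")
    def get_products(user: User = Depends(security.authenticated_user_or_401)):
        return []

    pass_digest = generate_digest("pass", salt="salt123")
    credentials = [{"username": "user", "password": pass_digest}]
    security.init_basic_auth_with_digest(credentials, salt="salt123")

    # No Authorization header at all.
    resp = client.get("/")
    assert resp.status_code == 401

    rejected = [
        ("user", ""),           # right user, empty password
        ("", "pass"),           # empty user, right password
        ("abc", "123"),         # both wrong
        ("user", "wrong"),      # right user, wrong non-empty password
        ("user", "password"),   # right user, real password plus a suffix
        ("users", "pass"),      # real user plus a suffix, right password
        ("user", pass_digest),  # stored digest presented as the password (replay)
    ]
    for username, password in rejected:
        resp = client.get("/", auth=(username, password))
        assert resp.status_code == 401, (username, password)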
def test_that_basic_auth_with_digest_rejects_credentials_when_salt_does_not_match(
    app, client
):
    """A digest produced under one salt must not validate when the server uses another.

    The stored digest is computed with ``"salt123"`` but the validator is
    initialised with ``"salt456"``, so the correct clear-text password must
    still be refused -- the salt is part of what is being verified.

    Args:
        app: test FastAPI application fixture the route is registered on.
        client: test client fixture used to issue requests against ``app``.
    """
    security = FastAPISecurity()

    def get_products(user: User = Depends(security.authenticated_user_or_401)):
        return []

    app.get("/")(get_products)

    stored_salt, server_salt = "salt123", "salt456"
    stored_digest = generate_digest("pass", salt=stored_salt)
    security.init_basic_auth_with_digest(
        [{"username": "user", "password": stored_digest}], salt=server_salt
    )

    denied = client.get("/", auth=("user", "pass"))
    assert denied.status_code == 401
def test_that_basic_auth_with_digest_accepts_correct_credentials(app, client):
    """The clear-text password matching the stored digest (same salt) must be accepted (200).

    Args:
        app: test FastAPI application fixture the route is registered on.
        client: test client fixture used to issue requests against ``app``.
    """
    security = FastAPISecurity()

    def get_products(user: User = Depends(security.authenticated_user_or_401)):
        return []

    app.get("/")(get_products)

    shared_salt = "salt123"
    clear_password = "pass"
    stored_digest = generate_digest(clear_password, salt=shared_salt)
    security.init_basic_auth_with_digest(
        [{"username": "user", "password": stored_digest}], salt=shared_salt
    )

    ok = client.get("/", auth=("user", clear_password))
    assert ok.status_code == 200