dash-auth/tests/test_basic_auth_integration.py at f5f19e91b07acee9dba34eece215ac7f073ba706 · plotly/dash-auth · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
from dash import Dash, Input, Output, dcc, html
import requests
import pytest
from dash_auth import BasicAuth, add_public_routes, protected


TEST_USERS = {
    "valid": [
        ["hello", "world"],
        ["hello2", "wo:rld"]
    ],
    "invalid": [
        ["hello", "password"]
    ],
}


@pytest.mark.parametrize(
    "kwargs",
    [
        {},
        {"url_base_pathname": "/app/"},
        {"routes_pathname_prefix": "/app/"},
        {"routes_pathname_prefix": "/app/", "requests_pathname_prefix": "/app/"},
    ],
)
def test_ba001_basic_auth_login_flow(dash_br, dash_thread_server, kwargs):
    app = Dash(__name__, **kwargs)
    app.layout = html.Div([
        dcc.Input(id="input", value="initial value"),
        html.Div(id="output")
    ])

    @app.callback(Output("output", "children"), Input("input", "value"))
    def update_output(new_value):
        return new_value

    BasicAuth(app, TEST_USERS["valid"], public_routes=["/home"])
    add_public_routes(app, ["/user/<user_id>/public"])

    dash_thread_server(app)
    path_prefix = (
        app.config.get("url_base_pathname", "")
        or app.config.get("requests_pathname_prefix", "")
        or app.config.get("routes_pathname_prefix", "")
    )
    base_url = dash_thread_server.url + path_prefix

    def test_failed_views(url):
        assert requests.get(url).status_code == 401

    def test_successful_views(url):
        assert requests.get(url.strip("/") + "/_dash-layout").status_code == 200
        assert requests.get(url.strip("/") + "/home").status_code == 200
        assert requests.get(url.strip("/") + "/user/john123/public").status_code == 200

    test_failed_views(base_url)
    test_successful_views(base_url)

    for user, password in TEST_USERS["invalid"]:
        test_failed_views(base_url.replace("//", f"//{user}:{password}@"))
        test_successful_views(base_url.replace("//", f"//{user}:{password}@"))

    # Test login for each user:
    for user, password in TEST_USERS["valid"]:
        # login using the URL instead of the alert popup
        # selenium has no way of accessing the alert popup
        dash_br.driver.get(base_url.replace("//", f"//{user}:{password}@"))

        # the username:password@host url doesn"t work right now for dash
        # routes, but it saves the credentials as part of the browser.
        # visiting the page again will use the saved credentials
        dash_br.driver.get(base_url)
        dash_br.wait_for_text_to_equal("#output", "initial value")


@pytest.mark.parametrize(
    "kwargs",
    [
        {},
        {"url_base_pathname": "/app/"},
        {"routes_pathname_prefix": "/app/"},
        {"routes_pathname_prefix": "/app/", "requests_pathname_prefix": "/app/"},
    ],
)
def test_ba002_basic_auth_groups(dash_br, dash_thread_server, kwargs):
    app = Dash(__name__, **kwargs)
    app.layout = html.Div([
        dcc.Input(id="input", value="initial value"),
        html.Div(id="output")
    ])

    @app.callback(
        Output("output", "children"),
        Input("input", "value"),
        groups=["admin"],
    )
    @protected(
        unauthenticated_output="unauthenticated",
        missing_permissions_output="forbidden",
        groups=["admin"],
    )
    def update_output(new_value):
        return new_value

    BasicAuth(
        app,
        TEST_USERS["valid"],
        public_routes=["/home"],
        user_groups={"hello": ["admin"]},
        secret_key="Test!",
    )

    dash_thread_server(app)
    path_prefix = (
        app.config.get("url_base_pathname", "")
        or app.config.get("requests_pathname_prefix", "")
        or app.config.get("routes_pathname_prefix", "")
    )
    base_url = dash_thread_server.url + path_prefix

    for user, password in TEST_USERS["valid"]:
        # login using the URL instead of the alert popup
        # selenium has no way of accessing the alert popup
        dash_br.driver.get(base_url.replace("//", f"//{user}:{password}@"))

        # the username:password@host url doesn"t work right now for dash
        # routes, but it saves the credentials as part of the browser.
        # visiting the page again will use the saved credentials
        dash_br.driver.get(base_url)
        expected = "initial value" if user == "hello" else "forbidden"
        dash_br.wait_for_text_to_equal("#output", expected)