From 317043738ef1944ab132820465feb61e3c5e3393 Mon Sep 17 00:00:00 2001
From: Dennis Lee
Date: Tue, 5 Mar 2024 18:44:46 +0800
Subject: [PATCH] Refactor session tests and add test cases for invalid token payloads
---
 .github/workflows/tests.yml | 2 +-
 TODO.md | 13 ++++++-------
 tests/auth/test_session.py | 21 +++++++++++++++++----
 3 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index a0f292d..228f0bd 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -8,7 +8,7 @@ jobs:
 fail-fast: false
 matrix:
 python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
- os: [ubuntu-latest, macos-latest, windows-latest]
+ os: [ubuntu-latest, windows-latest, macos-latest]
 runs-on: ${{ matrix.os }}
 steps:
 - uses: actions/checkout@v4
diff --git a/TODO.md b/TODO.md
index 1b6c818..b95f3ba 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,22 +1,21 @@
 # TODO List
 ## General
 - [x] add code coverage to SonarQube
-- [x] add SonarQube quality gate badge
-- [x] add code coverage score badge
-- [ ] add pylint score badge in Github
+- [x] add SonarQube quality gate & code coverage score badge at README.md
+- [x] add pylint & pytest Github workflows
 ## Auth
 - [ ] when login, allow "Remember me"
- - No remember me, access token expiry in 15mins, refresh token expiry in 1 hour
- - Remember me, access token expiry in 1 day, refresh token expiry in 2 weeks
+ - No remember me, access token expiry in `15mins`, refresh token expiry in `1 hour`
+ - Remember me, access token expiry in `1 day`, refresh token expiry in `2 weeks`
 - [ ] Token revocation
 - when user logged out, session will be revoked. Tokens of same session will be denied access.
 - active session info will be store in cache & database (same expiry time as the refresh token)
 - session cache
- - key: {user_id}{session_id}, value: SessionInfo
+ - key: `{user_id}{session_id}`, value: `SessionInfo`
 - valid tokens (whitelist tokens) will be store in cache (same expiry as the related token)
 - active token cache
- - key: {token_jti}, value: {"type": "access token", "sibling_id": "jti of sibling"}
+ - key: `{token_jti}`, value: `{"type": "access token", "sibling_id": "jti of sibling"}`
 - expiry same as the token
 - [ ] Token reply attack prevention
 - when user refreshes tokens, old tokens (access & refresh token) will be revoked. Refresh token are for single use only
diff --git a/tests/auth/test_session.py b/tests/auth/test_session.py
index 3eb5d9c..1fce720 100644
--- a/tests/auth/test_session.py
+++ b/tests/auth/test_session.py
@@ -97,15 +97,24 @@ async def test_update_last_activity():
 print("Session not exists, creating session in cache...")
 await create_session_in_cache(user_id=user_id, session_id=session_id)
- # Create a payload with the user_id and session_id
- payload = {"sub": user_id, "sid": session_id}
+ # Create a valid token payload
+ token_payload = {"sub": user_id, "sid": session_id}
- # Call the function with the payload
- result = await update_last_activity(payload)
+ # update existing session last activity
+ result = await update_last_activity(token_payload)
 # Assert that the result is True, indicating the session was successfully updated
 assert result is True
+ # Create a invalid token payload (fake session id)
+ token_payload = {"sub": user_id, "sid": "session-" + str(uuid.uuid4())[8:]}
+
+ # update non-existing session last activity
+ result = await update_last_activity(token_payload)
+
+ # Assert that the result is False, indicating the session was not updated
+ assert result is False
+
 @pytest.mark.asyncio
 async def test_remove():
 """
@@ -120,6 +129,10 @@ async def test_remove():
 # Assert that the result is 1, indicating one session was successfully removed
 assert result == 1
+ # expect raise ValueError
+ with pytest.raises(ValueError) as exc_info:
+ await remove("", session_id)
+
 @pytest.mark.asyncio
 async def test_retrieve_by_userid():
 """
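Review bot: The new negative case in test_update_last_activity only shows that an unknown session id is rejected; a real `session_id` presented with a different `sub` is not exercised, so an implementation that looks the session up by id alone and ignores the user would still pass this test. After `assert result is False`, add `result = await update_last_activity({"sub": OTHER_USER_ID, "sid": session_id})` and `assert result is False`, where OTHER_USER_ID is a placeholder for a second user id in whatever shape `user_id` takes in this file. The fake id also relies on `uuid` being imported at module level, which is outside the hunk, as is the start of the function. The comment `# Create a invalid token payload (fake session id)` should read `# Create an invalid token payload (fake session id)`.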
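Review bot: `exc_info` on the new `with pytest.raises(ValueError) as exc_info:` line in test_remove is never used, so the test accepts any ValueError regardless of its cause and the unused name will be flagged by linters. Either drop the alias, `with pytest.raises(ValueError):`, or pin the reason with `with pytest.raises(ValueError, match=EXPECTED_MESSAGE):`, where EXPECTED_MESSAGE is a placeholder for the text `remove` raises for an empty user id. Only the empty user id is covered; if `remove` validates `session_id` the same way, which I cannot confirm from the hunk, `await remove(user_id, "")` deserves the same assertion. test_remove starts outside the hunk.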