fix error related to mutating data while validating the challenge

dethos · May 12, 2020 · 5cba97f · 5cba97f
1 parent 62bb8d9
commit 5cba97f
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 10 deletions.
diff --git a/django_cryptolock/forms.py b/django_cryptolock/forms.py
@@ -32,13 +32,14 @@ def include_challenge(self):
             self.initial["challenge"] = new_challenge
 
     def clean_challenge(self):
-        challenge_uri = urlparse(self.cleaned_data.get("challenge"))
+        challenge = self.cleaned_data.get("challenge")
+        challenge_uri = urlparse(challenge)
         query = parse_qs(challenge_uri.query)
         if not query.get("x"):
             raise forms.ValidationError(_("Invalid or outdated challenge"))
 
-        challenge = query["x"][0]
-        if not challenge or not Challenge.objects.is_active(challenge):
+        token = query["x"][0]
+        if not token or not Challenge.objects.is_active(token):
             raise forms.ValidationError(_("Invalid or outdated challenge"))
 
         return challenge
@@ -51,7 +52,7 @@ class SimpleLoginForm(ChallengeMixin, forms.Form):
     signature = forms.CharField()
 
     error_messages = {
-        "invalid_login": _("Please enter a correct Monero address or signature."),
+        "invalid_login": _("Please enter a correct address or signature."),
         "inactive": _("This account is inactive."),
     }
 

diff --git a/django_cryptolock/utils.py b/django_cryptolock/utils.py
@@ -33,7 +33,6 @@ def verify_bitcoin_signature(
         warnings.warn(_("Please configure the bitcoin network in the settings file"))
     is_testnet = True if network == "testnet" else False
     callback_uri = request.build_absolute_uri()
-
     return bitid.challenge_valid(
         address, signature, challenge, callback_uri, is_testnet
     )

diff --git a/example/example/settings.py b/example/example/settings.py
@@ -121,7 +121,7 @@
 
 AUTHENTICATION_BACKENDS = [
     "django_cryptolock.backends.BitcoinAddressBackend",
-    "django_cryptolock.backends.MoneroAddressBackend",
+    # "django_cryptolock.backends.MoneroAddressBackend",
 ]
 DJCL_BITCOIN_NETWORK = "mainnet"
 DJCL_MONERO_NETWORK = "mainnet"

diff --git a/tests/test_forms.py b/tests/test_forms.py
@@ -200,9 +200,37 @@ def test_simplesignupform_invalid_addr():
     assert "Invalid address" in form.errors["address"]
 
 
-# def test_simplesignupform_invalid_challenge():
-#     pass
+def test_simplesignupform_invalid_challenge(settings):
+    set_bitcoin_settings(settings)
+    mommy.make(Challenge, challenge="12345678", expires=FUTURE_TIME)
+
+    request = MagicMock()
+    request.build_absolute_uri.return_value = "http://something/"
+    form = SimpleSignUpForm(
+        request=request,
+        data={
+            "username": "foo",
+            "address": VALID_BITCOIN_ADDRESS,
+            "challenge": gen_challenge(request, "1234567"),
+            "signature": "some valid signature",
+        },
+    )
+    assert not form.is_valid()
 
 
-# def test_simple_signupform_expired_challenge():
-#     pass
+def test_simplesignupform_expired_challenge(settings):
+    set_bitcoin_settings(settings)
+    mommy.make(Challenge, challenge="12345678", expires=timezone.now())
+
+    request = MagicMock()
+    request.build_absolute_uri.return_value = "http://something/"
+    form = SimpleSignUpForm(
+        request=request,
+        data={
+            "username": "foo",
+            "address": VALID_BITCOIN_ADDRESS,
+            "challenge": gen_challenge(request, "12345678"),
+            "signature": "some valid signature",
+        },
+    )
+    assert not form.is_valid()