In [1]:
import requests
from requests_toolbelt import MultipartEncoder
from requests_toolbelt.utils import dump
import os
import random
import string

def get_random_string(length):
    # choose from all lowercase letter
    letters = string.ascii_lowercase
    return''.join(random.choice(letters) for i in range(length))

def get_url(endpoint: string):
    return f"http://{host}:{port}/{endpoint}"

# Read in server host and port from environment variables
host = os.getenv('SERVER_HOST', 'localhost')
port = os.getenv('SERVER_PORT', '8070')

print(f"Server host: {host}, port: {port}")

session = requests.Session()

class User:
    def __init__(self, username, password):
        self.username = username
        self.password = password

    session_cookie: string = None
    prev_session_cookie: string = None

Server host: 0.0.0.0, port: 8070


In [2]:
# SIGNUP
# Create random username and password
username = get_random_string(10)
password = get_random_string(10)

user = User(username, password)

print(f"Username: {username}, password: {password}")

# Register user
m = MultipartEncoder(fields={
    'username': user.username,
    'password': user.password,
    'confirm_password': user.password,
})

try: 
    req = requests.Request('POST', get_url('signup'), data=m, headers={'Content-Type': m.content_type})
    prepared = req.prepare()
    response = session.send(prepared)
except requests.exceptions.RequestException as e:
    print(f"Error: {e}")
    exit(1)

signup_req_data = dump.dump_all(response)
print(signup_req_data.decode('utf-8'))

Username: teuayouqpj, password: dfrrovwdwf
< POST /signup HTTP/1.1
< Host: 0.0.0.0:8070
< Content-Type: multipart/form-data; boundary=ed17abd2c18c49d79e755e70286ed150
< Content-Length: 343
< 
<< Request body is not a string-like type >>

> HTTP/1.1 200 OK
> Date: Wed, 11 Dec 2024 05:14:52 GMT
> Content-Type: text/html; charset=utf-8
> Transfer-Encoding: chunked
> 
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet">
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.6.0/css/all.min.css" integrity="sha512-Kc323vGBEqzTmouAECnVceyQqyqdsSiqLQISBL29aUW4U/M7pSPA/gEUZQqv1cwx4OnYxTxve5UMg5GT6L4JJg==" crossorigin="anonymous" referrerpolicy="no-referrer" />
    <script src="https://unpkg.com/htmx.org@1.9.12"></

In [3]:
# LOGIN
# Register user
m = MultipartEncoder(fields={
    'username': user.username,
    'password': user.password
})

try: 
    req = requests.Request('POST', get_url('login'), data=m, headers={'Content-Type': m.content_type})
    prepared = req.prepare()
    response = session.send(prepared)
except requests.exceptions.RequestException as e:
    print(f"Error: {e}")
    exit(1)

login_req_data = dump.dump_all(response)
# print(login_req_data.decode('utf-8'))

user.session_cookie = response.cookies['session']
print(f"Session: {user.session_cookie}")

Session: MTczMzg5NDA5MnxEWDhFQVFMX2dBQUJFQUVRQUFBZ180QUFBUVp6ZEhKcGJtY01DUUFIZFhObGNsOXBaQVZwYm5Rek1nUUNBQ3c9fKHNvPgPEEbVl0xdN-2ymYxFIZ3OtxxuriZMQPvSidxu


In [4]:
# LOGOUT
try:
    req = requests.Request('POST', get_url('logout'), cookies={'session': user.session_cookie})
    prepared = req.prepare()
    response = session.send(prepared)
except requests.exceptions.RequestException as e:
    print(f"Error: {e}")
    exit(1)

logout_req_data = dump.dump_all(response)
#print(logout_req_data.decode('utf-8'))

# New session cookie has been set
user.prev_session_cookie = user.session_cookie
user.session_cookie = session.cookies.get('session')
print(f'Previous session cookie: {user.prev_session_cookie}, new session cookie: {user.session_cookie}')

print(logout_req_data.decode('utf-8'))

Previous session cookie: MTczMzg5NDA5MnxEWDhFQVFMX2dBQUJFQUVRQUFBZ180QUFBUVp6ZEhKcGJtY01DUUFIZFhObGNsOXBaQVZwYm5Rek1nUUNBQ3c9fKHNvPgPEEbVl0xdN-2ymYxFIZ3OtxxuriZMQPvSidxu, new session cookie: MTczMzg5NDA5MnxEWDhFQVFMX2dBQUJFQUVRQUFBWF80QUFBUVp6ZEhKcGJtY01DUUFIZFhObGNsOXBaQUE9fJrL7n1QoDlfKPlEADuNXoeaaGxSeSD2aYjJ4ClAnajF
< POST /logout HTTP/1.1
< Host: 0.0.0.0:8070
< Cookie: session=MTczMzg5NDA5MnxEWDhFQVFMX2dBQUJFQUVRQUFBZ180QUFBUVp6ZEhKcGJtY01DUUFIZFhObGNsOXBaQVZwYm5Rek1nUUNBQ3c9fKHNvPgPEEbVl0xdN-2ymYxFIZ3OtxxuriZMQPvSidxu
< Content-Length: 0
< 

> HTTP/1.1 303 See Other
> Location: /login
> Set-Cookie: session=MTczMzg5NDA5MnxEWDhFQVFMX2dBQUJFQUVRQUFBWF80QUFBUVp6ZEhKcGJtY01DUUFIZFhObGNsOXBaQUE9fJrL7n1QoDlfKPlEADuNXoeaaGxSeSD2aYjJ4ClAnajF; Expires=Wed, 11 Dec 2024 06:14:52 GMT; Max-Age=3600; HttpOnly; SameSite=Lax
> Date: Wed, 11 Dec 2024 05:14:52 GMT
> Content-Length: 0
> 
< GET /login HTTP/1.1
< Host: 0.0.0.0:8070
< Cookie: session=MTczMzg5NDA5MnxEWDhFQVFMX2dBQUJFQUVRQUFBZ180QUFBUVp6ZE

In [13]:
# ATTEMPT /files request with old session cookie
try:
    req = requests.Request('GET', get_url('files'), cookies={'session': user.prev_session_cookie})
    prepared = req.prepare()
    response = session.send(prepared)
except requests.exceptions.RequestException as e:
    print(f"Error: {e}")
    exit(1)

files_req_data = dump.dump_all(response)
print(files_req_data.decode('utf-8'))

# Step 2: Assert that the request fails
assert response.status_code != 200, f"Unauthorized user can perform user actions"
print("Assertion passed: Request with old session token failed as expected.")

< GET /files HTTP/1.1
< Host: 0.0.0.0:8070
< Cookie: session=MTczMzg5NDA5MnxEWDhFQVFMX2dBQUJFQUVRQUFBZ180QUFBUVp6ZEhKcGJtY01DUUFIZFhObGNsOXBaQVZwYm5Rek1nUUNBQ3c9fKHNvPgPEEbVl0xdN-2ymYxFIZ3OtxxuriZMQPvSidxu
< 

> HTTP/1.1 200 OK
> Date: Wed, 11 Dec 2024 05:24:34 GMT
> Content-Type: text/html; charset=utf-8
> Transfer-Encoding: chunked
> 
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet">
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.6.0/css/all.min.css" integrity="sha512-Kc323vGBEqzTmouAECnVceyQqyqdsSiqLQISBL29aUW4U/M7pSPA/gEUZQqv1cwx4OnYxTxve5UMg5GT6L4JJg==" crossorigin="anonymous" referrerpolicy="no-referrer" />
    <script src="https://unpkg.com/htmx.org@1.9.12"></script>
    <link rel="style

AssertionError: Unauthorized user can perform user actions