django/tests/auth_tests/test_middleware.py

from django.contrib.auth.middleware import AuthenticationMiddleware
from django.contrib.auth.models import User
from django.core.exceptions import ImproperlyConfigured
from django.http import HttpRequest, HttpResponse
from django.test import TestCase


class TestAuthenticationMiddleware(TestCase):
    @classmethod
    def setUpTestData(cls):
        cls.user = User.objects.create_user(
            "test_user", "test@example.com", "test_password"
        )

    def setUp(self):
        self.middleware = AuthenticationMiddleware(lambda req: HttpResponse())
        self.client.force_login(self.user)
        self.request = HttpRequest()
        self.request.session = self.client.session

    def test_no_password_change_doesnt_invalidate_session(self):
        self.request.session = self.client.session
        self.middleware(self.request)
        self.assertIsNotNone(self.request.user)
        self.assertFalse(self.request.user.is_anonymous)

    def test_changed_password_invalidates_session(self):
        # After password change, user should be anonymous
        self.user.set_password("new_password")
        self.user.save()
        self.middleware(self.request)
        self.assertIsNotNone(self.request.user)
        self.assertTrue(self.request.user.is_anonymous)
        # session should be flushed
        self.assertIsNone(self.request.session.session_key)

    def test_no_session(self):
        msg = (
            "The Django authentication middleware requires session middleware "
            "to be installed. Edit your MIDDLEWARE setting to insert "
            "'django.contrib.sessions.middleware.SessionMiddleware' before "
            "'django.contrib.auth.middleware.AuthenticationMiddleware'."
        )
        with self.assertRaisesMessage(ImproperlyConfigured, msg):
            self.middleware(HttpRequest())
Fixed #23939 -- Moved session verification out of SessionAuthenticationMiddleware. Thanks andrewbadr for the report and Carl Meyer for the review. 2014-12-03 20:33:44 +08:00			`from django.contrib.auth.middleware import AuthenticationMiddleware`
Fixed #21649 -- Added optional invalidation of sessions when user password changes. Thanks Paul McMillan, Aymeric Augustin, and Erik Romijn for reviews. 2014-04-01 08:16:09 +08:00			`from django.contrib.auth.models import User`
Refs #32508 -- Raised ImproperlyConfigured instead of using "assert" in middlewares. 2021-03-10 21:08:37 +08:00			`from django.core.exceptions import ImproperlyConfigured`
Refs #26601 -- Deprecated passing None as get_response arg to middleware classes. This is the new contract since middleware refactoring in Django 1.10. Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2019-09-27 01:06:35 +08:00			`from django.http import HttpRequest, HttpResponse`
Refs #31842 -- Removed DEFAULT_HASHING_ALGORITHM transitional setting. Per deprecation timeline. 2021-01-14 17:27:04 +08:00			`from django.test import TestCase`
Fixed #21649 -- Added optional invalidation of sessions when user password changes. Thanks Paul McMillan, Aymeric Augustin, and Erik Romijn for reviews. 2014-04-01 08:16:09 +08:00

Refs #23957 -- Required session verification per deprecation timeline. 2015-09-03 08:50:34 +08:00			`class TestAuthenticationMiddleware(TestCase):`
Refs #31395 -- Relied on setUpTestData() test data isolation in various tests. 2018-11-24 10:24:25 +08:00			`@classmethod`
			`def setUpTestData(cls):`
			`cls.user = User.objects.create_user(`
			`"test_user", "test@example.com", "test_password"`
			`)`

Fixed #21649 -- Added optional invalidation of sessions when user password changes. Thanks Paul McMillan, Aymeric Augustin, and Erik Romijn for reviews. 2014-04-01 08:16:09 +08:00			`def setUp(self):`
Refs #26601 -- Deprecated passing None as get_response arg to middleware classes. This is the new contract since middleware refactoring in Django 1.10. Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2019-09-27 01:06:35 +08:00			`self.middleware = AuthenticationMiddleware(lambda req: HttpResponse())`
Refs #23957 -- Required session verification per deprecation timeline. 2015-09-03 08:50:34 +08:00			`self.client.force_login(self.user)`
Fixed #23939 -- Moved session verification out of SessionAuthenticationMiddleware. Thanks andrewbadr for the report and Carl Meyer for the review. 2014-12-03 20:33:44 +08:00			`self.request = HttpRequest()`
			`self.request.session = self.client.session`

Refs #23957 -- Required session verification per deprecation timeline. 2015-09-03 08:50:34 +08:00			`def test_no_password_change_doesnt_invalidate_session(self):`
			`self.request.session = self.client.session`
Refs #26601 -- Deprecated passing None as get_response arg to middleware classes. This is the new contract since middleware refactoring in Django 1.10. Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2019-09-27 01:06:35 +08:00			`self.middleware(self.request)`
Refs #27468 -- Made user sessions use SHA-256 algorithm. 2020-04-29 22:45:00 +08:00			`self.assertIsNotNone(self.request.user)`
			`self.assertFalse(self.request.user.is_anonymous)`

Refs #23957 -- Required session verification per deprecation timeline. 2015-09-03 08:50:34 +08:00			`def test_changed_password_invalidates_session(self):`
			`# After password change, user should be anonymous`
Fixed #23939 -- Moved session verification out of SessionAuthenticationMiddleware. Thanks andrewbadr for the report and Carl Meyer for the review. 2014-12-03 20:33:44 +08:00			`self.user.set_password("new_password")`
			`self.user.save()`
Refs #26601 -- Deprecated passing None as get_response arg to middleware classes. This is the new contract since middleware refactoring in Django 1.10. Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2019-09-27 01:06:35 +08:00			`self.middleware(self.request)`
Fixed #23939 -- Moved session verification out of SessionAuthenticationMiddleware. Thanks andrewbadr for the report and Carl Meyer for the review. 2014-12-03 20:33:44 +08:00			`self.assertIsNotNone(self.request.user)`
Fixed #25847 -- Made User.is_(anonymous\|authenticated) properties. 2016-04-02 19:18:26 +08:00			`self.assertTrue(self.request.user.is_anonymous)`
Fixed #23939 -- Moved session verification out of SessionAuthenticationMiddleware. Thanks andrewbadr for the report and Carl Meyer for the review. 2014-12-03 20:33:44 +08:00			`# session should be flushed`
			`self.assertIsNone(self.request.session.session_key)`
Added tests for middlewares' checks. 2019-10-23 14:04:14 +08:00
			`def test_no_session(self):`
			`msg = (`
			`"The Django authentication middleware requires session middleware "`
			`"to be installed. Edit your MIDDLEWARE setting to insert "`
			`"'django.contrib.sessions.middleware.SessionMiddleware' before "`
			`"'django.contrib.auth.middleware.AuthenticationMiddleware'."`
			`)`
Refs #32508 -- Raised ImproperlyConfigured instead of using "assert" in middlewares. 2021-03-10 21:08:37 +08:00			`with self.assertRaisesMessage(ImproperlyConfigured, msg):`
Added tests for middlewares' checks. 2019-10-23 14:04:14 +08:00			`self.middleware(HttpRequest())`