From 0807ae6b7caada569c8fab45c4f3403ff950b6d1 Mon Sep 17 00:00:00 2001
From: moson-mo <mo-son@mailbox.org>
Date: Thu, 25 May 2023 14:22:51 +0200
Subject: [PATCH] test: add tests for cookie handling

add a bunch of test cases to ensure our cookies work properly

Signed-off-by: moson-mo <mo-son@mailbox.org>
---
 test/test_cookies.py | 145 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 145 insertions(+)
 create mode 100644 test/test_cookies.py

diff --git a/test/test_cookies.py b/test/test_cookies.py
new file mode 100644
index 00000000..a0ace68f
--- /dev/null
+++ b/test/test_cookies.py
@@ -0,0 +1,145 @@
+from datetime import datetime
+
+import pytest
+from fastapi.testclient import TestClient
+
+from aurweb import config, db
+from aurweb.asgi import app
+from aurweb.models.account_type import USER_ID
+from aurweb.models.user import User
+from aurweb.testing.requests import Request
+
+# Some test global constants.
+TEST_USERNAME = "test"
+TEST_EMAIL = "test@example.org"
+TEST_REFERER = {
+    "referer": config.get("options", "aur_location") + "/login",
+}
+
+
+@pytest.fixture(autouse=True)
+def setup(db_test):
+    return
+
+
+@pytest.fixture
+def client() -> TestClient:
+    client = TestClient(app=app)
+
+    # Necessary for forged login CSRF protection on the login route. Set here
+    # instead of only on the necessary requests for convenience.
+    client.headers.update(TEST_REFERER)
+
+    # disable redirects for our tests
+    client.follow_redirects = False
+    yield client
+
+
+@pytest.fixture
+def user() -> User:
+    with db.begin():
+        user = db.create(
+            User,
+            Username=TEST_USERNAME,
+            Email=TEST_EMAIL,
+            RealName="Test User",
+            Passwd="testPassword",
+            AccountTypeID=USER_ID,
+        )
+    yield user
+
+
+def test_cookies_login(client: TestClient, user: User):
+    # Log in with "Remember me" disabled
+    data = {"user": user.Username, "passwd": "testPassword", "next": "/"}
+    with client as request:
+        resp = request.post("/login", data=data)
+
+    local_time = int(datetime.now().timestamp())
+    expected_timeout = local_time + config.getint("options", "login_timeout")
+    expected_permanent = local_time + config.getint(
+        "options", "permanent_cookie_timeout"
+    )
+
+    # Check if we got permanent cookies with expected expiry date.
+    # Allow 1 second difference to account for timing issues
+    # between the request and current time.
+    assert "AURSID", "AURREMEMBER" in resp.cookies
+    for cookie in resp.cookies.jar:
+        if cookie.name == "AURSID":
+            assert abs(cookie.expires - expected_timeout) < 2
+
+        if cookie.name == "AURREMEMBER":
+            assert abs(cookie.expires - expected_permanent) < 2
+
+    # Make some random http call.
+    # We should get an (updated) AURSID cookie with each request.
+    sid = resp.cookies.get("AURSID")
+    with client as request:
+        request.cookies = {"AURSID": sid}
+        resp = request.get("/")
+
+    assert "AURSID" in resp.cookies
+
+    # Log out
+    with client as request:
+        request.cookies = resp.cookies
+        resp = request.post("/logout", data=data)
+
+    # Make sure AURSID cookie is removed after logout
+    assert "AURSID" not in resp.cookies
+
+    # Log in with "Remember me" enabled
+    data = {
+        "user": user.Username,
+        "passwd": "testPassword",
+        "next": "/",
+        "remember_me": "True",
+    }
+    with client as request:
+        resp = request.post("/login", data=data)
+
+    # Check if we got a permanent cookie with expected expiry date.
+    # Allow 1 second difference to account for timing issues
+    # between the request and current time.
+    expected_persistent = local_time + config.getint(
+        "options", "persistent_cookie_timeout"
+    )
+    assert "AURSID" in resp.cookies
+    for cookie in resp.cookies.jar:
+        if cookie.name in "AURSID":
+            assert abs(cookie.expires - expected_persistent) < 2
+
+
+def test_cookie_language(client: TestClient, user: User):
+    # Unauthenticated reqeuests should set AURLANG cookie
+    data = {"set_lang": "en", "next": "/"}
+    with client as request:
+        resp = request.post("/language", data=data)
+
+    local_time = int(datetime.now().timestamp())
+    expected_permanent = local_time + config.getint(
+        "options", "permanent_cookie_timeout"
+    )
+
+    # Make sure we got an AURLANG cookie
+    assert "AURLANG" in resp.cookies
+    assert resp.cookies.get("AURLANG") == "en"
+
+    # Check if we got a permanent cookie with expected expiry date.
+    # Allow 1 second difference to account for timing issues
+    # between the request and current time.
+    for cookie in resp.cookies.jar:
+        if cookie.name in "AURLANG":
+            assert abs(cookie.expires - expected_permanent) < 2
+
+    # Login and change the language
+    # We should not get a cookie since we store
+    # our language setting in the DB anyways
+    sid = user.login(Request(), "testPassword")
+    data = {"set_lang": "en", "next": "/"}
+    with client as request:
+        request.cookies = {"AURSID": sid}
+        resp = request.post("/language", data=data)
+
+    assert "AURLANG" not in resp.cookies