moggers87
commented
2 years ago Hmm, that's rather odd. What you're doing is basically what we do with Inboxen and that works fine.
I'll look into this more and see if I can reproduce.
Open hanckmann opened 2 years ago
moggers87
commented
2 years ago Hmm, that's rather odd. What you're doing is basically what we do with Inboxen and that works fine.
I'll look into this more and see if I can reproduce.
moggers87
commented
2 years ago In fact, it's the same pattern we use on django-two-factor-auth itself: https://github.com/jazzband/django-two-factor-auth/blob/f427f59c03ba091cd1025ad304535e697492b0eb/tests/utils.py#L33-L40
hanckmann
commented
2 years ago Just to be sure I am not doing anything stupid... this is the full method I use for creating users and logging them in.
def create_default_users(self):
self.user1 = self.create_user(username="test1", email='test1@voorbeeld.nl')
self.user2 = self.create_user(username="test2", email='test2@example.com')
self.user3 = self.create_user(username="test3", email='test3@ejemplo.es')
self.superuser = self.create_user(
username="su",
email="su@test.nl",
is_staff=True,
is_superuser=True,
)
def create_user(self, username, password=None, email=None, is_staff=False, is_superuser=False, is_active=True):
if not password:
password = self.default_password
if not email:
email = f'{username}@test.nl'
return User.objects.create(
username=username,
password=password,
email=email,
is_staff=is_staff,
is_superuser=is_superuser,
is_active=is_active
)
def authenticate_user(self, user=None, mfa=False):
self.client.logout()
if user:
self.client.login(username=user.get_username(), password=self.default_password)
if mfa:
device = StaticDevice.objects.get_or_create(user=user)[0]
user.otp_device = device.persistent_id
user.save()
self.client.session[DEVICE_ID_SESSION_KEY] = device.persistent_id
self.client.session.save()Many of my endpoints are secured using custom permissions. One of the permissions I use (and returns False in tests for the superuser created and logged in as above) is:
class IsAdmin(permissions.BasePermission):
def has_permission(self, request, view):
return bool(request.user and request.user.is_staff and request.user.is_verified())I have checked and noticed that the request.user.is_verified() always returns False.
A lot of my tests are failing, so I do hope I can resolve this and understand where I go wrong... and notice that this only goes wrong during testing. The code works when testing manually.
hanckmann
commented
2 years ago Also, I am not sure if it might be related to: #518
Note that in my case the user does not switch between subdomains. So the cookie should be valid for only that specific subdomain. Hence, I have not changed the SESSION_COOKIE_DOMAIN value (it is not explicitly set in my configs).
Therefore I do not think the issues are related, but I want to be sure.
I have seen this issue, but the solution does not (seem to) work for me (anymore): #244
In my application users are onlly required to provide a second factor for the "admin site" and for a number of specific end-points. Therefore, during testing (pytest), I need to login a user with and without providing a second factor.
How do I do this?
My current approach, based on the answer in #244 , works as follows:
However, during tests the string "mfa set" is printed, but the endpoints return a 403 error. Manual testing confirms that the issue is in my test (or actually my authentication during the test).
Your Environment