BTHLABS-50: Safari Web extension

Co-authored-by: Tomek Wójcik <labs@tomekwojcik.pl>
Co-committed-by: Tomek Wójcik <labs@tomekwojcik.pl>

services/backend/tests/ui/views/rpc/accounts/access_tokens/test_create.py

@@ -0,0 +1,154 @@
+# -*- coding: utf-8 -*-
+# type: ignore
+from __future__ import annotations
+
+import http
+import uuid
+
+from django.test import Client
+from django.urls import reverse
+import pytest
+
+from hotpocket_backend_testing.services.accounts import (
+    AccessTokensTestingService,
+)
+
+
+@pytest.fixture
+def origin():
+    return f'safari-web-extension://{uuid.uuid4()}'
+
+
+@pytest.fixture
+def auth_key():
+    return str(uuid.uuid4())
+
+
+@pytest.fixture
+def meta():
+    return {
+        'platform': 'MacIntel',
+        'version': '1987.10.03',
+    }
+
+
+@pytest.fixture
+def call(rpc_call_factory, auth_key, meta):
+    return rpc_call_factory(
+        'accounts.access_tokens.create',
+        [auth_key, meta],
+    )
+
+
+@pytest.mark.django_db
+def test_ok(authenticated_client: Client,
+            auth_key,
+            call,
+            origin,
+            account,
+            meta,
+            ):
+    # Given
+    session = authenticated_client.session
+    session['extension_auth_key'] = auth_key
+    session.save()
+
+    # When
+    result = authenticated_client.post(
+        reverse('ui.rpc'),
+        data=call,
+        content_type='application/json',
+        headers={
+            'Origin': origin,
+        },
+    )
+
+    # Then
+    assert result.status_code == http.HTTPStatus.OK
+
+    call_result = result.json()
+    assert 'error' not in call_result
+
+    AccessTokensTestingService().assert_created(
+        key=call_result['result'],
+        account_uuid=account.pk,
+        origin=origin,
+        meta=meta,
+    )
+
+    assert 'extension_auth_key' not in authenticated_client.session
+
+
+@pytest.mark.django_db
+def test_auth_key_missing(authenticated_client: Client,
+                          call,
+                          origin,
+                          ):
+    # When
+    result = authenticated_client.post(
+        reverse('ui.rpc'),
+        data=call,
+        content_type='application/json',
+        headers={
+            'Origin': origin,
+        },
+    )
+
+    # Then
+    assert result.status_code == http.HTTPStatus.OK
+
+    call_result = result.json()
+    assert 'error' in call_result
+    assert call_result['error']['data'] == 'Auth key missing'
+
+
+@pytest.mark.django_db
+def test_auth_key_mismatch(authenticated_client: Client,
+                           call,
+                           origin,
+                           ):
+    # Given
+    session = authenticated_client.session
+    session['extension_auth_key'] = 'thisisntright'
+    session.save()
+
+    # When
+    result = authenticated_client.post(
+        reverse('ui.rpc'),
+        data=call,
+        content_type='application/json',
+        headers={
+            'Origin': origin,
+        },
+    )
+
+    # Then
+    assert result.status_code == http.HTTPStatus.OK
+
+    call_result = result.json()
+    assert 'error' in call_result
+    assert call_result['error']['data'] == 'Auth key mismatch'
+
+
+@pytest.mark.django_db
+def test_inactive_account(inactive_account_client: Client, call):
+    # When
+    result = inactive_account_client.post(
+        reverse('ui.rpc'),
+        data=call,
+    )
+
+    # Then
+    assert result.status_code == http.HTTPStatus.FORBIDDEN
+
+
+@pytest.mark.django_db
+def test_anonymous(client: Client, call):
+    # When
+    result = client.post(
+        reverse('ui.rpc'),
+        data=call,
+    )
+
+    # Then
+    assert result.status_code == http.HTTPStatus.FORBIDDEN

services/backend/tests/ui/views/rpc/accounts/auth/test_check.py

@@ -0,0 +1,157 @@
+# -*- coding: utf-8 -*-
+# type: ignore
+from __future__ import annotations
+
+import http
+
+from django.test import Client
+from django.urls import reverse
+import pytest
+
+
+@pytest.fixture
+def call(rpc_call_factory):
+    return rpc_call_factory(
+        'accounts.auth.check',
+        [],
+    )
+
+
+@pytest.mark.django_db
+def test_ok_session_auth(authenticated_client: Client,
+                         call,
+                         ):
+    # When
+    result = authenticated_client.post(
+        reverse('ui.rpc'),
+        data=call,
+        content_type='application/json',
+    )
+
+    # Then
+    assert result.status_code == http.HTTPStatus.OK
+
+    call_result = result.json()
+    assert 'error' not in call_result
+    assert call_result['result'] is True
+
+
+@pytest.mark.django_db
+def test_session_auth_inactive_account(inactive_account_client: Client,
+                                       call,
+                                       ):
+    # When
+    result = inactive_account_client.post(
+        reverse('ui.rpc'),
+        data=call,
+    )
+
+    # Then
+    assert result.status_code == http.HTTPStatus.FORBIDDEN
+
+
+@pytest.mark.django_db
+def test_ok_access_token_auth(client: Client,
+                              call,
+                              access_token_out,
+                              ):
+    # When
+    result = client.post(
+        reverse('ui.rpc'),
+        data=call,
+        content_type='application/json',
+        headers={
+            'Authorization': f'Bearer {access_token_out.key}',
+        },
+    )
+
+    # Then
+    assert result.status_code == http.HTTPStatus.OK
+
+    call_result = result.json()
+    assert 'error' not in call_result
+    assert call_result['result'] is True
+
+
+@pytest.mark.django_db
+def test_access_token_auth_not_bearer(client: Client,
+                                      call,
+                                      access_token_out,
+                                      ):
+    # When
+    result = client.post(
+        reverse('ui.rpc'),
+        data=call,
+        headers={
+            'Authorization': f'thisisntright {access_token_out.key}',
+        },
+    )
+
+    # Then
+    assert result.status_code == http.HTTPStatus.FORBIDDEN
+
+
+@pytest.mark.django_db
+def test_access_token_auth_invalid_access_token(client: Client,
+                                                call,
+                                                null_uuid,
+                                                ):
+    # When
+    result = client.post(
+        reverse('ui.rpc'),
+        data=call,
+        headers={
+            'Authorization': f'Bearer {null_uuid}',
+        },
+    )
+
+    # Then
+    assert result.status_code == http.HTTPStatus.FORBIDDEN
+
+
+@pytest.mark.django_db
+def test_access_token_auth_deleted_access_token(client: Client,
+                                                call,
+                                                deleted_access_token,
+                                                ):
+    # When
+    result = client.post(
+        reverse('ui.rpc'),
+        data=call,
+        headers={
+            'Authorization': f'Bearer {deleted_access_token.key}',
+        },
+    )
+
+    # Then
+    assert result.status_code == http.HTTPStatus.FORBIDDEN
+
+
+@pytest.mark.django_db
+def test_access_token_auth_inactive_account(client: Client,
+                                            call,
+                                            inactive_account_access_token,
+                                            ):
+    # When
+    result = client.post(
+        reverse('ui.rpc'),
+        data=call,
+        headers={
+            'Authorization': f'Bearer {inactive_account_access_token.key}',
+        },
+    )
+
+    # Then
+    assert result.status_code == http.HTTPStatus.FORBIDDEN
+
+
+@pytest.mark.django_db
+def test_anonymous(client: Client, call):
+    # When
+    result = client.post(
+        reverse('ui.rpc'),
+        data=call,
+    )
+
+    # Then
+    assert result.status_code == http.HTTPStatus.FORBIDDEN