2

I'm trying to write test cases for my class views that are secure behind django-two-factor-auth OTPRequiredMixin. I'm not sure how to write the setUp function to fully authenticate the user through OTP. I've tried self.client.force_login() but when I try to browse to that url in my test function, I am landing on the "Permission Denied" page that prompts to enable two-factor authentication for the user, instead of the expected url.

Permission Denied

The page you requested, enforces users to verify using two-factor authentication for security reasons. You need to enable these security features in order to access this page.

Two-factor authentication is not enabled for your account. Enable two-factor authentication for enhanced account security.

Here's an example of one of the class views:

class ProjectCreateView(OTPRequiredMixin, CreateView):
    model = Project
    template_name = 'project_create.html'
    fields = ['name', 'description']

And here's an example of my setup and a test:

class ProjectTestCase(TestCase):
    def setUp(self):
        self.user = get_user_model().objects.create(
            username='jsmith', first_name='John', last_name='Smith', email='johnsmith@test.com', password='secure'
        )
        [...]
        self.client.force_login(self.user)

    def test_project_create(self):
        response = self.client.post(
            '/project/create/', {'name': 'Test Project', 'description': 'A basic test project'}
        )
        self.assertEqual(response.status_code, 200)
Sunderam Dubey
  • 1
  • 11
  • 20
  • 40
damonmickelsen
  • 43
  • 4
  • You don't need to have two factor auths in your test environment. I suggest you maintain some configuration for your test where you use the default django authenticator (see: [this question](https://stackoverflow.com/questions/913549/how-to-unit-test-with-different-settings-in-django) for different settings for tests) – Nicolas Appriou Jun 30 '22 at 06:41
  • @NicolasAppriou; it is a bit strong to say that you do not need to test with MFA login. I have a similar question; I do not care what the second factor is, but some of my views require a second factor and others do not. How do I test for this difference? – Patrick Aug 18 '22 at 12:44

1 Answers1

1

I spent a while looking through the django-two-factor-auth source code to figure this out.

https://github.com/jazzband/django-two-factor-auth/blob/d7abfd74363ba27ceb5ea3c61a8784ebffb46c6c/tests/test_views_login.py#L21

The "test_with_backup_token" is where I found an example of what appears to be working for me. It basically creates a backup token and then uses it to complete 2FA authentication.



from django_otp.util import random_hex



# Create your tests here.
class WonderfulTestCase(TestCase):

    def setUp(self):

       # username, email, password
       self.cool_user = User.objects.create_user("bob_is_cool", 
                                                 "bob@hotmail.com", 
                                                 "super_cool_password")

        # create OTP stuff including a backup token
        self.cool_user.totpdevice_set.create(name='default', key=random_hex())
        device = self.cool_user.staticdevice_set.create(name='backup')
        device.token_set.create(token='abcdef123')

        # first auth step
        response = self.client.post(reverse('two_factor:login'), {'auth-username': "bob_is_cool", 'auth-password': "super_cool_password", 'login_view-current_step': 'auth'})

        # go to backup step
        response = self.client.post(reverse('two_factor:login'), {'wizard_goto_step': 'backup'})

        # Valid token should be accepted.
        response = self.client.post(reverse('two_factor:login'), {'backup-otp_token': 'abcdef123', 'login_view-current_step': 'backup'})
kdawg
  • 11
  • 3