django-mfa3

multi factor authentication for django

commit
5c8f3f304173d1cd3bc7b7fb5e45847b77d7932b
parent
166c07d8d2f24871c95cede32b5b01ad21ff5fcf
Author
Tobias Bengfort <tobias.bengfort@posteo.de>
Date
2023-04-13 06:16
test _get_verify_origin_fn

Diffstat

M mfa/methods/fido2.py 9 ++++-----
M tests/tests.py 23 +++++++++++++++++++++++

2 files changed, 27 insertions, 5 deletions


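--- a/mfa/methods/fido2.py
+++ b/mfa/methods/fido2.py
@@ -16,8 +16,7 @@ from .. import settings
 
 name = 'FIDO2'
 
-
-def _get_verify_origin_fn():
+def _get_verify_origin_fn(domain):
     """Do not require https on localhost in DEBUG mode.
 
     See https://github.com/Yubico/python-fido2/issues/122
@@ -28,9 +27,9 @@ def _get_verify_origin_fn():
         return any(is_same_domain(hostname, h) for h in allowed_hosts)
 
     def verify_localhost_origin(origin):
-        return urlparse(origin).hostname == settings.DOMAIN
+        return urlparse(origin).hostname == domain
 
-    if django_settings.DEBUG and is_localhost(settings.DOMAIN):
+    if django_settings.DEBUG and is_localhost(domain):
         return verify_localhost_origin
     else:
         return None
@@ -38,7 +37,7 @@ def _get_verify_origin_fn():
 
 fido2 = Fido2Server(
     PublicKeyCredentialRpEntity(id=settings.DOMAIN, name=settings.SITE_TITLE),
-    verify_origin=_get_verify_origin_fn(),
+    verify_origin=_get_verify_origin_fn(settings.DOMAIN),
 )
 
 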
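Review bot: The DEBUG-only relaxation is still decided once at import time: the module-level `fido2 = Fido2Server(..., verify_origin=_get_verify_origin_fn(settings.DOMAIN))` captures the result of the `django_settings.DEBUG` check, so changing DEBUG or MFA_DOMAIN afterwards (for example via `override_settings`) does not change which origin check the live server uses; a comment above the `Fido2Server(` call, `# evaluated at import time: later changes to DEBUG/DOMAIN do not alter verify_origin`, would make that explicit for operators who expect settings to be live. The new `domain` parameter is also undocumented; one docstring line such as `domain is compared against the origin's hostname only -- scheme and port are ignored in the localhost case` states the contract that `verify_localhost_origin` actually implements. Most of the body between the first two hunks, including the helper that ends with the `return any(is_same_domain(...))` line, is outside the hunk.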

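--- a/tests/tests.py
+++ b/tests/tests.py
@@ -3,6 +3,7 @@ from django.contrib.auth.hashers import make_password
 from django.contrib.auth.models import User
 from django.core import mail
 from django.test import TestCase
+from fido2.server import _verify_origin_for_rp
 
 from mfa.mail import send_mail
 from mfa.methods import fido2
@@ -192,6 +193,28 @@ class FIDO2Test(MFATestCase):
     def test_decode(self):
         self.assertEqual(fido2.decode('a163666f6f820102'), {'foo': [1, 2]})
 
+    def test_origin_https(self):
+        for debug, domain, value, expected in [
+            (False, 'example.com', 'https://example.com', True),
+            (False, 'example.com', 'http://example.com', False),
+            (False, 'example.com', 'http://localhost:8000', False),
+            (False, 'localhost', 'http://localhost:8000', False),
+            (True, 'localhost', 'https://example.com', False),
+            (True, 'localhost', 'http://localhost:8000', True),
+            (True, 'localhost', 'http://127.0.0.1', False),
+            (True, 'localhost', 'http://foo.localhost', False),
+            (True, '127.0.0.1', 'http://127.0.0.1', True),
+            (True, 'foo.localhost', 'http://foo.localhost', True),
+            (True, 'example.com', 'http://example.com', False),
+        ]:
+            with self.subTest(debug=debug, domain=domain, value=value):
+                with self.settings(DEBUG=debug, MFA_DOMAIN=domain):
+                    verify = (
+                        fido2._get_verify_origin_fn(domain)
+                        or _verify_origin_for_rp(domain)
+                    )
+                    self.assertEqual(verify(value), expected)
+
 
 class RecoveryTest(MFATestCase):
     def test_create(self):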
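Review bot: `from fido2.server import _verify_origin_for_rp` ties the test to a private helper of python-fido2, so a rename in that dependency breaks this test rather than the product; a comment at the `or _verify_origin_for_rp(domain)` line, `# private python-fido2 helper; presumably the default check applied when verify_origin is None -- confirm against the installed version`, records why the coupling is accepted. The `verify = ... or ...` expression also reimplements the selection the production `Fido2Server` makes, so the table proves each branch on its own but not that the module-level server picks the same one; that limitation is worth one sentence in a docstring on `test_origin_https`. The `MFA_DOMAIN=domain` override inside `self.settings(...)` looks redundant now that `domain` is passed explicitly; if the fallback or a helper still reads `settings.DOMAIN`, a short comment saying so keeps it from being removed as dead.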