fix error related to mutating data while validating the challenge

2020-05-12 17:50:40 +01:00 · 2020-05-12 17:50:40 +01:00 · 5cba97f144
parent 62bb8d9e62
commit 5cba97f144
4 changed files with 38 additions and 10 deletions
--- a/django_cryptolock/forms.py
+++ b/django_cryptolock/forms.py
@ -32,13 +32,14 @@ class ChallengeMixin(forms.Form):
            self.initial["challenge"] = new_challenge

    def clean_challenge(self):
-        challenge_uri = urlparse(self.cleaned_data.get("challenge"))
+        challenge = self.cleaned_data.get("challenge")
+        challenge_uri = urlparse(challenge)
        query = parse_qs(challenge_uri.query)
        if not query.get("x"):
            raise forms.ValidationError(_("Invalid or outdated challenge"))

-        challenge = query["x"][0]
-        if not challenge or not Challenge.objects.is_active(challenge):
+        token = query["x"][0]
+        if not token or not Challenge.objects.is_active(token):
            raise forms.ValidationError(_("Invalid or outdated challenge"))

        return challenge
@ -51,7 +52,7 @@ class SimpleLoginForm(ChallengeMixin, forms.Form):
    signature = forms.CharField()

    error_messages = {
-        "invalid_login": _("Please enter a correct Monero address or signature."),
+        "invalid_login": _("Please enter a correct address or signature."),
        "inactive": _("This account is inactive."),
    }

--- a/django_cryptolock/utils.py
+++ b/django_cryptolock/utils.py
@ -33,7 +33,6 @@ def verify_bitcoin_signature(
        warnings.warn(_("Please configure the bitcoin network in the settings file"))
    is_testnet = True if network == "testnet" else False
    callback_uri = request.build_absolute_uri()
-
    return bitid.challenge_valid(
        address, signature, challenge, callback_uri, is_testnet
    )
--- a/example/example/settings.py
+++ b/example/example/settings.py
@ -121,7 +121,7 @@ LOGOUT_REDIRECT_URL = "/"

 AUTHENTICATION_BACKENDS = [
    "django_cryptolock.backends.BitcoinAddressBackend",
-    "django_cryptolock.backends.MoneroAddressBackend",
+    # "django_cryptolock.backends.MoneroAddressBackend",
 ]
 DJCL_BITCOIN_NETWORK = "mainnet"
 DJCL_MONERO_NETWORK = "mainnet"
--- a/tests/test_forms.py
+++ b/tests/test_forms.py
@ -200,9 +200,37 @@ def test_simplesignupform_invalid_addr():
    assert "Invalid address" in form.errors["address"]


-# def test_simplesignupform_invalid_challenge():
-#     pass
+def test_simplesignupform_invalid_challenge(settings):
+    set_bitcoin_settings(settings)
+    mommy.make(Challenge, challenge="12345678", expires=FUTURE_TIME)
+
+    request = MagicMock()
+    request.build_absolute_uri.return_value = "http://something/"
+    form = SimpleSignUpForm(
+        request=request,
+        data={
+            "username": "foo",
+            "address": VALID_BITCOIN_ADDRESS,
+            "challenge": gen_challenge(request, "1234567"),
+            "signature": "some valid signature",
+        },
+    )
+    assert not form.is_valid()


-# def test_simple_signupform_expired_challenge():
-#     pass
+def test_simplesignupform_expired_challenge(settings):
+    set_bitcoin_settings(settings)
+    mommy.make(Challenge, challenge="12345678", expires=timezone.now())
+
+    request = MagicMock()
+    request.build_absolute_uri.return_value = "http://something/"
+    form = SimpleSignUpForm(
+        request=request,
+        data={
+            "username": "foo",
+            "address": VALID_BITCOIN_ADDRESS,
+            "challenge": gen_challenge(request, "12345678"),
+            "signature": "some valid signature",
+        },
+    )
+    assert not form.is_valid()