I have a suite of tests that I wrote while my app was using Django's default authentication, but now I've added Atlassian Crowd as the authentication method and those tests now fail, mainly because the Crowd server isn't there when I want to run my tests from home.
Each app has this in it's Setup() method
def setUp(self):
"""Set up the shared test data."""
self.client.login(username='admin', password='letmein')
I'm working around it at the moment by commenting out the AUTHENTICATION_BACKENDS, but that isn't going to work on the CI server.
I don't think the error I'm getting is important, but for completeness:
URLError: <urlopen error [Errno 8] nodename nor servname provided, or not known>
I've tried adding both auth backends into AUTHENTICATION_BACKENDS and I still get the same results.
What are my options for getting these tests to pass?
Is there any way to force the user to be logged in? Can I mock the auth object somehow?
Could I put some check around the AUTHENTICATION_BACKENDS section in setting to check if it's running in test mode? but then I'm writing special cases for my tests and that kind of defeats the object.
You could change the AUTHENTICATION_BACKENDS setting in the setUp method, then change it back in tearDown. This question's accepted answer has an example just that, but with a different setting.
Related
I've developed a web app that includes the functionality for users to log in and signup. I've done everything as per documentation and tutorials, and everything works fine with the flask server.
The issue is: I use gunicorn and start a web server, open the address (localhost:8000) on few different browsers (Brave and Firefox on Linux, and Brave on Android), I can only log in (Single or multiple different users) from only one client. When I try to do so from another one, it throws 400 Bad Request (CSRF Session token missing or CSRF Session tokens do no match).
Now, this doesn't happen when using Flasks Server. It only happens while using gunicorn.
I've deployed the application to Heroku (Using the Free plan), and I want multiple users to sign in at the same time. This happens on all of the other forms my app has.
All environment variables, secret keys are correctly configured, everything works as intended when using Flask Server. Using Gunicorn doesn't cause any other issues except this. Sometimes, logging in from a single client doesn't work too.
Any help would be appreciated. I've already looked at other threads/questions that were related, but they didn't mention the problem I have
Sorry for the late reply (Maybe it can help someone in the future)
The short answer :
use :
with app.app_context():
your code
instead of :
app.app_context().push()
which is never closed
The long answer :
I guess you use Flask-WTF for managing CSRF,
If yes, there is an if bloc (https://github.com/wtforms/flask-wtf/blob/0.15.x/src/flask_wtf/csrf.py#L53) in the generate_csrf function, which check the flask g variable before generating a new CSRF token. It works perfectly, but when the g variable doesn't reinitilize on each new request (see below for the cause) it creates a conflict between the different users trying to log in.
The principal cause of not reinitilizing the flask g variable is an app context which is pushed manually (usually by : app.app_context().push()) but not closed, in this case the app context is never torn down see : Flask app.teardown_appcontext not being called when DEBUG is false
Finally, i think there is something in the flask DEBUG mode, which force tearing down the app context and reinitilize the g variable.
I am building a simple web app using React.js for the frontend and Django for the server side.
Thus frontend.herokuapp.com and backend.herokuapp.com.
When I attempt to make calls to my API through the react app the cookie that was received from the API is not sent with the requests.
I had expected that I would be able to support this configuration without having to do anything special since all server-side requests would (I thought) be made by the JS client app directly to the backend process with their authentication cookies attached.
In an attempt to find a solution that I thought would work I attempted to set
SESSION_COOKIE_DOMAIN = "herokuapp.com"
Which while less than ideal (as herokuapp.com is a vast domain) in Production would seem to be quite safe as they would then be on api.myapp.com and www.myapp.com.
However, with this value set in settings.py I get an AuthStateMissing when hitting my /oauth/complete/linkedin-oauth2/ endpoint.
Searching google for AuthStateMissing SESSION_COOKIE_DOMAIN yields one solitary result which implies that the issue was reported as a bug in Django social auth and has since been closed without further commentary.
Any light anyone could throw would be very much appreciated.
I ran into the exact same problem while using herokuapp.com.
I even posted a question on SO here.
According to Heroku documentation:
In other words, in browsers that support the functionality, applications in the herokuapp.com domain are prevented from setting cookies for *.herokuapp.com
Heroku blocks cookies from frontend.herokuapp.com and backend.herokuapp.com
You need to add a custom domain to frontend.herokuapp.com and backend.herokuapp.com
The entire answer https://stackoverflow.com/a/54513216/1501643
I am writing tests for my django application views and i am a beginner at this. I know that before running tests a new database is generated which only contains data that is being created at the time of running of tests but in my view's tests i am making API calls by url on my server which is using my default database not the test database in following way.
def test_decline_activity_valid_permission(self):
url = 'http://myapp:8002/api/v1/profile/' + self.profileUUID + '/document/' + \
self.docUUID + '/decline/'
response = requests.post(
url,
data=json.dumps(self.payload_valid_permission),
headers=self.headers,
)
self.assertEquals(response.status_code, status.HTTP_201_CREATED)
i want to know that if we can use test database for our testing our views or not. And what is difference between using request and using Client?
You could try using Django's LiveServerTestCase. That works like TransactionTestCase but will start up a server on localhost pointing at the test database. It gets started/stopped at the beginning/end of each test.
You could then configure the URL in your test to point at that local server. Django provides self.live_server_url for accessing the URL of the server.
As mentioned in the comments, Django's test client allows you to test views without making real HTTP requests. Whereas the requests library that you're using in your test, will send and receive real HTTP request and responses.
I have a GWTP application (app1) calling another GWTP application (app2). The first sets a SecurityCookie as the second one.
If app1 is on new session, and this opens app2, everything works. If I close my browser and turn on app1 in new session without wiping the browser cache, app1 calls app2 and prints the following error:
SEVERE: Cookie provided by RPC does not match request cookie, aborting
action, possible XSRF attack. (Maybe you forgot to set the security
cookie?)
Without more info it's hard to provide an exact solution, but this is a known issue in GWTP, because the RandomSecuritySessionFilter changes the cookie each time a new RPC request is issued.
See this github issue here. It's rather long but worth the read if you want to understand the problem.
In my own app I dispatch about 5 async RPC calls at once and kept getting the same error as you in development mode, but much more rarely in production (due to the development server being so fast that calls return in a much more random fashion). So as a hack I turned off the cookie in development mode because it was making my life so difficult.
I am troubleshooting a Django app.
Recently the app seems to Randomly generate CSRF verification errors:
CSRF verification failed. Request aborted.
(Resulting in a 403)
Where can I find detailed information on the cause of the verification failure?
The error you're seeing is on the client side - which won't by default know what's going wrong on your server unless you have set DEBUG = True (which you don't want to do in production).
If it was replicable on your staging server it would be easy to fix, since you could replicate the error with DEBUG = True on staging and quickly see where the verification fails in Django's csrf.py.
What you're looking for is the output of which of these error is occurring on your server.
If you implement logging in Django you'll be able to investigate and determine which of these errors was triggered on your production site. A service like Sentry makes this even simpler since it will send you the traceback anytime an error happens.