init CTFd source

2025-12-25 09:39:21 +08:00
commit 2e06f92c64
1047 changed files with 150349 additions and 0 deletions
--- a/tests/api/v1/test_tokens.py
+++ b/tests/api/v1/test_tokens.py
@@ -0,0 +1,123 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+import datetime
+
+from CTFd.models import Tokens, Users
+from CTFd.schemas.tokens import TokenSchema
+from CTFd.utils.security.auth import generate_user_token
+from tests.helpers import create_ctfd, destroy_ctfd, gen_user, login_as_user
+
+
+def test_api_tag_list_post():
+    """Can a user create a token"""
+    app = create_ctfd()
+    with app.app_context():
+        user = gen_user(app.db, name="user")
+        user_id = user.id
+        with login_as_user(app) as client:
+            r = client.post("/api/v1/tokens", json={})
+            assert r.status_code == 200
+            resp = r.get_json()
+            value = resp["data"]["value"]
+            token = Tokens.query.filter_by(value=value).first()
+            assert token.user_id == user_id
+            assert token.expiration > datetime.datetime.utcnow()
+
+            data = {"expiration": "9999-12-30"}
+            r = client.post("/api/v1/tokens", json=data)
+            assert r.status_code == 200
+            resp = r.get_json()
+            value = resp["data"]["value"]
+            token = Tokens.query.filter_by(value=value).first()
+            assert token.user_id == user_id
+            assert token.expiration.year == 9999
+    destroy_ctfd(app)
+
+
+def test_api_tag_list_get():
+    """Can a user get /api/v1/tokens"""
+    app = create_ctfd()
+    with app.app_context():
+        user = gen_user(app.db, name="user")
+        generate_user_token(user)
+
+        user2 = gen_user(app.db, name="user2", email="user2@examplectf.com")
+        generate_user_token(user2)
+        generate_user_token(user2)
+        with login_as_user(app) as client:
+            r = client.get("/api/v1/tokens", json="")
+            assert r.status_code == 200
+            resp = r.get_json()
+            assert len(resp["data"]) == 1
+
+        with login_as_user(app, name="user2") as client:
+            r = client.get("/api/v1/tokens", json="")
+            assert r.status_code == 200
+            resp = r.get_json()
+            assert len(resp["data"]) == 2
+    destroy_ctfd(app)
+
+
+def test_api_tag_detail_get():
+    """Can a user get /api/v1/tokens/<token_id>"""
+    app = create_ctfd()
+    with app.app_context():
+        user = gen_user(app.db, name="user")
+        generate_user_token(user)
+
+        with login_as_user(app) as client:
+            r = client.get("/api/v1/tokens/1", json="")
+            assert r.status_code == 200
+            resp = r.get_json()
+            assert sorted(resp["data"].keys()) == sorted(TokenSchema().views["user"])
+
+        with login_as_user(app, "admin") as client:
+            r = client.get("/api/v1/tokens/1", json="")
+            assert r.status_code == 200
+            resp = r.get_json()
+            assert sorted(resp["data"].keys()) == sorted(TokenSchema().views["admin"])
+
+        gen_user(app.db, name="user2", email="user2@examplectf.com")
+        with login_as_user(app, "user2") as client:
+            r = client.get("/api/v1/tokens/1", json="")
+            assert r.status_code == 404
+    destroy_ctfd(app)
+
+
+def test_api_token_delete():
+    """Can tokens be deleted by owners, and admins"""
+    app = create_ctfd()
+    with app.app_context():
+        # Can be deleted by the user
+        user = gen_user(app.db)
+        user_id = user.id
+        username = user.name
+        token = generate_user_token(user)
+        token_id = token.id
+        with login_as_user(app, username) as client:
+            r = client.delete("/api/v1/tokens/" + str(token_id), json="")
+            assert r.status_code == 200
+            assert Tokens.query.count() == 0
+
+        # Can be deleted by admins
+        user = Users.query.filter_by(id=user_id).first()
+        token = generate_user_token(user)
+        token_id = token.id
+        with login_as_user(app, "admin") as client:
+            r = client.delete("/api/v1/tokens/" + str(token_id), json="")
+            assert r.status_code == 200
+            assert Tokens.query.count() == 0
+
+        # First user
+        first_user = Users.query.filter_by(id=user_id).first()
+        token = generate_user_token(first_user)
+        token_id = token.id
+        # Second user
+        second_user = gen_user(app.db, name="user2", email="user2@examplectf.com")
+        username2 = second_user.name
+        with login_as_user(app, username2) as client:
+            r = client.delete("/api/v1/tokens/" + str(token_id), json="")
+            assert r.status_code == 404
+            assert Tokens.query.count() == 1
+    destroy_ctfd(app)