admin/CTFd
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
Files
main
CTFd/tests/users/test_auth.py
gkr 2e06f92c64
Some checks are pending
Linting / Linting (3.11) (push) Waiting to run
Details
Mirror core-theme / mirror (push) Waiting to run
Details
init CTFd source
2025-12-25 09:39:21 +08:00

838 lines
29 KiB
Python
Raw Permalink Blame History

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from unittest.mock import patch
from freezegun import freeze_time
from CTFd.models import Users, db
from CTFd.utils import get_config, set_config
from CTFd.utils.crypto import verify_password
from tests.helpers import create_ctfd, destroy_ctfd, login_as_user, register_user
def test_register_user():
"""Can a user be registered"""
app = create_ctfd()
with app.app_context():
register_user(app)
user_count = Users.query.count()
assert user_count == 2 # There's the admin user and the created user
destroy_ctfd(app)
def test_register_unicode_user():
"""Can a user with a unicode name be registered"""
app = create_ctfd()
with app.app_context():
register_user(app, name="你好")
user_count = Users.query.count()
assert user_count == 2 # There's the admin user and the created user
destroy_ctfd(app)
def test_register_duplicate_username():
"""A user shouldn't be able to use an already registered team name"""
app = create_ctfd()
with app.app_context():
register_user(
app,
name="user1",
email="user1@examplectf.com",
password="password",
raise_for_error=False,
)
register_user(
app,
name="user1",
email="user2@examplectf.com",
password="password",
raise_for_error=False,
)
register_user(
app,
name="admin ",
email="admin2@examplectf.com",
password="password",
raise_for_error=False,
)
user_count = Users.query.count()
assert user_count == 2 # There's the admin user and the first created user
destroy_ctfd(app)
def test_register_duplicate_email():
"""A user shouldn't be able to use an already registered email address"""
app = create_ctfd()
with app.app_context():
register_user(
app,
name="user1",
email="user1@examplectf.com",
password="password",
raise_for_error=False,
)
register_user(
app,
name="user2",
email="user1@examplectf.com",
password="password",
raise_for_error=False,
)
user_count = Users.query.count()
assert user_count == 2 # There's the admin user and the first created user
destroy_ctfd(app)
def test_register_whitelisted_email():
"""A user shouldn't be able to register with an email that isn't on the whitelist"""
app = create_ctfd()
with app.app_context():
set_config(
"domain_whitelist", "whitelisted.com, whitelisted.org, whitelisted.net"
)
register_user(
app, name="not_whitelisted", email="user@nope.com", raise_for_error=False
)
assert Users.query.count() == 1
register_user(app, name="user1", email="user@whitelisted.com")
assert Users.query.count() == 2
register_user(app, name="user2", email="user@whitelisted.org")
assert Users.query.count() == 3
register_user(app, name="user3", email="user@whitelisted.net")
assert Users.query.count() == 4
destroy_ctfd(app)
def test_register_blacklisted_email():
"""A user shouldn't be able to register with an email that is on the blacklist"""
app = create_ctfd()
with app.app_context():
set_config(
"domain_blacklist", "blacklisted.com, blacklisted.org, blacklisted.net"
)
register_user(
app, name="blacklisted", email="user@blacklisted.com", raise_for_error=False
)
assert Users.query.count() == 1
register_user(app, name="user1", email="user@yep.com")
assert Users.query.count() == 2
register_user(app, name="user2", email="user@yay.org")
assert Users.query.count() == 3
register_user(app, name="user3", email="user@yipee.net")
assert Users.query.count() == 4
destroy_ctfd(app)
def test_user_bad_login():
"""A user should not be able to login with an incorrect password"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(
app, name="user", password="wrong_password", raise_for_error=False
)
with client.session_transaction() as sess:
assert sess.get("id") is None
r = client.get("/profile")
assert r.location.startswith("/login") # We got redirected to login
destroy_ctfd(app)
def test_user_login():
"""Can a registered user can login"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
r = client.get("/profile")
assert r.location is None # We didn't get redirected to login
assert r.status_code == 200
destroy_ctfd(app)
def test_user_login_with_email():
"""Can a registered user can login with an email address instead of a team name"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app, name="user@examplectf.com", password="password")
r = client.get("/profile")
assert r.location is None # We didn't get redirected to login
assert r.status_code == 200
destroy_ctfd(app)
def test_user_get_logout():
"""Can a registered user load /logout"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
client.get("/logout", follow_redirects=True)
r = client.get("/challenges")
assert r.location == "/login?next=%2Fchallenges%3F"
assert r.status_code == 302
destroy_ctfd(app)
def test_user_isnt_admin():
"""A registered user cannot access admin pages"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
for page in [
"pages",
"users",
"teams",
"scoreboard",
"challenges",
"statistics",
"config",
]:
r = client.get("/admin/{}".format(page))
assert r.location.startswith("/login?next=")
assert r.status_code == 302
destroy_ctfd(app)
def test_expired_confirmation_links():
"""Test that expired confirmation links are reported to the user"""
app = create_ctfd()
with app.app_context():
set_config("mail_server", "localhost")
set_config("mail_port", 25)
set_config("mail_useauth", True)
set_config("mail_username", "username")
set_config("mail_password", "password")
set_config("verify_emails", True)
register_user(app, email="user@user.com")
client = login_as_user(app, name="user", password="password")
# user@user.com "2012-01-14 03:21:34"
confirm_link = (
"http://localhost/confirm/bb8a8526146e50778b211ae63074595880edbc0b"
)
r = client.get(confirm_link)
assert (
"Your confirmation link is invalid, please generate a new one"
in r.get_data(as_text=True)
)
user = Users.query.filter_by(email="user@user.com").first()
assert user.verified is not True
destroy_ctfd(app)
def test_invalid_confirmation_links():
"""Test that invalid confirmation links are reported to the user"""
app = create_ctfd()
with app.app_context():
set_config("mail_server", "localhost")
set_config("mail_port", 25)
set_config("mail_useauth", True)
set_config("mail_username", "username")
set_config("mail_password", "password")
set_config("verify_emails", True)
register_user(app, email="user@user.com")
client = login_as_user(app, name="user", password="password")
# user@user.com "2012-01-14 03:21:34"
confirm_link = "http://localhost/confirm/a8375iyu<script>alert(1)<script>hn3048wueorighkgnsfg"
r = client.get(confirm_link)
assert (
"Your confirmation link is invalid, please generate a new one"
in r.get_data(as_text=True)
)
user = Users.query.filter_by(email="user@user.com").first()
assert user.verified is not True
destroy_ctfd(app)
def test_expired_reset_password_link():
"""Test that expired reset password links are reported to the user"""
app = create_ctfd()
with app.app_context():
set_config("mail_server", "localhost")
set_config("mail_port", 25)
set_config("mail_useauth", True)
set_config("mail_username", "username")
set_config("mail_password", "password")
register_user(app, name="user1", email="user@user.com")
with app.test_client() as client:
forgot_link = "http://localhost/reset_password/bb8a8526146e50778b211ae63074595880edbc0b"
r = client.get(forgot_link)
assert (
"Your reset link is invalid, please generate a new one"
in r.get_data(as_text=True)
)
destroy_ctfd(app)
def test_invalid_reset_password_link():
"""Test that invalid reset password links are reported to the user"""
app = create_ctfd()
with app.app_context():
set_config("mail_server", "localhost")
set_config("mail_port", 25)
set_config("mail_useauth", True)
set_config("mail_username", "username")
set_config("mail_password", "password")
register_user(app, name="user1", email="user@user.com")
with app.test_client() as client:
# user@user.com "2012-01-14 03:21:34"
forgot_link = "http://localhost/reset_password/5678ytfghjiu876tyfg<INVALID DATA>hvbnmkoi9u87y6trdf"
r = client.get(forgot_link)
assert (
"Your reset link is invalid, please generate a new one"
in r.get_data(as_text=True)
)
destroy_ctfd(app)
def test_contact_for_password_reset():
"""Test that if there is no mailserver configured, users should contact admins"""
app = create_ctfd()
with app.app_context():
register_user(app, name="user1", email="user@user.com")
with app.test_client() as client:
forgot_link = "http://localhost/reset_password"
r = client.get(forgot_link)
assert "contact an organizer" in r.get_data(as_text=True)
destroy_ctfd(app)
@patch("smtplib.SMTP")
def test_user_can_confirm_email(mock_smtp):
"""Test that a user is capable of confirming their email address"""
app = create_ctfd()
with app.app_context(), freeze_time("2012-01-14 03:21:34"):
# Set CTFd to only allow confirmed users and send emails
set_config("verify_emails", True)
set_config("mail_server", "localhost")
set_config("mail_port", 25)
set_config("mail_useauth", True)
set_config("mail_username", "username")
set_config("mail_password", "password")
register_user(app, name="user1", email="user@user.com")
# Teams are not verified by default
user = Users.query.filter_by(email="user@user.com").first()
assert user.verified is False
client = login_as_user(app, name="user1", password="password")
r = client.get("/confirm")
assert "We've sent a confirmation email" in r.get_data(as_text=True)
# smtp send message function was called
mock_smtp.return_value.send_message.assert_called()
with client.session_transaction() as sess:
urandom_value = b"\xff" * 32
with patch("os.urandom", return_value=urandom_value):
data = {"nonce": sess.get("nonce")}
r = client.post("http://localhost/confirm", data=data)
assert "Confirmation email sent to" in r.get_data(as_text=True)
r = client.get("/challenges")
assert r.location == "/confirm" # We got redirected to /confirm
r = client.get(
"http://localhost/confirm/ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
)
assert r.location == "/challenges"
# The team is now verified
user = Users.query.filter_by(email="user@user.com").first()
assert user.verified is True
r = client.get("http://localhost/confirm")
assert r.location == "/settings"
destroy_ctfd(app)
@patch("smtplib.SMTP")
def test_user_can_reset_password(mock_smtp):
"""Test that a user is capable of resetting their password"""
from email.message import EmailMessage
app = create_ctfd()
with app.app_context():
# Set CTFd to send emails
set_config("mail_server", "localhost")
set_config("mail_port", 25)
set_config("mail_useauth", True)
set_config("mail_username", "username")
set_config("mail_password", "password")
# Create a user
register_user(app, name="user1", email="user@user.com")
with app.test_client() as client:
client.get("/reset_password")
# Build reset password data
with client.session_transaction() as sess:
data = {"nonce": sess.get("nonce"), "email": "user@user.com"}
# Issue the password reset request
urandom_value = b"\xff" * 32
with patch("os.urandom", return_value=urandom_value):
client.post("/reset_password", data=data)
ctf_name = get_config("ctf_name")
from_addr = get_config("mailfrom_addr") or app.config.get("MAILFROM_ADDR")
from_addr = "{} <{}>".format(ctf_name, from_addr)
to_addr = "user@user.com"
# Build the email
msg = (
"Did you initiate a password reset on CTFd? If you didn't initiate this request you can ignore this email. "
"\n\nClick the following link to reset your password:\n"
"http://localhost/reset_password/ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\n\n"
"If the link is not clickable, try copying and pasting it into your browser."
)
ctf_name = get_config("ctf_name")
email_msg = EmailMessage()
email_msg.set_content(msg)
email_msg["Subject"] = "Password Reset Request from {ctf_name}".format(
ctf_name=ctf_name
)
email_msg["From"] = from_addr
email_msg["To"] = to_addr
# Make sure that the reset password email is sent
mock_smtp.return_value.send_message.assert_called()
assert str(mock_smtp.return_value.send_message.call_args[0][0]) == str(
email_msg
)
# Get user's original password
user = Users.query.filter_by(email="user@user.com").first()
# Build the POST data
with client.session_transaction() as sess:
data = {"nonce": sess.get("nonce"), "password": "passwordtwo"}
# Do the password reset
client.get(
"/reset_password/ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
)
client.post(
"/reset_password/ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
data=data,
)
# Make sure that the user's password changed
user = Users.query.filter_by(email="user@user.com").first()
assert verify_password("passwordtwo", user.password)
destroy_ctfd(app)
def test_banned_user():
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
user = Users.query.filter_by(id=2).first()
user.banned = True
db.session.commit()
routes = ["/", "/challenges", "/api/v1/challenges"]
for route in routes:
r = client.get(route)
assert r.status_code == 403
destroy_ctfd(app)
def test_registration_code_required():
"""
Test that registration code configuration properly blocks logins
with missing and incorrect registration codes
"""
app = create_ctfd()
with app.app_context():
# Set a registration code
set_config("registration_code", "secret-sauce")
with app.test_client() as client:
# Load CSRF nonce
r = client.get("/register")
resp = r.get_data(as_text=True)
assert "Registration Code" in resp
with client.session_transaction() as sess:
data = {
"name": "user",
"email": "user1@examplectf.com",
"password": "password",
"nonce": sess.get("nonce"),
}
# Attempt registration without password
r = client.post("/register", data=data)
resp = r.get_data(as_text=True)
assert "The registration code you entered was incorrect" in resp
# Attempt registration with wrong password
data["registration_code"] = "wrong-sauce"
r = client.post("/register", data=data)
resp = r.get_data(as_text=True)
assert "The registration code you entered was incorrect" in resp
# Attempt registration with right password
data["registration_code"] = "secret-sauce"
r = client.post("/register", data=data)
assert r.status_code == 302
assert r.location.startswith("/challenges")
destroy_ctfd(app)
def test_registration_code_allows_numeric():
"""
Test that registration code is allowed to be all numeric
"""
app = create_ctfd()
with app.app_context():
# Set a registration code
set_config("registration_code", "1234567890")
with app.test_client() as client:
# Load CSRF nonce
r = client.get("/register")
resp = r.get_data(as_text=True)
assert "Registration Code" in resp
with client.session_transaction() as sess:
data = {
"name": "user",
"email": "user1@examplectf.com",
"password": "password",
"nonce": sess.get("nonce"),
}
# Attempt registration with numeric registration code
data["registration_code"] = "1234567890"
r = client.post("/register", data=data)
assert r.status_code == 302
assert r.location.startswith("/challenges")
destroy_ctfd(app)
def test_registration_password_minimum_length():
"""
Test that registration enforces minimum password length when configured
"""
app = create_ctfd()
with app.app_context():
# Set a minimum password length
set_config("password_min_length", 8)
with app.test_client() as client:
# Load CSRF nonce
r = client.get("/register")
with client.session_transaction() as sess:
data = {
"name": "user",
"email": "user1@examplectf.com",
"password": "short", # Only 5 characters
"nonce": sess.get("nonce"),
}
# Attempt registration with password too short
r = client.post("/register", data=data)
resp = r.get_data(as_text=True)
assert "Password must be at least 8 characters" in resp
assert r.status_code == 200 # Should stay on registration page
# Verify user was not created
user_count = Users.query.count()
assert user_count == 1 # Only admin user exists
# Attempt registration with password meeting minimum length
data["password"] = "validpassword" # 13 characters, meets minimum
r = client.post("/register", data=data)
assert r.status_code == 302
assert r.location.startswith("/challenges")
# Verify user was created
user_count = Users.query.count()
assert user_count == 2 # Admin user + new user
# Test with minimum length set to 0 (disabled)
set_config("password_min_length", 0)
with app.test_client() as client:
# Load CSRF nonce
r = client.get("/register")
with client.session_transaction() as sess:
data = {
"name": "user2",
"email": "user2@examplectf.com",
"password": "x", # Only 1 character
"nonce": sess.get("nonce"),
}
# Should allow short password when minimum length is 0
r = client.post("/register", data=data)
assert r.status_code == 302
assert r.location.startswith("/challenges")
# Verify user was created
user_count = Users.query.count()
assert user_count == 3 # Admin user + 2 new users
destroy_ctfd(app)
def test_user_change_password_required():
"""
Test that users with change_password=True are redirected to reset password
and cannot access other pages until they change their password
"""
app = create_ctfd()
with app.app_context():
# Create a user with change_password=True
register_user(
app, name="testuser", email="test@example.com", password="oldpassword"
)
user = Users.query.filter_by(name="testuser").first()
user.change_password = True
db.session.commit()
with app.test_client() as client:
# Login as the user
with client.session_transaction() as sess:
data = {
"name": "testuser",
"password": "oldpassword",
"nonce": sess.get("nonce"),
}
# Get login page first to get nonce
client.get("/login")
with client.session_transaction() as sess:
data["nonce"] = sess.get("nonce")
# Login
r = client.post("/login", data=data)
assert r.status_code == 302
# Test that user is redirected to reset_password when accessing various pages
protected_routes = [
"/",
"/challenges",
"/scoreboard",
"/profile",
"/settings",
"/api/v1/challenges",
]
for route in protected_routes:
r = client.get(route, follow_redirects=False)
# Should be redirected to reset_password with a token
assert r.status_code == 302
assert "/reset_password/" in r.location
# Test that the user can access the reset_password page directly
r = client.get(route, follow_redirects=True)
# Should end up on reset_password page
final_url = r.request.path
assert "/reset_password/" in final_url
# Get redirected to reset password page with token
r = client.get("/challenges", follow_redirects=False)
assert r.status_code == 302
assert "/reset_password/" in r.location
# Extract the token from the redirect URL
reset_url = r.location
token = reset_url.split("/reset_password/")[-1]
# Access the reset password page with the token
r = client.get(f"/reset_password/{token}")
assert r.status_code == 200
# Actually reset the password using the reset password form
with client.session_transaction() as sess:
reset_data = {"password": "newpassword123", "nonce": sess.get("nonce")}
# Submit the password reset form
r = client.post(f"/reset_password/{token}", data=reset_data)
assert r.status_code == 302 # Should redirect after successful reset
# Verify the password was actually changed and change_password flag was cleared
user = Users.query.filter_by(name="testuser").first()
assert user.change_password is False
assert verify_password("newpassword123", user.password)
client.get("/login")
with client.session_transaction() as sess:
data = {
"name": "testuser",
"password": "newpassword123",
"nonce": sess.get("nonce"),
}
r = client.post("/login", data=data)
assert r.status_code == 302
# Now user should be able to access protected routes normally
r = client.get("/challenges")
assert r.status_code == 200
assert r.location is None # No redirect
r = client.get("/profile")
assert r.status_code == 200
assert r.location is None # No redirect
destroy_ctfd(app)
def test_admin_can_set_change_password_via_api():
"""
Test that admins can set the change_password attribute via the API
"""
app = create_ctfd()
with app.app_context():
# Login as admin
client = login_as_user(app, name="admin", password="password")
# Create a user via API with change_password=True
r = client.post(
"/api/v1/users",
json={
"name": "apiuser",
"email": "apiuser@example.com",
"password": "password123",
"change_password": True,
},
)
assert r.status_code == 200
# Verify the user was created with change_password=True
response_data = r.get_json()
assert response_data["success"] is True
user_id = response_data["data"]["id"]
user = Users.query.filter_by(id=user_id).first()
assert user is not None
assert user.change_password is True
# Update user via API to set change_password=False
r = client.patch(f"/api/v1/users/{user_id}", json={"change_password": False})
assert r.status_code == 200
# Verify the change_password was updated
user = Users.query.filter_by(id=user_id).first()
assert user.change_password is False
# Test that non-admin users cannot set change_password via API
register_user(app, name="normaluser", email="normal@example.com")
normal_client = login_as_user(app, name="normaluser", password="password")
# Try to modify change_password on their own account (should fail)
normal_user = Users.query.filter_by(name="normaluser").first()
r = normal_client.patch(
f"/api/v1/users/{normal_user.id}",
json={
"change_password": True,
},
)
# Normal users shouldn't be able to modify change_password field
assert r.status_code == 403 # Forbidden
# Verify that change_password was not modified
normal_user = Users.query.filter_by(name="normaluser").first()
assert normal_user.change_password is False
# Also test via the /me endpoint
r = normal_client.patch(
"/api/v1/users/me",
json={
"change_password": True,
},
)
# Request goes through but doesn't actually modify the attribute
assert r.status_code == 200
# Verify that change_password was still not modified
normal_user = Users.query.filter_by(name="normaluser").first()
assert normal_user.change_password is False
destroy_ctfd(app)
@patch("smtplib.SMTP")
def test_user_reset_password_rate_limit(mock_smtp):
"""
Test that a user can only create 5 reset password attempts before they are rate limited
"""
app = create_ctfd()
with app.app_context():
# Create a user before configuring mail to not send any extra emails
register_user(app, name="user1", email="user@user.com")
# Set CTFd to send emails
set_config("mail_server", "localhost")
set_config("mail_port", 25)
set_config("mail_useauth", True)
set_config("mail_username", "username")
set_config("mail_password", "password")
with app.test_client() as client:
# Make 5 password reset requests (which should all succeed)
for _ in range(5):
client.get("/reset_password")
# Build reset password data
with client.session_transaction() as sess:
data = {"nonce": sess.get("nonce"), "email": "user@user.com"}
# Issue the password reset request
r = client.post("/reset_password", data=data)
assert r.status_code == 200
resp = r.get_data(as_text=True)
assert (
"If that account exists you will receive an email, please check your inbox"
in resp
)
assert "Too many password reset attempts" not in resp
# Verify that the email was sent 5 times
assert mock_smtp.return_value.send_message.call_count == 5
# 6th attempt should be rate limited
client.get("/reset_password")
with client.session_transaction() as sess:
data = {"nonce": sess.get("nonce"), "email": "user@user.com"}
r = client.post("/reset_password", data=data)
assert r.status_code == 200
resp = r.get_data(as_text=True)
assert "Too many password reset attempts. Please try again later." in resp
# Verify that no additional email was sent
assert mock_smtp.return_value.send_message.call_count == 5
destroy_ctfd(app)
Reference in New Issue View Git Blame Copy Permalink