How to test protected view with pytest ?

[dvrg]

Hi, i have question about testing the app. How actualy i can pass test the page with protected view with @auth_required ? i'm new in testing and mostly i'm using pytest and flask-pytest to test. May you have documentation or references to doing this ?

Thankyou

[dvrg]

i have checked several blog and tutorial and i doing this thing, but i have error that make me ask more about it.

i follow the instruction in documentation that testing configuration checklist and i create simple test to login (i'm using pytest and pytes-flask)

def test_security_login_page(client):
    rv = client.get(url_for_security("login"), follow_redirects=True)
    assert rv.status_code == HTTPStatus.OK
    assert b"Email" in rv.data
    assert b"Password" in rv.data


def test_security_login_user(client):
    rv = client.post(
        url_for_security("login"),
        data=dict(email=EMAIL, password=PASSWORD, follow_redirects=True),
    )
    assert rv.status_code == HTTPStatus.OK
    assert b"Postingan Terbaru" in rv.data

both test stuck in views error that says :

>   {{ login_user_form.csrf_token() }}
E   jinja2.exceptions.UndefinedError: 'flask_security.forms.LoginForm object' has no attribute 'csrf_token'

Yeah, the csrf_token is not found in forms because the config WTF_CSRF_ENABLED is False, right ? so what wrong here ?
note : i'm using flask_wtf.csrf

Packages :

• Flask 1.1.4
• Flask-Security-Too 4.0.1
• Flask-WTF 0.14.3

[jwag956]

Not obvious - from my glance at Flask-WTF - the csrf_token() field is always present - the WTF_CSRF_ENABLED flag just controls whether it is validated/checked or not.

Probably need to see more of your config setup and initialization - I assume you haven't subclassed/changed any forms?

[dvrg]

i'm not changing/extended the login forms class, just override the templates. for clarity here i put my souce code

config.py

...
class Config:
    """Base configuration."""

     # Flask
    PRESERVE_CONTEXT_ON_EXCEPTION = True

    # Flask-Security-Too : Core
    SECURITY_BLUEPRINT_NAME = "security"
    SECURITY_PASSWORD_HASH = "bcrypt"
    SECURITY_PASSWORD_COMPLEXITY_CHECKER = "zxcvbn"
    SECURITY_USER_IDENTITY_ATTRIBUTES = [
        {"email": {"mapper": uia_email_mapper, "case_insensitive": True}},
        {"us_phone_number": {"mapper": uia_phone_mapper}},
    ]
    # Save datetime aware time zone information https://realpython.com/python-datetime/
    SECURITY_DATETIME_FACTORY = datetime.now
    SECURITY_CONFIRM_SALT = os.getenv("SECURITY_CONFIRM_SALT")
    SECURITY_RESET_SALT = os.getenv("SECURITY_RESET_SALT")
    SECURITY_LOGIN_SALT = os.getenv("SECURITY_LOGIN_SALT")
    SECURITY_TWO_FACTOR_VALIDITY_SALT = os.getenv("SECURITY_TWO_FACTOR_VALIDITY_SALT")
    SECURITY_US_SETUP_SALT = os.getenv("SECURITY_US_SETUP_SALT")
    # Flask-Security-Too : Registerable
    SECURITY_REGISTERABLE = True
    SECURITY_POST_REGISTER_VIEW = "/login"
    # Flask-Security-Too : Confirmable
    SECURITY_CONFIRMABLE = True
    SECURITY_AUTO_LOGIN_AFTER_CONFIRM = False
    # Flask-Security-Too : Changeable
    SECURITY_CHANGEABLE = True
    SECURITY_POST_CHANGE_VIEW = "/logout"
    # Flask-Security-Too : Recoverable
    SECURITY_RECOVERABLE = True
    SECURITY_POST_RESET_VIEW = "/"

    # Flask-Security-Too : Two-Factor
    SECURITY_TWO_FACTOR = True
    SECURITY_TWO_FACTOR_ENABLED_METHODS = ["email", "authenticator", "sms"]
    SECURITY_TOTP_SECRETS = {1: totp.generate_secret()}
    SECURITY_TOTP_ISSUER = APP_NAME
    SECURITY_PHONE_REGION_DEFAULT = "ID"
    # Flask-Security-Too : Unified Signin
    SECURITY_UNIFIED_SIGNIN = True
    SECURITY_US_ENABLED_METHODS = ["password", "email", "authenticator", "sms"]
    # Flask-Security-Too : Passwordless
    SECURITY_PASSWORDLESS = False
    # Flask-Security-Too : Trackable
    SECURITY_TRACKABLE = True
    # Flask-Security-Too : Login/Logout
    SECURITY_POST_LOGOUT_VIEW = "/login"

    # Flask-Security-Too Translations
    SECURITY_I18N_DOMAIN = "flask_security"
    SECURITY_I18N_DIRNAME = [
        pkg_resources.resource_filename("flask_security", "translations"),
        "/src/flask_amikos/translations",
    ]

    # Flask-SQLAlchemy
    POST_PER_PAGE = 10
    MAX_PER_PAGE = 10
    SQLALCHEMY_RECORD_QUERIES = True
    SLOW_DB_QUERY_TIME = 0.5

    # Flask-Babel
    BABEL_DEFAULT_LOCALE = "id"
    BABEL_DEFAULT_TIMEZONE = "UTC"
    LANGUAGES = ["id", "en"]

    # Flask-WTF
    RECAPTCHA_PARAMETERS = {"hl": "id"}

    # Flask Profiler
    FLASK_PROFILER_USERNAME = os.getenv("FLASK_PROFILER_USERNAME")
    FLASK_PROFILER_PASSWORD = os.getenv("FLASK_PROFILER_PASSWORD")
    FLASK_PROFILER_ENDPOINT = os.getenv("FLASK_PROFILER_ENDPOINT")
    FLASK_PROFILER_DATABASE_URL = os.getenv("FLASK_PROFILER_DATABASE_URL")

    # Flask Talisman
    SELF = "'self'"
    CSP = {
        "default-src": [
            SELF,
            "ghbtns.com",
            "www.gravatar.com",
            "github.githubassets.com",
            "api.github.com",
        ],
        "style-src": [
            SELF,
            "'unsafe-inline'",
            "fonts.googleapis.com",
            "cdn.jsdelivr.net",
            "*.midtrans.com",
            "*.cloudfront.net",
        ],
        "font-src": [
            SELF,
            "fonts.googleapis.com",
            "themes.googleusercontent.com",
            "*.gstatic.com",
            "cdn.jsdelivr.net",
            "*.cloudfront.net",
        ],
        "frame-src": [
            SELF,
            "www.google.com",
            "www.youtube.com",
            "*.midtrans.com",
            "*.cloudfront.net",
            "ghbtns.com",
        ],
        "script-src": [
            SELF,
            "'unsafe-inline'",
            "code.jquery.com",
            "ajax.googleapis.com",
            "*.googleanalytics.com ",
            "*.google-analytics.com",
            "cdnjs.cloudflare.com",
            "*.midtrans.com",
            "cdn.jsdelivr.net",
            "www.google.com",
            "www.gstatic.com",
            "*.cloudfront.net",
        ],
    }

    # Elasticsearch
    ELASTICSEARCH_USERNAME = os.getenv("ELASTICSEARCH_USERNAME")
    ELASTICSEARCH_PASSWORD = os.getenv("ELASTICSEARCH_PASSWORD")

    # Flask-APSchedular
    SCHEDULER_API_ENABLED = True
    SCHEDULER_AUTH = HTTPBasicAuth()
    FLASK_APPSCHEDULER_USERNAME = os.getenv("FLASK_APPSCHEDULER_USERNAME")
    FLASK_APPSCHEDULER_PASSWORD = os.getenv("FLASK_APPSCHEDULER_PASSWORD")

    @staticmethod
    def init_app(app):
        pass

class TestingConfig(Config):
    """Testing configuration."""

    PROFILE = True
    TESTING = True

    WTF_CSRF_ENABLED = False
    WTF_CSRF_CHECK_DEFAULT = False

    RECAPTCHA_PUBLIC_KEY = os.getenv("RECAPTCHA_PUBLIC_KEY")
    RECAPTCHA_PRIVATE_KEY = os.getenv("RECAPTCHA_PRIVATE_KEY")

    SECRET_KEY = os.getenv("SECRET_KEY", secrets.token_hex())
    SECURITY_PASSWORD_SALT = os.getenv("SECURITY_PASSWORD_SALT", secrets.token_hex())

    DEBUG_TB_ENABLED = False

    SECURITY_TOKEN_MAX_AGE = 5  # 5 Seconds
    SECURITY_EMAIL_VALIDATOR_ARGS = {"check_deliverability": False}
    SECURITY_PASSWORD_HASH = "plaintext"
    SQLALCHEMY_DATABASE_URI = SQLITE_TEST
    SQLALCHEMY_TRACK_MODIFICATIONS = True

    LOGIN_DISABLED = True

    CELERY_RESULT_BACKEND = os.getenv("CELERY_RESULT_BACKEND", REDIS_RESULT_BACKEND)
    CELERY_BROKER_URL = os.getenv("CELERY_BROKER_URL", REDIS_BROKER_URL)

    MAIL_SERVER = "localhost"
    MAIL_PORT = 8025
    MAIL_USE_TLS = False
    MAIL_USE_SSL = False
    MAIL_USERNAME = ""
    MAIL_PASSWORD = ""
    MAIL_DEFAULT_SENDER = "[email protected]"

    SECURITY_SMS_SERVICE = "Twilio"
    SECURITY_SMS_SERVICE_CONFIG = {
        "ACCOUNT_SID": os.getenv("ACCOUNT_SID"),
        "AUTH_TOKEN": os.getenv("AUTH_TOKEN"),
        "PHONE_NUMBER": os.getenv("PHONE_NUMBER"),
    }

    MIDTRANS_PRODUCTION = False
    MIDTRANS_SERVER_KEY = os.getenv("MIDTRANS_SERVER_KEY")
    MIDTRANS_CLIENT_KEY = os.getenv("MIDTRANS_CLIENT_KEY")

    ELASTICSEARCH_URL = os.getenv("ELASTICSEARCH_URL")

    SENTRY_DSN = os.getenv("SENTRY_DSN")
    TRACE_SAMPLE_RATE = 1.0
...

templates/security/login_user.html (nested)

{% extends "security/base.html" %}
{% from "security/_macros.html" import render_field, render_field_errors, render_field_with_errors_no_labels,
render_field_with_errors_no_labels_without_input_group %}
{% set page_title = _('login user') | title %}

{% block title %} {{ page_title ~' - '~ super() }} {% endblock title %}

{% block content %}
<p class="login-box-msg">{{ page_title }}</p>
{% include "security/_messages.html" %}
<form class="form-signin" action="{{ url_for_security('login') }}" method="POST" name="login_user_form">
    {{ login_user_form.csrf_token() }}
    {{ render_field_with_errors_no_labels(login_user_form.email, class_="form-control",
    placeholder="[email protected]", required="required") }}
    {{ render_field_with_errors_no_labels(login_user_form.password, class_="form-control",
    placeholder=_("password"), required="required") }}
    <div class="row">
        <div class="col-8">
            <div class="icheck-primary">
                {{ render_field_with_errors_no_labels_without_input_group(login_user_form.remember) }}
                <label for="remember">
                    {{ _('remember me') | title }}
                </label>
            </div>
        </div>
        <!-- /.col -->
        <div class="col-4">
            {{ render_field(login_user_form.submit, class_="btn btn-primary btn-block" ) }}
        </div>
        <!-- /.col -->
    </div>
</form>
{% include "security/_menu.html" %}
{% endblock content %}

i try remove the {{ login_user_form.csrf_token() }} in template, test can pass but in interactive mode, when i try login, csrf token is missing (of course).

[jwag956]

Hmm - the original login form has:

{{ render_field_errors(login_user_form.csrf_token) }}

it's not a method to call (i.e. no '()')

[dvrg]

you right. i'm wrong definition for that's point. likely i call from flask-wtf csrf_token.
i have change it, the test is pass and iteractive mode pass.

Thankyou for your correction, my faults are not thorough.
happy weekend!