From 576226ad30ea3cdedb9d99e632b0f429ec144a7e Mon Sep 17 00:00:00 2001
From: Oliver Walters
Date: Sat, 7 Sep 2019 23:41:15 +1000
Subject: [PATCH 1/2] Tests for retrieving user auth tokens
---
InvenTree/InvenTree/test_api.py | 45 +++++++++++++++++++++++++++++++
InvenTree/InvenTree/test_views.py | 7 +++--
InvenTree/users/urls.py | 2 +-
3 files changed, 51 insertions(+), 3 deletions(-)
create mode 100644 InvenTree/InvenTree/test_api.py
diff --git a/InvenTree/InvenTree/test_api.py b/InvenTree/InvenTree/test_api.py
new file mode 100644
index 0000000000..4ec173bf7d
--- /dev/null
+++ b/InvenTree/InvenTree/test_api.py
@@ -0,0 +1,45 @@
+""" Low level tests for the InvenTree API """
+
+from rest_framework.test import APITestCase
+from rest_framework import status
+
+from django.urls import reverse
+
+from django.contrib.auth import get_user_model
+
+
+class APITests(APITestCase):
+ """ Tests for the InvenTree API """
+
+ username = 'test_user'
+ password = 'test_pass'
+
+ def setUp(self):
+
+ # Create a user (but do not log in!)
+ User = get_user_model()
+ User.objects.create_user(self.username, 'user@email.com', self.password)
+
+ def test_get_token_fail(self):
+ """ Ensure that an invalid user cannot get a token """
+
+ token_url = reverse('api-token')
+
+ response = self.client.post(token_url, format='json', data={'username': 'bad', 'password': 'also_bad'})
+
+ self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+ self.assertFalse('token' in response.data)
+
+ def test_get_token_pass(self):
+ """ Ensure that a valid user can request an API token """
+
+ token_url = reverse('api-token')
+
+ # POST to retreive a token
+ response = self.client.post(token_url, format='json', data={'username': self.username, 'password': self.password})
+
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
+ self.assertTrue('token' in response.data)
+ self.assertTrue('pk' in response.data)
+ self.assertTrue(len(response.data['token']) > 0)
+
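Review bot: `test_get_token_fail` only posts a username that does not exist, so the case where a real account is paired with a wrong password is never exercised. A second request with `data={'username': self.username, 'password': 'also_bad'}` and the same two assertions would cover the credential check itself. `self.assertNotIn('token', response.data)` and `self.assertIn(...)` would give clearer failure output than wrapping `in` with `assertFalse`/`assertTrue`. The comment in `test_get_token_pass` also has a typo (`retreive`).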
diff --git a/InvenTree/InvenTree/test_views.py b/InvenTree/InvenTree/test_views.py index 150a6a4f30..171dcbb05f 100644 --- a/InvenTree/InvenTree/test_views.py +++ b/InvenTree/InvenTree/test_views.py @@ -10,13 +10,16 @@ import os class ViewTests(TestCase): """ Tests for various top-level views """ + username = 'test_user' + password = 'test_pass' + def setUp(self): # Create a user User = get_user_model() - User.objects.create_user('username', 'user@email.com', 'password') + User.objects.create_user(self.username, 'user@email.com', self.password) - self.client.login(username='username', password='password') + self.client.login(username=self.username, password=self.password) def test_api_doc(self): """ Test that the api-doc view works """ diff --git a/InvenTree/users/urls.py b/InvenTree/users/urls.py index 6082ef14df..312789b55b 100644 --- a/InvenTree/users/urls.py +++ b/InvenTree/users/urls.py @@ -5,7 +5,7 @@ from . import views user_urls = [ url(r'^(?P[0-9]+)/?$', views.UserDetail.as_view(), name='user-detail'), - url(r'token', views.GetAuthToken.as_view()), + url(r'token', views.GetAuthToken.as_view(), name='api-token'), url(r'^$', views.UserList.as_view()), ] From baf096b3e72a98f981cb49f5a5ecdb75331b3355 Mon Sep 17 00:00:00 2001 From: Oliver Walters Date: Sun, 8 Sep 2019 00:28:12 +1000 Subject: [PATCH 2/2] Ensure token validation is working correctly --- InvenTree/InvenTree/test_api.py | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/InvenTree/InvenTree/test_api.py b/InvenTree/InvenTree/test_api.py index 4ec173bf7d..0bb36db59f 100644 --- a/InvenTree/InvenTree/test_api.py +++ b/InvenTree/InvenTree/test_api.py @@ -11,6 +11,13 @@ from django.contrib.auth import get_user_model class APITests(APITestCase): """ Tests for the InvenTree API """ + fixtures = [ + 'location', + 'stock', + 'part', + 'category', + ] + username = 'test_user' password = 'test_pass' 
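Review bot: In `InvenTree/users/urls.py` the route that gains `name='api-token'` still uses the unanchored pattern `r'token'`, so any path under this URL prefix that merely contains the substring `token` resolves to `GetAuthToken`. Anchoring it, e.g. `url(r'^token/?$', views.GetAuthToken.as_view(), name='api-token'),`, keeps the credential endpoint reachable at one path only and matches the `^...$` style of the neighbouring entries. How the prefix itself is anchored is decided where `user_urls` is included, which is outside this hunk.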
@@ -29,7 +36,7 @@ class APITests(APITestCase): self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST) self.assertFalse('token' in response.data) - + def test_get_token_pass(self): """ Ensure that a valid user can request an API token """ @@ -43,3 +50,18 @@ class APITests(APITestCase): self.assertTrue('pk' in response.data) self.assertTrue(len(response.data['token']) > 0) + # Now, use the token to access other data + token = response.data['token'] + + part_url = reverse('api-part-list') + + # Try to access without a token + response = self.client.get(part_url, format='json') + + self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED) + + # Now, with the token + self.client.credentials(HTTP_AUTHORIZATION='Token ' + token) + response = self.client.get(part_url, format='json') + + self.assertEqual(response.status_code, status.HTTP_200_OK)
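Review bot: The assertions added to `test_get_token_pass` cover a missing token and a valid token, but not a wrong one, so a regression that accepts any `Token ...` header would still pass. After the final 200 check, a negative case with a made-up value would pin that down: `self.client.credentials(HTTP_AUTHORIZATION='Token ' + 'x' * 40)`, then `response = self.client.get(part_url, format='json')` and `self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)`. The method begins above this hunk, so only its tail is visible here.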