[SECURITY] Respect session timeout in API

2026-05-04 15:04:03 +00:00 · 2017-11-25 18:55:06 +01:00
parent f6b1bd9fe8
commit 364ea9ca29
3 changed files with 126 additions and 0 deletions
--- a/src/tests/api/conftest.py
+++ b/src/tests/api/conftest.py
@@ -72,6 +72,17 @@ def user():
    return User.objects.create_user('dummy@dummy.dummy', 'dummy')


+@pytest.fixture
+def user_client(client, team, user):
+    team.can_view_orders = True
+    team.can_view_vouchers = True
+    team.all_events = True
+    team.save()
+    team.members.add(user)
+    client.force_authenticate(user=user)
+    return client
+
+
@pytest.fixture
 def token_client(client, team):
    team.can_view_orders = True
--- a/src/tests/api/test_permissions.py
+++ b/src/tests/api/test_permissions.py
@@ -1,4 +1,7 @@
+import time
+
 import pytest
+from django.test import override_settings

 from pretix.base.models import Organizer

@@ -134,3 +137,99 @@ def test_token_event_permission_not_allowed(token_client, team, organizer, event
        assert resp.status_code == 403
    else:
        assert resp.status_code in (404, 403)
+
+
+@pytest.mark.django_db
+def test_log_out_after_absolute_timeout(user_client, team, organizer, event):
+    session = user_client.session
+    session['pretix_auth_long_session'] = False
+    session['pretix_auth_login_time'] = int(time.time()) - 3600 * 12 - 60
+    session.save()
+
+    response = user_client.get('/api/v1/organizers/{}/events/'.format(organizer.slug))
+    assert response.status_code == 403
+
+
+@pytest.mark.django_db
+def test_dont_logout_before_absolute_timeout(user_client, team, organizer, event):
+    session = user_client.session
+    session['pretix_auth_long_session'] = True
+    session['pretix_auth_login_time'] = int(time.time()) - 3600 * 12 + 60
+    session.save()
+
+    response = user_client.get('/api/v1/organizers/{}/events/'.format(organizer.slug))
+    assert response.status_code == 200
+
+
+@pytest.mark.django_db
+@override_settings(PRETIX_LONG_SESSIONS=False)
+def test_ignore_long_session_if_disabled_in_config(user_client, team, organizer, event):
+    session = user_client.session
+    session['pretix_auth_long_session'] = True
+    session['pretix_auth_login_time'] = int(time.time()) - 3600 * 12 - 60
+    session.save()
+
+    response = user_client.get('/api/v1/organizers/{}/events/'.format(organizer.slug))
+    assert response.status_code == 403
+
+
+@pytest.mark.django_db
+def test_dont_logout_in_long_session(user_client, team, organizer, event):
+    session = user_client.session
+    session['pretix_auth_long_session'] = True
+    session['pretix_auth_login_time'] = int(time.time()) - 3600 * 12 - 60
+    session.save()
+
+    response = user_client.get('/api/v1/organizers/{}/events/'.format(organizer.slug))
+    assert response.status_code == 200
+
+
+@pytest.mark.django_db
+def test_log_out_after_relative_timeout(user_client, team, organizer, event):
+    session = user_client.session
+    session['pretix_auth_long_session'] = False
+    session['pretix_auth_login_time'] = int(time.time()) - 3600 * 6
+    session['pretix_auth_last_used'] = int(time.time()) - 3600 * 3 - 60
+    session.save()
+
+    response = user_client.get('/api/v1/organizers/{}/events/'.format(organizer.slug))
+    assert response.status_code == 403
+
+
+@pytest.mark.django_db
+def test_dont_logout_before_relative_timeout(user_client, team, organizer, event):
+    session = user_client.session
+    session['pretix_auth_long_session'] = True
+    session['pretix_auth_login_time'] = int(time.time()) - 3600 * 6
+    session['pretix_auth_last_used'] = int(time.time()) - 3600 * 3 + 60
+    session.save()
+
+    response = user_client.get('/api/v1/organizers/{}/events/'.format(organizer.slug))
+    assert response.status_code == 200
+
+
+@pytest.mark.django_db
+def test_dont_logout_by_relative_in_long_session(user_client, team, organizer, event):
+    session = user_client.session
+    session['pretix_auth_long_session'] = True
+    session['pretix_auth_login_time'] = int(time.time()) - 3600 * 5
+    session['pretix_auth_last_used'] = int(time.time()) - 3600 * 3 - 60
+    session.save()
+
+    response = user_client.get('/api/v1/organizers/{}/events/'.format(organizer.slug))
+    assert response.status_code == 200
+
+
+@pytest.mark.django_db
+def test_update_session_activity(user_client, team, organizer, event):
+    t1 = int(time.time()) - 5
+    session = user_client.session
+    session['pretix_auth_long_session'] = False
+    session['pretix_auth_login_time'] = int(time.time()) - 3600 * 5
+    session['pretix_auth_last_used'] = t1
+    session.save()
+
+    response = user_client.get('/api/v1/organizers/{}/events/'.format(organizer.slug))
+    assert response.status_code == 200
+
+    assert user_client.session['pretix_auth_last_used'] > t1