early detection of unwanted pass/token

Author: Fabien Coelho

FlaskTester.py

@@ -30,7 +30,12 @@ class Authenticator:
     - ``fake``: fake scheme, login directly passed as a parameter
     """
 
-    _AUTH_SCHEMES = ("basic", "param", "bearer", "header", "cookie", "tparam", "fake")
+    _TOKEN_SCHEMES = {"bearer", "header", "cookie", "tparam"}
+    _PASS_SCHEMES = {"basic", "param"}
+
+    _AUTH_SCHEMES = {"fake"}
+    _AUTH_SCHEMES.update(_TOKEN_SCHEMES)
+    _AUTH_SCHEMES.update(_PASS_SCHEMES)
 
     def __init__(self,
              allow: list[str] = ["bearer", "basic", "param"],
@@ -65,8 +70,13 @@ def __init__(self,
           default is ``AUTH``
         """
 
+        self._has_pass, self._has_token = False, False
         for auth in allow:
             assert auth in self._AUTH_SCHEMES
+            if auth in self._TOKEN_SCHEMES:
+                self._has_token = True
+            if auth in self._PASS_SCHEMES:
+                self._has_pass = True
         self._allow = allow
 
         # authentication scheme parameters
@@ -93,6 +103,8 @@ def _set(self, login: str, val: str|None, store: dict[str, str]):
 
     def setPass(self, login: str, pw: str|None):
         """Associate a password to a user."""
+        if not self._has_pass:
+            raise AuthError("cannot set password, no password scheme allowed")
         self._set(login, pw, self._passes)
 
     def setPasses(self, pws: list[str]):
@@ -103,6 +115,8 @@ def setPasses(self, pws: list[str]):
 
     def setToken(self, login: str, token: str|None):
         """Associate a token to a user."""
+        if not self._has_token:
+            raise AuthError("cannot set token, no token scheme allowed")
         self._set(login, token, self._tokens)
 
     def _param(self, kwargs: dict[str, Any], key: str, val: Any):

README.md

@@ -181,6 +181,7 @@ please report any [issues](https://github.com/zx80/flask-tester/issues).
 ### ? on ?
 
 Improved documentation and tests.
+Raise an error when setting unusable passwords or tokens.
 
 ### 1.1 on 2024-03-13
 

tests/test.py

@@ -109,7 +109,6 @@ def test_authenticator_token():
     auth.setToken("susie", "ss-token")
     auth.setToken("hobbes", "hbs-token")
     auth.setToken("moe", "m-token")
-    auth.setPass("rosalyn", "rsln-pass")
     kwargs = {}
     auth.setAuth("calvin", kwargs, auth="bearer")
     assert kwargs["headers"]["Authorization"] == "Bearer clv-token"
@@ -133,6 +132,14 @@ def test_authenticator_token():
     except ft.FlaskTesterError:
         assert True, "error raised"
     # rosalyn as a password, but no password carrier is allowed
+    try:
+        auth.setPass("rosalyn", "rsln-pass")
+        assert False, "must raise an error"  # pragma: no cover
+    except ft.AuthError:
+        assert True, "error raised"
+    # force to trigger later errors
+    auth._has_pass = True
+    auth.setPass("rosalyn", "rsln-pass")
     try:
         kwargs={}
         auth.setAuth("rosalyn", kwargs)
@@ -147,7 +154,6 @@ def test_authenticator_password():
     auth.setPass("hobbes", "hbs-pass")
     auth.setPass("moe", "m-pass")
     auth.setPass("rosalyn", "rsln-pass")
-    auth.setToken("susie", "ss-token")
     kwargs = {}
     auth.setAuth("calvin", kwargs, auth="basic")
     assert kwargs["auth"] == ("calvin", "clv-pass")
@@ -164,6 +170,14 @@ def test_authenticator_password():
     auth.setAuth("hobbes", kwargs, auth="fake")
     assert kwargs["json"]["LOGIN"] == "hobbes"
     # susie as a token, but no token carrier is allowed
+    try:
+        auth.setToken("susie", "ss-token")
+        assert False, "must raise an error"  # pragma: no cover
+    except ft.FlaskTesterError:
+        assert True, "error raised"
+    # force to trigger later error
+    auth._has_token = True
+    auth.setToken("susie", "ss-token")
     try:
         kwargs={}
         auth.setAuth("susie", kwargs)