How do I unit test HTTP Digest Authentication in Flask?

Question

I've got a flask app that implements a REST api. For reasons, I'm using HTTP Digest Authentication. I've used the Flask-HTTPAuth library to implement the digest authentication and it works; however, I am unable to authenticate in the unit tests.

For the unit tests, prior to setting up the authentication, I'm doing something like this:

class FooTestCase(unittest.TestCase):
    def setUp(self):
        self.app = foo.app.test_client()

    def test_root(self):
        response = self.app.get('/')
        # self.assert.... blah blah blah

Prior to implementing the authentication, this was fine. Now I get a 401, which is expected as the initial response for a digest auth request. I've searched and searched and followed a few suggestions related to http basic auth (using parameters data = { #various stuff} and follow_redirects=True) but I've had no success.

Does anyone have a clue how to implement unittests in this case?

Answer 1

Unfortunately digest authentication is harder to test or bypass in Flask-HTTPAuth.

One option is to actually calculate the correct hashes and perform the full authentication during tests. You can see a few examples of this in the Flask-HTTPAuth unit tests. Here is one:

def test_digest_auth_login_valid(self):
    response = self.client.get('/digest')
    self.assertTrue(response.status_code == 401)
    header = response.headers.get('WWW-Authenticate')
    auth_type, auth_info = header.split(None, 1)
    d = parse_dict_header(auth_info)

    a1 = 'john:' + d['realm'] + ':bye'
    ha1 = md5(a1).hexdigest()
    a2 = 'GET:/digest'
    ha2 = md5(a2).hexdigest()
    a3 = ha1 + ':' + d['nonce'] + ':' + ha2
    auth_response = md5(a3).hexdigest()

    response = self.client.get(
        '/digest', headers={
            'Authorization': 'Digest username="john",realm="{0}",'
                             'nonce="{1}",uri="/digest",response="{2}",'
                             'opaque="{3}"'.format(d['realm'],
                                                   d['nonce'],
                                                   auth_response,
                                                   d['opaque'])})
    self.assertEqual(response.data, b'digest_auth:john')

In this example, the username is john and the password is bye. Presumably you have some predetermined credentials for a user that can be used in unit tests, so you would plug those in the a1 variable above. This authentication dance can be included in an auxiliary function that wraps the sending of a request during tests, that way you don't have to repeat this in every test.

Answer 2

It's not neccessary to use real-world authentication in tests. Either disable authentication when running tests or create test user and use this test user in tests.

For example:

    @digest_auth.get_password
    def get_pw(username):
        if running_from_tests():
            if username == 'test':
                return 'testpw'
            else:
                return None
        else:
            # ... normal auth that you have

Of couse this test user must never be active in production :) For implementation of running_from_tests() see Test if code is executed from within a py.test session (if you are using py.test).