Verification serializers and views

Author: aaronn

drfpasswordless/serializers.py

@@ -44,8 +44,7 @@ def validate(self, attrs):
 
         if alias:
             # Create or authenticate a user
-            # Return a token for them to log in
-            # Consider moving this into somewhere else. Serializer should only serialize.
+            # Return THem
 
             if api_settings.PASSWORDLESS_REGISTER_NEW_USERS is True:
                 # If new aliases should register new users.
@@ -88,6 +87,68 @@ class MobileAuthSerializer(AbstractBaseAliasAuthenticationSerializer):
     mobile = serializers.CharField(validators=[phone_regex], max_length=15)
 
 
+"""
+Verification
+"""
+
+
+class AbstractBaseAliasVerificationSerializer(serializers.Serializer):
+    """
+    Abstract class that returns a callback token based on the field given
+    Returns a token if valid, None or a message if not.
+    """
+    @property
+    def alias_type(self):
+        # The alias type, either email or mobile
+        raise NotImplementedError
+
+    def validate(self, attrs):
+        alias = attrs.get(self.alias_type)
+
+        if alias:
+            # Get request.user
+            # Get their specified valid endpoint
+            # Validate
+
+            request = self.context.get("request")
+            if request and hasattr(request, "user"):
+                user = request.user
+                user = user.refresh_from_db()
+
+                if user:
+                    if not user.is_active:
+                        # If valid, return attrs so we can create a token in our logic controller
+                        msg = _('User account is disabled.')
+
+                    else:
+                        if hasattr(user, self.alias_type):
+                            # Has the appropriate alias type
+                            alias = getattr(user, self.alias_type)
+
+                            if alias:
+                                attrs['user'] = user
+                                return attrs
+                            else:
+                                msg = _('This user doesn\'t have an %s.' % self.alias_type)
+                                raise serializers.ValidationError(msg)
+            else:
+                msg = _('There was a problem with your request.')
+            raise serializers.ValidationError(msg)
+        else:
+            msg = _('Missing %s.') % self.alias_type
+            raise serializers.ValidationError(msg)
+
+
+class EmailVerificationSerializer(AbstractBaseAliasAuthenticationSerializer):
+
+    alias_type = 'email'
+
+
+class MobileVerificationSerializer(AbstractBaseAliasAuthenticationSerializer):
+
+    alias_type = 'mobile'
+
+
 """
 Callback Token
 """

drfpasswordless/utils.py

@@ -133,12 +133,12 @@ def send_email_with_callback_token(self, user, email_token, **kwargs):
                 html_message=html_message,)
 
         else:
-            log.debug("Failed to send login email. Missing PASSWORDLESS_EMAIL_NOREPLY_ADDRESS.")
+            log.debug("Failed to send token email. Missing PASSWORDLESS_EMAIL_NOREPLY_ADDRESS.")
             return False
         return True
 
     except Exception as e:
-        log.debug("Failed to send login email to user: %d."
+        log.debug("Failed to send token email to user: %d."
                   "Possibly no email on user object. Email entered was %s" %
                   (user.id, getattr(user, api_settings.PASSWORDLESS_USER_EMAIL_FIELD_NAME)))
         log.debug(e)
@@ -170,7 +170,7 @@ def send_sms_with_callback_token(self, user, mobile_token, **kwargs):
             )
             return True
         else:
-            log.debug("Failed to send login sms. Missing PASSWORDLESS_MOBILE_NOREPLY_NUMBER.")
+            log.debug("Failed to send token sms. Missing PASSWORDLESS_MOBILE_NOREPLY_NUMBER.")
             return False
     except ImportError:
         log.debug("Couldn't import Twilio client. Is twilio installed?")
@@ -179,7 +179,7 @@ def send_sms_with_callback_token(self, user, mobile_token, **kwargs):
         log.debug("Couldn't send SMS."
                   "Did you set your Twilio account tokens and specify a PASSWORDLESS_MOBILE_NOREPLY_NUMBER?")
     except Exception as e:
-        log.debug("Failed to send login SMS to user: %d. "
+        log.debug("Failed to send token SMS to user: %d. "
                   "Possibly no mobile number on user object or the twilio package isn't set up yet. "
                   "Number entered was %s" % (user.id, getattr(user, api_settings.PASSWORDLESS_USER_MOBILE_FIELD_NAME)))
         log.debug(e)

drfpasswordless/views.py

@@ -4,7 +4,12 @@
 from rest_framework.response import Response
 from rest_framework.views import APIView
 from .settings import api_settings
-from .serializers import EmailAuthSerializer, MobileAuthSerializer, CallbackTokenAuthSerializer, CallbackTokenVerificationSerializer
+from .serializers import (EmailAuthSerializer,
+                          MobileAuthSerializer,
+                          CallbackTokenAuthSerializer,
+                          CallbackTokenVerificationSerializer,
+                          EmailVerificationSerializer,
+                          MobileVerificationSerializer,)
 from .utils import send_sms_with_callback_token, send_email_with_callback_token, create_callback_token_for_user
 
 log = logging.getLogger(__name__)
@@ -44,7 +49,7 @@ def post(self, request, *args, **kwargs):
             # Only allow auth types allowed in settings.
             return Response(status=status.HTTP_404_NOT_FOUND)
 
-        serializer = self.serializer_class(data=request.data)
+        serializer = self.serializer_class(data=request.data, context={'request': request})
         if serializer.is_valid(raise_exception=True):
             # Validate -
             user = serializer.validated_data['user']
@@ -94,7 +99,7 @@ class ObtainMobileCallbackToken(AbstractBaseObtainCallbackToken):
 
 
 class ObtainEmailVerificationCallbackToken(AbstractBaseObtainCallbackToken):
-    serializer_class = EmailAuthSerializer
+    serializer_class = EmailVerificationSerializer
     send_action = send_email_with_callback_token
     success_response = "A verification token has been sent to your email."
     failure_response = "Unable to email you a verification code. Try again later."
@@ -110,7 +115,7 @@ class ObtainEmailVerificationCallbackToken(AbstractBaseObtainCallbackToken):
 
 
 class ObtainMobileVerificationCallbackToken(AbstractBaseObtainCallbackToken):
-    serializer_class = MobileAuthSerializer
+    serializer_class = MobileVerificationSerializer
     send_action = send_sms_with_callback_token
     success_response = "We texted you a verification code."
     failure_response = "Unable to send you a verification code. Try again later."

tests/test_verification.py

@@ -0,0 +1,114 @@
+from rest_framework import status
+from rest_framework.authtoken.models import Token
+from rest_framework.test import APITestCase
+
+from django.contrib.auth import get_user_model
+from drfpasswordless.settings import api_settings, DEFAULTS
+from drfpasswordless.utils import CallbackToken
+
+User = get_user_model()
+
+
+class AliasEmailVerificationEndpointTests(APITestCase):
+
+    def setUp(self):
+        api_settings.PASSWORDLESS_AUTH_TYPES = ['EMAIL']
+        api_settings.PASSWORDLESS_EMAIL_NOREPLY_ADDRESS = 'noreply@example.com'
+        api_settings.PASSWORDLESS_USER_MARK_EMAIL_VERIFIED = True
+
+        self.url = '/auth/email/'
+        self.callback_url = '/callback/auth/'
+        self.verify_url = '/verify/email/'
+        self.verify_callback = '/callback/verify/'
+        self.email_field_name = api_settings.PASSWORDLESS_USER_EMAIL_FIELD_NAME
+        self.email_verified_field_name = api_settings.PASSWORDLESS_USER_EMAIL_VERIFIED_FIELD_NAME
+
+    def test_email_unverified_to_verified_and_back(self):
+        email = 'aaron@example.com'
+        data = {'email': email}
+
+        # create a new user
+        response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        user = User.objects.get(**{self.email_field_name: email})
+        self.assertNotEqual(user, None)
+        self.assertEqual(getattr(user, self.email_verified_field_name), False)
+
+        # Verify a token exists for the user, sign in and check verified again
+        callback = CallbackToken.objects.filter(user=user, is_active=True).first()
+        callback_data = {'token': callback}
+        callback_response = self.client.post(self.callback_url, callback_data)
+        self.assertEqual(callback_response.status_code, status.HTTP_200_OK)
+
+        # Verify we got the token, then check and see that email_verified is now verified
+        token = callback_response.data['token']
+        self.assertEqual(token, Token.objects.get(user=user).key)
+
+        # Refresh and see that the endpoint is now verified as True
+        user.refresh_from_db()
+        self.assertEqual(getattr(user, self.email_verified_field_name), True)
+
+        # Change email, should result in flag changing to false
+        setattr(user, self.email_field_name, 'aaron2@example.com')
+        user.save()
+        user.refresh_from_db()
+        self.assertEqual(getattr(user, self.email_verified_field_name), False)
+
+        # Use verification endpoints to mark as true
+
+
+    def tearDown(self):
+        api_settings.PASSWORDLESS_AUTH_TYPES = DEFAULTS['PASSWORDLESS_AUTH_TYPES']
+        api_settings.PASSWORDLESS_EMAIL_NOREPLY_ADDRESS = DEFAULTS['PASSWORDLESS_EMAIL_NOREPLY_ADDRESS']
+        api_settings.PASSWORDLESS_USER_MARK_EMAIL_VERIFIED = DEFAULTS['PASSWORDLESS_USER_MARK_MOBILE_VERIFIED']
+
+
+class AliasMobileVerificationEndpointTests(APITestCase):
+
+    def setUp(self):
+        api_settings.PASSWORDLESS_TEST_SUPPRESSION = True
+        api_settings.PASSWORDLESS_AUTH_TYPES = ['MOBILE']
+        api_settings.PASSWORDLESS_MOBILE_NOREPLY_NUMBER = '+15550000000'
+        api_settings.PASSWORDLESS_USER_MARK_MOBILE_VERIFIED = True
+
+        self.url = '/auth/mobile/'
+        self.callback_url = '/callback/auth/'
+        self.mobile_field_name = api_settings.PASSWORDLESS_USER_MOBILE_FIELD_NAME
+        self.mobile_verified_field_name = api_settings.PASSWORDLESS_USER_MOBILE_VERIFIED_FIELD_NAME
+
+    def test_mobile_unverified_to_verified_and_back(self):
+        mobile = '+15551234567'
+        data = {'mobile': mobile}
+
+        # create a new user
+        response = self.client.post(self.url, data)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        user = User.objects.get(**{self.mobile_field_name: mobile})
+        self.assertNotEqual(user, None)
+        self.assertEqual(getattr(user, self.mobile_verified_field_name), False)
+
+        # Verify a token exists for the user, sign in and check verified again
+        callback = CallbackToken.objects.filter(user=user, is_active=True).first()
+        callback_data = {'token': callback}
+        callback_response = self.client.post(self.callback_url, callback_data)
+        self.assertEqual(callback_response.status_code, status.HTTP_200_OK)
+
+        # Verify we got the token, then check and see that email_verified is now verified
+        token = callback_response.data['token']
+        self.assertEqual(token, Token.objects.get(user=user).key)
+
+        # Refresh and see that the endpoint is now verified as True
+        user.refresh_from_db()
+        self.assertEqual(getattr(user, self.mobile_verified_field_name), True)
+
+        # Change email, should result in flag changing to false
+        setattr(user, self.mobile_field_name, '+15557654321')
+        user.save()
+        user.refresh_from_db()
+        self.assertEqual(getattr(user, self.mobile_verified_field_name), False)
+
+    def tearDown(self):
+        api_settings.PASSWORDLESS_TEST_SUPPRESSION = DEFAULTS['PASSWORDLESS_TEST_SUPPRESSION']
+        api_settings.PASSWORDLESS_AUTH_TYPES = DEFAULTS['PASSWORDLESS_AUTH_TYPES']
+        api_settings.PASSWORDLESS_MOBILE_NOREPLY_ADDRESS = DEFAULTS['PASSWORDLESS_EMAIL_NOREPLY_ADDRESS']
+        api_settings.PASSWORDLESS_USER_MARK_MOBILE_VERIFIED = DEFAULTS['PASSWORDLESS_USER_MARK_MOBILE_VERIFIED']