mirror of
https://github.com/aljazceru/CTFd.git
synced 2025-12-17 14:04:20 +01:00
7cf6d2b43a
2.5.0 / 2020-06-02 ================== **General** * Use a session invalidation strategy inspired by Django. Newly generated user sessions will now include a HMAC of the user's password. When the user's password is changed by someone other than the user the previous HMACs will no longer be valid and the user will be logged out when they next attempt to perform an action. * A user and team's place, and score are now cached and invalidated on score changes. **API** * Add `/api/v1/challenges?view=admin` to allow admin users to see all challenges regardless of their visibility state * Add `/api/v1/users?view=admin` to allow admin users to see all users regardless of their hidden/banned state * Add `/api/v1/teams?view=admin` to allow admin users to see all teams regardless of their hidden/banned state * The scoreboard endpoints `/api/v1/scoreboard` & `/api/v1/scoreboard/top/[count]` should now be more performant because score and place for Users/Teams are now cached **Deployment** * `docker-compose` now provides a basic nginx configuration and deploys nginx on port 80 **Miscellaneous** * The `get_config` and `get_page` config utilities now use SQLAlchemy Core instead of SQLAlchemy ORM for slight speedups * Update Flask-Migrate to 2.5.3 and regenerate the migration environment. Fixes using `%` signs in database passwords.
63 lines
1.9 KiB
Python
63 lines
1.9 KiB
Python
from tests.helpers import create_ctfd, destroy_ctfd, login_as_user, register_user
|
|
|
|
|
|
def test_sessions_set_httponly():
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
with app.test_client() as client:
|
|
r = client.get("/")
|
|
cookie = dict(r.headers)["Set-Cookie"]
|
|
assert "HttpOnly;" in cookie
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_sessions_set_samesite():
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
with app.test_client() as client:
|
|
r = client.get("/")
|
|
cookie = dict(r.headers)["Set-Cookie"]
|
|
assert "SameSite=" in cookie
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_session_invalidation_on_admin_password_change():
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
register_user(app)
|
|
with login_as_user(app, name="admin") as admin, login_as_user(app) as user:
|
|
|
|
r = user.get("/settings")
|
|
assert r.status_code == 200
|
|
|
|
r = admin.patch("/api/v1/users/2", json={"password": "password2"})
|
|
assert r.status_code == 200
|
|
|
|
r = user.get("/settings")
|
|
# User's password was changed
|
|
# They should be logged out
|
|
assert r.location.startswith("http://localhost/login")
|
|
assert r.status_code == 302
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_session_invalidation_on_user_password_change():
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
register_user(app)
|
|
with login_as_user(app) as user:
|
|
|
|
r = user.get("/settings")
|
|
assert r.status_code == 200
|
|
|
|
data = {"confirm": "password", "password": "new_password"}
|
|
|
|
r = user.patch("/api/v1/users/me", json=data)
|
|
assert r.status_code == 200
|
|
|
|
r = user.get("/settings")
|
|
# User initiated their own password change
|
|
# They should not be logged out
|
|
assert r.status_code == 200
|
|
destroy_ctfd(app)
|