Skip to content

Commit 330915e

Browse files
committed
add tests for DRF API token regneration
1 parent 41bc22c commit 330915e

1 file changed

Lines changed: 60 additions & 0 deletions

File tree

tom_common/tests.py

Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -232,6 +232,66 @@ def test_user_profile(self):
232232
self.assertEqual(user.profile.affiliation, 'Test University')
233233

234234

235+
class TestRegenerateAPIToken(TestCase):
236+
"""Tests for the RegenerateAPITokenView."""
237+
238+
def setUp(self):
239+
self.admin = User.objects.create_superuser(username='admin', password='admin', email='admin@example.com')
240+
self.user = User.objects.create_user(username='testuser', password='testpass', email='user@example.com')
241+
# Tokens are auto-created by the post_save signal in tom_common.signals
242+
243+
def test_regenerate_own_token(self):
244+
"""A logged-in user can regenerate their own API token."""
245+
self.client.force_login(self.user)
246+
old_token_key = self.user.auth_token.key
247+
248+
# token regeneration happens here
249+
response = self.client.post(reverse('regenerate-api-token', kwargs={'pk': self.user.pk}))
250+
251+
self.user.refresh_from_db()
252+
new_token_key = self.user.auth_token.key
253+
254+
self.assertNotEqual(old_token_key, new_token_key)
255+
self.assertRedirects(response, reverse('user-update', kwargs={'pk': self.user.pk}))
256+
257+
def test_non_superuser_cannot_regenerate_other_user_token(self):
258+
"""A non-superuser cannot regenerate another user's token."""
259+
self.client.force_login(self.user)
260+
old_token_key = self.admin.auth_token.key
261+
262+
response = self.client.post(reverse('regenerate-api-token', kwargs={'pk': self.admin.pk}))
263+
264+
# Should redirect to the requesting user's own update page
265+
self.assertRedirects(response, reverse('user-update', kwargs={'pk': self.user.pk}))
266+
# Admin's token should be unchanged
267+
self.admin.refresh_from_db()
268+
self.assertEqual(old_token_key, self.admin.auth_token.key)
269+
270+
def test_superuser_can_regenerate_other_user_token(self):
271+
"""A superuser can regenerate another user's token."""
272+
self.client.force_login(self.admin)
273+
old_token_key = self.user.auth_token.key
274+
275+
response = self.client.post(reverse('regenerate-api-token', kwargs={'pk': self.user.pk}))
276+
277+
self.user.refresh_from_db()
278+
new_token_key = self.user.auth_token.key
279+
self.assertNotEqual(old_token_key, new_token_key)
280+
self.assertRedirects(response, reverse('user-update', kwargs={'pk': self.user.pk}))
281+
282+
def test_get_request_returns_405(self):
283+
"""GET requests should return 405 Method Not Allowed."""
284+
self.client.force_login(self.user)
285+
response = self.client.get(reverse('regenerate-api-token', kwargs={'pk': self.user.pk}))
286+
self.assertEqual(response.status_code, HTTPStatus.METHOD_NOT_ALLOWED)
287+
288+
def test_unauthenticated_redirects_to_login(self):
289+
"""Unauthenticated requests should redirect to login."""
290+
response = self.client.post(reverse('regenerate-api-token', kwargs={'pk': self.user.pk}))
291+
self.assertRedirects(response, reverse('login') + '?next=' +
292+
reverse('regenerate-api-token', kwargs={'pk': self.user.pk}))
293+
294+
235295
class TestAuthScheme(TestCase):
236296
@override_settings(AUTH_STRATEGY='LOCKED')
237297
def test_user_cannot_access_view(self):

0 commit comments

Comments
 (0)