from datetime import datetime, timedelta from http.cookies import SimpleCookie from unittest.mock import Mock import pytest from sanic import Request, Sanic from sanic.compat import Header from sanic.cookies import Cookie, CookieJar from sanic.cookies.request import CookieRequestParameters from sanic.exceptions import ServerError from sanic.response import text from sanic.response.convenience import json # ------------------------------------------------------------ # # GET # ------------------------------------------------------------ # def test_cookies(app): @app.route("/") def handler(request): cookie_value = request.cookies["test"] response = text(f"Cookies are: {cookie_value}") response.cookies["right_back"] = "at you" return response request, response = app.test_client.get("/", cookies={"test": "working!"}) response_cookies = SimpleCookie() response_cookies.load(response.headers.get("Set-Cookie", {})) assert response.text == "Cookies are: working!" assert response_cookies["right_back"].value == "at you" @pytest.mark.asyncio async def test_cookies_asgi(app): @app.route("/") def handler(request): cookie_value = request.cookies["test"] response = text(f"Cookies are: {cookie_value}") response.cookies["right_back"] = "at you" return response request, response = await app.asgi_client.get( "/", cookies={"test": "working!"} ) response_cookies = SimpleCookie() response_cookies.load(response.headers.get("set-cookie", {})) assert response.body == b"Cookies are: working!" assert response_cookies["right_back"].value == "at you" @pytest.mark.parametrize("httponly,expected", [(False, False), (True, True)]) def test_false_cookies_encoded(app, httponly, expected): @app.route("/") def handler(request): response = text("hello cookies") response.cookies["hello"] = "world" response.cookies["hello"]["httponly"] = httponly return text(response.cookies["hello"].encode("utf8").decode()) request, response = app.test_client.get("/") assert ("HttpOnly" in response.text) == expected @pytest.mark.parametrize("httponly,expected", [(False, False), (True, True)]) def test_false_cookies(app, httponly, expected): @app.route("/") def handler(request): response = text("hello cookies") response.cookies["right_back"] = "at you" response.cookies["right_back"]["httponly"] = httponly return response request, response = app.test_client.get("/") response_cookies = SimpleCookie() response_cookies.load(response.headers.get("Set-Cookie", {})) assert ("HttpOnly" in response_cookies["right_back"].output()) == expected def test_http2_cookies(app): @app.route("/") async def handler(request): cookie_value = request.cookies["test"] response = text(f"Cookies are: {cookie_value}") return response headers = {"cookie": "test=working!"} request, response = app.test_client.get("/", headers=headers) assert response.text == "Cookies are: working!" def test_cookie_options(app): @app.route("/") def handler(request): response = text("OK") response.cookies["test"] = "at you" response.cookies["test"]["httponly"] = True response.cookies["test"]["expires"] = datetime.now() + timedelta( seconds=10 ) return response request, response = app.test_client.get("/") response_cookies = SimpleCookie() response_cookies.load(response.headers.get("Set-Cookie", {})) assert response_cookies["test"].value == "at you" assert response_cookies["test"]["httponly"] is True def test_cookie_deletion(app): cookie_jar = None @app.route("/") def handler(request): nonlocal cookie_jar response = text("OK") del response.cookies["one"] response.cookies["two"] = "testing" del response.cookies["two"] cookie_jar = response.cookies return response _, response = app.test_client.get("/") assert cookie_jar.get_cookie("one").max_age == 0 assert cookie_jar.get_cookie("two").max_age == 0 assert len(response.cookies) == 0 def test_cookie_reserved_cookie(): with pytest.raises(expected_exception=KeyError) as e: Cookie("domain", "testdomain.com") assert e.message == "Cookie name is a reserved word" def test_cookie_illegal_key_format(): with pytest.raises(expected_exception=KeyError) as e: Cookie("testå", "test") assert e.message == "Cookie key contains illegal characters" def test_cookie_set_unknown_property(): c = Cookie("test_cookie", "value") with pytest.raises(expected_exception=KeyError) as e: c["invalid"] = "value" assert e.message == "Unknown cookie property" def test_cookie_set_same_key(app): cookies = {"test": "wait"} @app.get("/") def handler(request): response = text("pass") response.cookies["test"] = "modified" response.cookies["test"] = "pass" return response request, response = app.test_client.get("/", cookies=cookies) assert response.status == 200 assert response.cookies["test"] == "pass" @pytest.mark.parametrize("max_age", ["0", 30, "30"]) def test_cookie_max_age(app, max_age): cookies = {"test": "wait"} @app.get("/") def handler(request): response = text("pass") response.cookies["test"] = "pass" response.cookies["test"]["max-age"] = max_age return response request, response = app.test_client.get( "/", cookies=cookies, raw_cookies=True ) assert response.status == 200 cookie = response.cookies.get("test") if ( str(max_age).isdigit() and int(max_age) == float(max_age) and int(max_age) != 0 ): cookie_expires = datetime.utcfromtimestamp( response.raw_cookies["test"].expires ).replace(microsecond=0) # Grabbing utcnow after the response may lead to it being off slightly. # Therefore, we 0 out the microseconds, and accept the test if there # is a 1 second difference. expires = datetime.utcnow().replace(microsecond=0) + timedelta( seconds=int(max_age) ) assert cookie == "pass" assert ( cookie_expires == expires or cookie_expires == expires + timedelta(seconds=-1) ) else: assert cookie is None @pytest.mark.parametrize("max_age", [30.0, 30.1, "test"]) def test_cookie_bad_max_age(app, max_age): cookies = {"test": "wait"} @app.get("/") def handler(request): response = text("pass") response.cookies["test"] = "pass" response.cookies["test"]["max-age"] = max_age return response request, response = app.test_client.get( "/", cookies=cookies, raw_cookies=True ) assert response.status == 500 @pytest.mark.parametrize("expires", [timedelta(seconds=60)]) def test_cookie_expires(app: Sanic, expires: timedelta): expires_time = datetime.utcnow().replace(microsecond=0) + expires cookies = {"test": "wait"} @app.get("/") def handler(request): response = text("pass") response.cookies["test"] = "pass" response.cookies["test"]["expires"] = expires_time return response request, response = app.test_client.get( "/", cookies=cookies, raw_cookies=True ) cookie_expires = datetime.utcfromtimestamp( response.raw_cookies["test"].expires ).replace(microsecond=0) assert response.status == 200 assert response.cookies["test"] == "pass" assert cookie_expires == expires_time @pytest.mark.parametrize("expires", ["Fri, 21-Dec-2018 15:30:00 GMT"]) def test_cookie_expires_illegal_instance_type(expires): c = Cookie("test_cookie", "value") with pytest.raises(expected_exception=TypeError) as e: c["expires"] = expires assert e.message == "Cookie 'expires' property must be a datetime" @pytest.mark.parametrize("value", ("foo=one; foo=two", "foo=one;foo=two")) def test_request_with_duplicate_cookie_key(value): headers = Header({"Cookie": value}) request = Request(b"/", headers, "1.1", "GET", Mock(), Mock()) assert request.cookies["foo"] == "one" assert request.cookies.get("foo") == "one" assert request.cookies.getlist("foo") == ["one", "two"] assert request.cookies.get("bar") is None def test_cookie_jar_cookies(): headers = Header() jar = CookieJar(headers) jar.add_cookie("foo", "one") jar.add_cookie("foo", "two", domain="example.com") assert len(jar.cookies) == 2 assert len(headers) == 2 def test_cookie_jar_has_cookie(): headers = Header() jar = CookieJar(headers) jar.add_cookie("foo", "one") jar.add_cookie("foo", "two", domain="example.com") assert jar.has_cookie("foo") assert jar.has_cookie("foo", domain="example.com") assert not jar.has_cookie("foo", path="/unknown") assert not jar.has_cookie("bar") def test_cookie_jar_get_cookie(): headers = Header() jar = CookieJar(headers) cookie1 = jar.add_cookie("foo", "one") cookie2 = jar.add_cookie("foo", "two", domain="example.com") assert jar.get_cookie("foo") is cookie1 assert jar.get_cookie("foo", domain="example.com") is cookie2 assert jar.get_cookie("foo", path="/unknown") is None assert jar.get_cookie("bar") is None def test_cookie_jar_add_cookie_encode(): headers = Header() jar = CookieJar(headers) jar.add_cookie("foo", "one") jar.add_cookie( "foo", "two", domain="example.com", path="/something", secure=True, max_age=999, httponly=True, samesite="strict", ) jar.add_cookie("foo", "three", secure_prefix=True) jar.add_cookie("foo", "four", host_prefix=True) jar.add_cookie("foo", "five", host_prefix=True, partitioned=True) encoded = [cookie.encode("ascii") for cookie in jar.cookies] assert encoded == [ b"foo=one; Path=/; SameSite=Lax; Secure", b"foo=two; Path=/something; Domain=example.com; Max-Age=999; SameSite=Strict; Secure; HttpOnly", # noqa b"__Secure-foo=three; Path=/; SameSite=Lax; Secure", b"__Host-foo=four; Path=/; SameSite=Lax; Secure", b"__Host-foo=five; Path=/; SameSite=Lax; Secure; Partitioned", ] def test_cookie_jar_old_school_cookie_encode(): headers = Header() jar = CookieJar(headers) jar["foo"] = "one" jar["bar"] = "two" jar["bar"]["domain"] = "example.com" jar["bar"]["path"] = "/something" jar["bar"]["secure"] = True jar["bar"]["max-age"] = 999 jar["bar"]["httponly"] = True jar["bar"]["samesite"] = "strict" encoded = [cookie.encode("ascii") for cookie in jar.cookies] assert encoded == [ b"foo=one; Path=/", b"bar=two; Path=/something; Domain=example.com; Max-Age=999; SameSite=Strict; Secure; HttpOnly", # noqa ] def test_cookie_jar_delete_cookie_encode(): headers = Header() jar = CookieJar(headers) jar.delete_cookie("foo") jar.delete_cookie("foo", domain="example.com") encoded = [cookie.encode("ascii") for cookie in jar.cookies] assert encoded == [ b'foo=""; Path=/; Max-Age=0; Secure', b'foo=""; Path=/; Domain=example.com; Max-Age=0; Secure', ] def test_cookie_jar_old_school_delete_encode(): headers = Header() jar = CookieJar(headers) del jar["foo"] encoded = [cookie.encode("ascii") for cookie in jar.cookies] assert encoded == [ b'foo=""; Path=/; Max-Age=0; Secure', ] def test_bad_cookie_prarms(): headers = Header() jar = CookieJar(headers) with pytest.raises( ServerError, match=( "Both host_prefix and secure_prefix were requested. " "A cookie should have only one prefix." ), ): jar.add_cookie("foo", "bar", host_prefix=True, secure_prefix=True) with pytest.raises( ServerError, match="Cannot set host_prefix on a cookie without secure=True", ): jar.add_cookie("foo", "bar", host_prefix=True, secure=False) with pytest.raises( ServerError, match="Cannot set host_prefix on a cookie unless path='/'", ): jar.add_cookie( "foo", "bar", host_prefix=True, secure=True, path="/foo" ) with pytest.raises( ServerError, match="Cannot set host_prefix on a cookie with a defined domain", ): jar.add_cookie( "foo", "bar", host_prefix=True, secure=True, domain="foo.bar" ) with pytest.raises( ServerError, match="Cannot set secure_prefix on a cookie without secure=True", ): jar.add_cookie("foo", "bar", secure_prefix=True, secure=False) with pytest.raises( ServerError, match=( "Cannot create a partitioned cookie without " "also setting host_prefix=True" ), ): jar.add_cookie("foo", "bar", partitioned=True) def test_cookie_accessors(app: Sanic): @app.get("/") async def handler(request: Request): return json( { "getitem": { "one": request.cookies["one"], "two": request.cookies["two"], "three": request.cookies["three"], }, "get": { "one": request.cookies.get("one", "fallback"), "two": request.cookies.get("two", "fallback"), "three": request.cookies.get("three", "fallback"), "four": request.cookies.get("four", "fallback"), }, "getlist": { "one": request.cookies.getlist("one", ["fallback"]), "two": request.cookies.getlist("two", ["fallback"]), "three": request.cookies.getlist("three", ["fallback"]), "four": request.cookies.getlist("four", ["fallback"]), }, "getattr": { "one": request.cookies.one, "two": request.cookies.two, "three": request.cookies.three, "four": request.cookies.four, }, } ) _, response = app.test_client.get( "/", cookies={ "__Host-one": "1", "__Secure-two": "2", "three": "3", }, ) assert response.json == { "getitem": { "one": "1", "two": "2", "three": "3", }, "get": { "one": "1", "two": "2", "three": "3", "four": "fallback", }, "getlist": { "one": ["1"], "two": ["2"], "three": ["3"], "four": ["fallback"], }, "getattr": { "one": "1", "two": "2", "three": "3", "four": "", }, } def test_cookie_accessor_hyphens(): cookies = CookieRequestParameters({"session-token": ["abc123"]}) assert cookies.get("session-token") == cookies.session_token def test_cookie_passthru(app): cookie_jar = None @app.route("/") def handler(request): nonlocal cookie_jar response = text("OK") response.add_cookie("one", "1", host_prefix=True) response.delete_cookie("two", secure_prefix=True) cookie_jar = response.cookies return response _, response = app.test_client.get("/") assert cookie_jar.get_cookie("two", secure_prefix=True).max_age == 0 assert len(response.cookies) == 1 assert response.cookies["__Host-one"] == "1"