starlette/tests/middleware/test_session.py

import re

from starlette.applications import Starlette
from starlette.middleware.sessions import SessionMiddleware
from starlette.responses import JSONResponse
from starlette.testclient import TestClient


def view_session(request):
    return JSONResponse({"session": request.session})


async def update_session(request):
    data = await request.json()
    request.session.update(data)
    return JSONResponse({"session": request.session})


async def clear_session(request):
    request.session.clear()
    return JSONResponse({"session": request.session})


def create_app():
    app = Starlette()
    app.add_route("/view_session", view_session)
    app.add_route("/update_session", update_session, methods=["POST"])
    app.add_route("/clear_session", clear_session, methods=["POST"])
    return app


def test_session():
    app = create_app()
    app.add_middleware(SessionMiddleware, secret_key="example")
    client = TestClient(app)

    response = client.get("/view_session")
    assert response.json() == {"session": {}}

    response = client.post("/update_session", json={"some": "data"})
    assert response.json() == {"session": {"some": "data"}}

    # check cookie max-age
    set_cookie = response.headers["set-cookie"]
    max_age_matches = re.search(r"; Max-Age=([0-9]+);", set_cookie)
    assert max_age_matches is not None
    assert int(max_age_matches[1]) == 14 * 24 * 3600

    response = client.get("/view_session")
    assert response.json() == {"session": {"some": "data"}}

    response = client.post("/clear_session")
    assert response.json() == {"session": {}}

    response = client.get("/view_session")
    assert response.json() == {"session": {}}


def test_session_expires():
    app = create_app()
    app.add_middleware(SessionMiddleware, secret_key="example", max_age=-1)
    client = TestClient(app)

    response = client.post("/update_session", json={"some": "data"})
    assert response.json() == {"session": {"some": "data"}}

    # requests removes expired cookies from response.cookies, we need to
    # fetch session id from the headers and pass it explicitly
    expired_cookie_header = response.headers["set-cookie"]
    expired_session_value = re.search(r"session=([^;]*);", expired_cookie_header)[1]
    response = client.get("/view_session", cookies={"session": expired_session_value})
    assert response.json() == {"session": {}}


def test_secure_session():
    app = create_app()
    app.add_middleware(SessionMiddleware, secret_key="example", https_only=True)
    secure_client = TestClient(app, base_url="https://testserver")
    unsecure_client = TestClient(app, base_url="http://testserver")

    response = unsecure_client.get("/view_session")
    assert response.json() == {"session": {}}

    response = unsecure_client.post("/update_session", json={"some": "data"})
    assert response.json() == {"session": {"some": "data"}}

    response = unsecure_client.get("/view_session")
    assert response.json() == {"session": {}}

    response = secure_client.get("/view_session")
    assert response.json() == {"session": {}}

    response = secure_client.post("/update_session", json={"some": "data"})
    assert response.json() == {"session": {"some": "data"}}

    response = secure_client.get("/view_session")
    assert response.json() == {"session": {"some": "data"}}

    response = secure_client.post("/clear_session")
    assert response.json() == {"session": {}}

    response = secure_client.get("/view_session")
    assert response.json() == {"session": {}}
Session cookie expires (#326) * Set Max-Age on session cookies * Format max-age as int 2019-01-18 12:59:27 +00:00			`import re`

Session middleware (#157) * Use isort for consistent import ordering * Add SessionMmiddleware support * Add SessionMiddleware support 2018-10-29 16:16:51 +00:00			`from starlette.applications import Starlette`
			`from starlette.middleware.sessions import SessionMiddleware`
			`from starlette.responses import JSONResponse`
			`from starlette.testclient import TestClient`


			`def view_session(request):`
			`return JSONResponse({"session": request.session})`


			`async def update_session(request):`
			`data = await request.json()`
			`request.session.update(data)`
			`return JSONResponse({"session": request.session})`


Support clearing sessions (#158) * Use isort for consistent import ordering * Add SessionMmiddleware support * Add SessionMiddleware support * Support clearing sessions * Version 0.6.2 2018-10-29 16:43:40 +00:00			`async def clear_session(request):`
			`request.session.clear()`
			`return JSONResponse({"session": request.session})`
Session middleware (#157) * Use isort for consistent import ordering * Add SessionMmiddleware support * Add SessionMiddleware support 2018-10-29 16:16:51 +00:00

Implement session expiry with configurable maximum age (#186) * Set a maximum age for sessions * Test session expiry for full coverage * Fix mypy error * Handle old-style sessions (ie. no timestamp) 2018-11-08 11:59:27 +00:00			`def create_app():`
			`app = Starlette()`
			`app.add_route("/view_session", view_session)`
			`app.add_route("/update_session", update_session, methods=["POST"])`
			`app.add_route("/clear_session", clear_session, methods=["POST"])`
			`return app`


Session middleware (#157) * Use isort for consistent import ordering * Add SessionMmiddleware support * Add SessionMiddleware support 2018-10-29 16:16:51 +00:00			`def test_session():`
Implement session expiry with configurable maximum age (#186) * Set a maximum age for sessions * Test session expiry for full coverage * Fix mypy error * Handle old-style sessions (ie. no timestamp) 2018-11-08 11:59:27 +00:00			`app = create_app()`
			`app.add_middleware(SessionMiddleware, secret_key="example")`
Support clearing sessions (#158) * Use isort for consistent import ordering * Add SessionMmiddleware support * Add SessionMiddleware support * Support clearing sessions * Version 0.6.2 2018-10-29 16:43:40 +00:00			`client = TestClient(app)`

Session middleware (#157) * Use isort for consistent import ordering * Add SessionMmiddleware support * Add SessionMiddleware support 2018-10-29 16:16:51 +00:00			`response = client.get("/view_session")`
			`assert response.json() == {"session": {}}`

			`response = client.post("/update_session", json={"some": "data"})`
			`assert response.json() == {"session": {"some": "data"}}`

Session cookie expires (#326) * Set Max-Age on session cookies * Format max-age as int 2019-01-18 12:59:27 +00:00			`# check cookie max-age`
			`set_cookie = response.headers["set-cookie"]`
			`max_age_matches = re.search(r"; Max-Age=([0-9]+);", set_cookie)`
			`assert max_age_matches is not None`
			`assert int(max_age_matches[1]) == 14 * 24 * 3600`

Session middleware (#157) * Use isort for consistent import ordering * Add SessionMmiddleware support * Add SessionMiddleware support 2018-10-29 16:16:51 +00:00			`response = client.get("/view_session")`
			`assert response.json() == {"session": {"some": "data"}}`
Support clearing sessions (#158) * Use isort for consistent import ordering * Add SessionMmiddleware support * Add SessionMiddleware support * Support clearing sessions * Version 0.6.2 2018-10-29 16:43:40 +00:00
			`response = client.post("/clear_session")`
			`assert response.json() == {"session": {}}`

			`response = client.get("/view_session")`
			`assert response.json() == {"session": {}}`
Implement session expiry with configurable maximum age (#186) * Set a maximum age for sessions * Test session expiry for full coverage * Fix mypy error * Handle old-style sessions (ie. no timestamp) 2018-11-08 11:59:27 +00:00

			`def test_session_expires():`
			`app = create_app()`
			`app.add_middleware(SessionMiddleware, secret_key="example", max_age=-1)`
			`client = TestClient(app)`

			`response = client.post("/update_session", json={"some": "data"})`
			`assert response.json() == {"session": {"some": "data"}}`

Session cookie expires (#326) * Set Max-Age on session cookies * Format max-age as int 2019-01-18 12:59:27 +00:00			`# requests removes expired cookies from response.cookies, we need to`
			`# fetch session id from the headers and pass it explicitly`
			`expired_cookie_header = response.headers["set-cookie"]`
			`expired_session_value = re.search(r"session=([^;]*);", expired_cookie_header)[1]`
			`response = client.get("/view_session", cookies={"session": expired_session_value})`
Implement session expiry with configurable maximum age (#186) * Set a maximum age for sessions * Test session expiry for full coverage * Fix mypy error * Handle old-style sessions (ie. no timestamp) 2018-11-08 11:59:27 +00:00			`assert response.json() == {"session": {}}`
Add security flags to session cookie (#276) * Add security flags to session cookie Flags: Secure, HttpOnly and SameSite=lax * Remove Secure flag * Add options for security flags in SessionMiddleware * Add tests for secure session * Lint files that Travis would like to reformat Only related to pull request * Return space between imports * Add documentation for session security flags options * Format default values 2018-12-17 16:33:41 +00:00

			`def test_secure_session():`
			`app = create_app()`
			`app.add_middleware(SessionMiddleware, secret_key="example", https_only=True)`
			`secure_client = TestClient(app, base_url="https://testserver")`
			`unsecure_client = TestClient(app, base_url="http://testserver")`

			`response = unsecure_client.get("/view_session")`
			`assert response.json() == {"session": {}}`

			`response = unsecure_client.post("/update_session", json={"some": "data"})`
			`assert response.json() == {"session": {"some": "data"}}`

			`response = unsecure_client.get("/view_session")`
			`assert response.json() == {"session": {}}`

			`response = secure_client.get("/view_session")`
			`assert response.json() == {"session": {}}`

			`response = secure_client.post("/update_session", json={"some": "data"})`
			`assert response.json() == {"session": {"some": "data"}}`

			`response = secure_client.get("/view_session")`
			`assert response.json() == {"session": {"some": "data"}}`

			`response = secure_client.post("/clear_session")`
			`assert response.json() == {"session": {}}`

			`response = secure_client.get("/view_session")`
			`assert response.json() == {"session": {}}`