From 9e4f840d2d831729f02ae87dbe214acb330f087d Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sun, 13 Dec 2020 20:38:56 +0100
Subject: [PATCH] api: add token tests
---
 authentik/api/auth.py | 3 ++-
 authentik/api/tests.py | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 authentik/api/tests.py
diff --git a/authentik/api/auth.py b/authentik/api/auth.py
index 9b0163356..18f246409 100644
--- a/authentik/api/auth.py
+++ b/authentik/api/auth.py
@@ -1,5 +1,6 @@
 """API Authentication"""
 from base64 import b64decode
+from binascii import Error
 from typing import Any, Optional, Tuple, Union
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
@@ -24,7 +25,7 @@ def token_from_header(raw_header: bytes) -> Optional[Token]:
 return None
 try:
 auth_credentials = b64decode(auth_credentials.encode()).decode()
- except UnicodeDecodeError:
+ except (UnicodeDecodeError, Error):
 return None
 # Accept credentials with username and without
 if ":" in auth_credentials:
diff --git a/authentik/api/tests.py b/authentik/api/tests.py
new file mode 100644
index 000000000..855958e21
--- /dev/null
+++ b/authentik/api/tests.py
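Review bot: In `authentik/api/auth.py`, the `b64decode` call inside `token_from_header` still runs in its default lenient mode, so the newly caught `binascii.Error` mainly covers padding and length failures, while characters outside the base64 alphabet are silently discarded and the rest is decoded. A credential parser is safer when it rejects anything that is not well-formed base64, e.g. `auth_credentials = b64decode(auth_credentials.encode(), validate=True).decode()`, which raises the same `binascii.Error` and is therefore already handled by the widened `except`. As a style point, `from binascii import Error` puts a very generic name into module scope; `import binascii` with `except (UnicodeDecodeError, binascii.Error):` makes the origin obvious. The function body starts and ends outside this hunk, so the credential split and token lookup that follow the decode are not visible here.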
@@ -0,0 +1,40 @@
+"""Test API Authentication"""
+from base64 import b64encode
+
+from django.test import TestCase
+from guardian.shortcuts import get_anonymous_user
+
+from authentik.api.auth import token_from_header
+from authentik.core.models import Token, TokenIntents
+
+
+class TestAPIAuth(TestCase):
+ """Test API Authentication"""
+
+ def setUp(self) -> None:
+ super().setUp()
+
+ def test_valid(self):
+ """Test valid token"""
+ token = Token.objects.create(
+ intent=TokenIntents.INTENT_API, user=get_anonymous_user()
+ )
+ auth = b64encode(f":{token.key}".encode()).decode()
+ self.assertEqual(token_from_header(f"Basic {auth}".encode()), token)
+
+ def test_invalid_type(self):
+ """Test invalid type"""
+ self.assertIsNone(token_from_header("foo bar".encode()))
+
+ def test_invalid_decode(self):
+ """Test invalid bas64"""
+ self.assertIsNone(token_from_header("Basic bar".encode()))
+
+ def test_invalid_empty_password(self):
+ """Test invalid with empty password"""
+ self.assertIsNone(token_from_header("Basic :".encode()))
+
+ def test_invalid_no_token(self):
+ """Test invalid with no token"""
+ auth = b64encode(":abc".encode()).decode()
+ self.assertIsNone(token_from_header(f"Basic :{auth}".encode()))
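Review bot: `test_invalid_empty_password` and `test_invalid_no_token` in `authentik/api/tests.py` do not exercise the paths their names describe, because both place a raw `:` in the header instead of base64-encoding it. `"Basic :"` is not the encoding of an empty password; with the lenient `b64decode` that `token_from_header` uses, the `:` is most likely discarded and the test passes on an empty decode rather than on the `":" in auth_credentials` branch. Encode the credentials first, e.g. `auth = b64encode(b":").decode()` followed by `self.assertIsNone(token_from_header(f"Basic {auth}".encode()))`, and drop the stray `:` in `test_invalid_no_token` so the header is `f"Basic {auth}"`. A negative case for a token whose intent is not `TokenIntents.INTENT_API` would also be worth adding if the lookup filters on intent, which is not visible in this diff.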