flask server

server/flask/application/test/__init__.py

@@ -0,0 +1,5 @@
+# import os, sys
+
+# currentDir = os.path.dirname(__file__)
+# parentDir = os.path.join(currentDir, '..')
+# sys.path.append(os.path.abspath(parentDir))

server/flask/application/test/backend/__init__.py

@@ -0,0 +1,5 @@
+import os, sys
+
+currentDir = os.path.dirname(__file__)
+parentDir = os.path.join(currentDir, '..')
+sys.path.append(os.path.abspath(parentDir))

server/flask/application/test/backend/test_token_generator_util.py

@@ -0,0 +1,78 @@
+import context
+import unittest
+import unittest.mock
+from copy import copy
+from flask import current_app
+
+import backend.token_generator_util as sut
+
+
+class SessionDAOTest(unittest.TestCase):
+
+    app = context.create_app({**context.default_test_config, "SECRECT_BYTE_COUNT": 52})
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_session_generated_is_proper(self, mock_time):
+        expected = None
+        user_id = 123
+        
+        with self.app.app_context():
+            actual = sut.generate_session(user_id)
+
+        self.assertEqual(20000+1000, actual.access_expires_at)
+        self.assertEqual(50000+1000, actual.refresh_expires_at)
+        self.assertEqual(user_id, actual.user_id)
+        self.assertEqual(70, len(actual.access_token))
+        self.assertEqual(70, len(actual.refresh_token))
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_two_sessions_are_not_equal(self, mock_time):
+        expected = None
+        user_id = 123
+        
+        with self.app.app_context():
+            session1 = sut.generate_session(user_id)
+            session2 = sut.generate_session(user_id)
+
+        session1Copy = copy(session1)
+        self.assertEqual(session1Copy, session1)
+        self.assertIsNot(session1Copy, session1)
+        self.assertNotEqual(session1, session2)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_two_sessions_are_not_equal(self, mock_time):
+        # how to get values = pyotp.TOTP('base32secret3232').at(1000+90)
+        secret = 'base32secret3232'
+        nowCode = 585501
+        nowMinus30SecCode = 572292
+        nowMinus60SecCode = 512128
+        nowMinus90SecCode = 440932
+        nowPlus30SecCode = 602066
+        nowPlus60SecCode = 893795
+        nowPlus90SecCode = 11418
+        with self.app.app_context():
+            actual = sut.verify_otp(secret, nowCode)
+            actual30SecBefore = sut.verify_otp(secret, nowMinus30SecCode)
+            actual60SecBefore = sut.verify_otp(secret, nowMinus60SecCode)
+            actual90SecBefore = sut.verify_otp(secret, nowMinus90SecCode)
+            actual30SecAfter = sut.verify_otp(secret, nowPlus30SecCode)
+            actual60SecAfter = sut.verify_otp(secret, nowPlus60SecCode)
+            actual90SecAfter = sut.verify_otp(secret, nowPlus90SecCode)
+
+        self.assertEqual(True, actual)
+        self.assertEqual(True, actual30SecBefore)
+        self.assertEqual(True, actual60SecBefore)
+        self.assertEqual(True, actual30SecAfter)
+        self.assertEqual(True, actual60SecAfter)
+        self.assertEqual(False, actual90SecBefore)
+        self.assertEqual(False, actual90SecAfter)
+
+    def test_url_is_proper(self):
+        secret = 'base32secret3232'
+        actual = sut.get_url(secret=secret, username='admin')
+        # URL can be verified by using text->QR code on https://www.the-qrcode-generator.com/
+        self.assertEqual('otpauth://totp/FnivesVOD:admin?secret=base32secret3232&issuer=FnivesVOD', actual)
+
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/context.py

@@ -0,0 +1,13 @@
+from backend.flask_project import create_app
+
+default_test_config = {
+    "DATABASE_PATH": "testdb",
+    "SESSION_ACCESS_EXPIRATION_IN_SECONDS": 20000,
+    "SESSION_REFRESH_EXPIRATION_IN_SECONDS": 50000,
+    "DATABASE_PATH": "testdb",
+    "MAX_PASSWORD_LENGTH": 64,
+    "MAX_USERNAME_LENGTH": 64,
+    "MAX_OTP_LENGTH": 16,
+    "MAX_TOKEN_LENGTH": 200,
+    "KEY_LENGTH": 30,
+}

server/flask/application/test/data/__init__.py

@@ -0,0 +1,5 @@
+import os, sys
+
+currentDir = os.path.dirname(__file__)
+parentDir = os.path.join(currentDir, '..')
+sys.path.append(os.path.abspath(parentDir))

server/flask/application/test/data/test_dao_registration_tokens.py

@@ -0,0 +1,75 @@
+import os,sys
+sys.path.append('../')
+import context
+import unittest
+import unittest.mock
+import time
+from flask import current_app
+import backend.data.db as db
+from backend.data.data_models import DataError
+
+import backend.data.dao_registration_tokens as sut
+
+class RegistrationTokenDAOTest(unittest.TestCase):
+
+    app = context.create_app(context.default_test_config)
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+    
+    def test_empty_db_contains_no_token(self):
+        token = "token"
+        
+        with self.app.app_context():
+            actual = sut.is_valid_token(token)
+
+        self.assertEqual(False, actual)
+    
+    def test_inserted_token_is_found(self):
+        token = "token"
+        
+        with self.app.app_context():
+            sut.insert_token(token)
+            actual = sut.is_valid_token(token)
+
+        self.assertEqual(True, actual)
+
+    def test_same_token_cannot_be_inserted_twice(self):
+        token = "token"
+        
+        with self.app.app_context():
+            sut.insert_token(token)
+            result = sut.insert_token(token)
+
+        self.assertEqual(DataError.REGISTRATION_CODE_ALREADY_EXISTS, result)
+
+    def test_token_deleted_is_not_found(self):
+        token = "token"
+        
+        with self.app.app_context():
+            sut.insert_token(token)
+            sut.delete_token(token)
+            actual = sut.is_valid_token(token)
+
+        self.assertEqual(False, actual)
+
+    def test_tokens_can_be_requested(self):
+        expected = ['token-1', 'token-3']
+        
+        with self.app.app_context():
+            sut.insert_token('token-1')
+            sut.insert_token('token-2')
+            sut.insert_token('token-3')
+            sut.delete_token('token-2')
+            actual = sut.get_tokens()
+
+        self.assertEqual(expected, actual)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/data/test_dao_reset_password_tokens.py

@@ -0,0 +1,83 @@
+import os,sys
+sys.path.append('../')
+import context
+import unittest
+import unittest.mock
+import time
+from flask import current_app
+import backend.data.db as db
+
+import backend.data.dao_reset_password_tokens as sut
+
+class ResetPasswordTokenDAOTest(unittest.TestCase):
+
+    app = context.create_app(context.default_test_config)
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+    
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_empty_db_contains_no_token(self, mock_time):
+        token = "token"
+        
+        with self.app.app_context():
+            actual = sut.is_valid_token(token = token, username = "")
+
+        self.assertEqual(False, actual)
+    
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_inserted_token_is_found(self, mock_time):
+        token = "token"
+        username = "usr"
+        
+        with self.app.app_context():
+            sut.insert_token(token = token, username = username, expires_at = 2000)
+            actual = sut.is_valid_token(token = token, username = username)
+
+        self.assertEqual(True, actual)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_inserted_expired_token_is_not_found(self, mock_time):
+        token = "token"
+        username = "usr"
+        
+        with self.app.app_context():
+            sut.insert_token(token = token, username = username, expires_at = 1000)
+            actual = sut.is_valid_token(token = token, username = username)
+
+        self.assertEqual(False, actual)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_token_deleted_is_not_found(self, mock_time):
+        token = "token"
+        username = "usr"
+        
+        with self.app.app_context():
+            sut.insert_token(token = token, username = username, expires_at = 2000)
+            sut.delete_tokens(username = username)
+            actual = sut.is_valid_token(token = token, username = username)
+
+        self.assertEqual(False, actual)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_only_given_user_tokens_are_deleted(self, mock_time):
+        token = "token"
+        username_given = "usr_given"
+        username = "usr_other"
+        
+        with self.app.app_context():
+            sut.insert_token(token = token, username = username_given, expires_at = 2000)
+            sut.insert_token(token = token, username = username, expires_at = 2000)
+            sut.delete_tokens(username = username_given)
+            actual = sut.is_valid_token(token = token, username = username)
+
+        self.assertEqual(True, actual)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/data/test_dao_session.py

@@ -0,0 +1,247 @@
+import os,sys
+sys.path.append('../')
+import context
+import unittest
+import unittest.mock
+import time
+from flask import current_app
+from backend.data import db
+from backend.data.data_models import Session
+
+import backend.data.dao_session as sut
+
+# Notes to myself:
+# test nees tu start with test
+# sys.path.append('../') appends the path so context can be imported
+# with self.app.app_context(): is required to have current_app, if no request is running
+
+class SessionDAOTest(unittest.TestCase):
+
+    app = context.create_app(context.default_test_config)
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+
+    def test_empty_db_contains_no_token(self):
+        expected = None
+        token = "token"
+        
+        with self.app.app_context():
+            actual = sut.get_user_for_token(token)
+
+        self.assertEqual(expected, actual)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_inserted_token_is_found(self, mock_time):
+        assert time.time() == 1000
+        expected = 13
+        token = "token"
+        session = Session(
+            user_id = 13,
+            access_token = token,
+            refresh_token = "refresh_token",
+            access_expires_at = 2000,
+            refresh_expires_at = 4000
+        )
+
+        with self.app.app_context():
+            sut.insert_user_session(session)
+            actual = sut.get_user_for_token(token)
+
+        self.assertEqual(expected, actual)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_same_token_results_in_not_found(self, mock_time):
+        assert time.time() == 1000
+        expected = None
+        token = "token"
+        session1 = Session(
+            user_id = 13,
+            access_token = token,
+            refresh_token = "refresh_token",
+            access_expires_at = 2000,
+            refresh_expires_at = 4000
+        )
+        session2 = Session(
+            user_id = 14,
+            access_token = token,
+            refresh_token = "refresh_token",
+            access_expires_at = 2000,
+            refresh_expires_at = 4000
+        )
+        
+        with self.app.app_context():
+            sut.insert_user_session(session1)
+            sut.insert_user_session(session2)
+            actual = sut.get_user_for_token(token)
+
+        self.assertEqual(expected, actual)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_expired_access_token_isnt_returned(self, mock_time):
+        assert time.time() == 1000
+        expected = None
+        token = "token"
+        session = Session(
+            user_id = 13,
+            access_token = token,
+            refresh_token = "refresh_token",
+            access_expires_at = 500,
+            refresh_expires_at = 2000
+        )
+        
+        with self.app.app_context():
+            sut.insert_user_session(session)
+            actual = sut.get_user_for_token(token)
+
+        self.assertEqual(expected, actual)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_expired_refresh_token_isnt_returned(self, mock_time):
+        assert time.time() == 1000
+        expected = None
+        token = "token"
+        session = Session(
+            user_id = 13,
+            access_token = token,
+            refresh_token = "refresh_token",
+            access_expires_at = 2500,
+            refresh_expires_at = 500
+        )
+        
+        with self.app.app_context():
+            sut.insert_user_session(session)
+            actual = sut.get_user_for_token(token)
+
+        self.assertEqual(expected, actual)
+    
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_deleted_session_isnt_returned(self, mock_time):
+        assert time.time() == 1000
+        expected = None
+        token = "token"
+        session = Session(
+            user_id = 13,
+            access_token = token,
+            refresh_token = "refresh_token",
+            access_expires_at = 1500,
+            refresh_expires_at = 5000
+        )
+        
+        with self.app.app_context():
+            sut.insert_user_session(session = session)
+            sut.delete_user_session(access_token = token)
+            actual = sut.get_user_for_token(access_token = token)
+
+        self.assertEqual(expected, actual)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_deleted_all_user_session_isnt_returned(self, mock_time):
+        assert time.time() == 1000
+        expected = None
+        session1 = Session(
+            user_id = 13,
+            access_token = "token1",
+            refresh_token = "refresh_token1",
+            access_expires_at = 1500,
+            refresh_expires_at = 5000
+        )
+        session2 = Session(
+            user_id = 13,
+            access_token = "token2",
+            refresh_token = "refresh_token2",
+            access_expires_at = 1500,
+            refresh_expires_at = 5000
+        )
+        session_of_different_user = Session(
+            user_id = 14,
+            access_token = "token3",
+            refresh_token = "refresh_token3",
+            access_expires_at = 1500,
+            refresh_expires_at = 5000
+        )
+        
+        with self.app.app_context():
+            sut.insert_user_session(session = session1)
+            sut.insert_user_session(session = session2)
+            sut.insert_user_session(session = session_of_different_user)
+            sut.delete_all_user_session_by_user_id(user_id=13)
+            actual1 = sut.get_user_for_token(access_token = session1.access_token)
+            actual2 = sut.get_user_for_token(access_token = session2.access_token)
+            actual_of_different_user = sut.get_user_for_token(access_token = session_of_different_user.access_token)
+
+        self.assertEqual(expected, actual1)
+        self.assertEqual(expected, actual2)
+        self.assertEqual(session_of_different_user.user_id, actual_of_different_user)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_after_new_single_session_old_session_is_not_returned(self, mock_time):
+        assert time.time() == 1000
+        token = "token"
+        new_token = "new_token"
+        session = Session(
+            user_id = 13,
+            access_token = token,
+            refresh_token = "refresh_token",
+            access_expires_at = 1500,
+            refresh_expires_at = 5000
+        )
+        new_session = session = Session(
+            user_id = 13,
+            access_token = new_token,
+            refresh_token = "refresh_token",
+            access_expires_at = 1500,
+            refresh_expires_at = 5000
+        )
+        expected_old = None
+        expected_new = 13
+        
+        with self.app.app_context():
+            sut.insert_user_session(session = session)
+            sut.create_new_single_session(session = new_session)
+            actual_old = sut.get_user_for_token(access_token = token)
+            actual_new = sut.get_user_for_token(access_token = new_token)
+
+        self.assertEqual(expected_old, actual_old)
+        self.assertEqual(expected_new, actual_new)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_after_swap_refresh_session_old_session_is_not_returned(self, mock_time):
+        assert time.time() == 1000
+        token = "token"
+        new_token = "new_token"
+        session = Session(
+            user_id = 13,
+            access_token = token,
+            refresh_token = "refresh_token",
+            access_expires_at = 1500,
+            refresh_expires_at = 5000
+        )
+        new_session = session = Session(
+            user_id = 13,
+            access_token = new_token,
+            refresh_token = "refresh_token2",
+            access_expires_at = 1500,
+            refresh_expires_at = 5000
+        )
+        expected_old = None
+        expected_new = 13
+        
+        with self.app.app_context():
+            sut.insert_user_session(session = session)
+            sut.swap_refresh_session(refresh_token = session.refresh_token, session = new_session)
+            actual_old = sut.get_user_for_token(access_token = token)
+            actual_new = sut.get_user_for_token(access_token = new_token)
+
+        self.assertEqual(expected_old, actual_old)
+        self.assertEqual(expected_new, actual_new)
+
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/data/test_dao_users.py

@@ -0,0 +1,301 @@
+import os,sys
+sys.path.append('../')
+import context
+import unittest
+import unittest.mock
+import time
+from flask import current_app
+from backend.data import db
+from backend.data.data_models import RegisteringUser
+from backend.data.data_models import User
+from backend.data.data_models import DataError
+
+import backend.data.dao_users as sut
+
+class RegistrationTokenDAOTest(unittest.TestCase):
+
+    app = context.create_app(context.default_test_config)
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+    
+    def test_empty_db_contains_no_user(self):
+        user_id = 1
+        
+        with self.app.app_context():
+            actual = sut.get_user_by_id(user_id)
+
+        self.assertEqual(None, actual)
+
+    def test_user_inserted_can_be_found_by_id(self):
+        inserted = RegisteringUser(
+            name = "admin",
+            password = "admin",
+            otp_secret = "secret",
+            privileged = True,
+            was_otp_verified = True
+        )
+        expected = User(
+            id = 1,
+            name = "admin",
+            otp_secret = "secret",
+            privileged = True,
+            was_otp_verified = True
+        )
+        
+        with self.app.app_context():
+            user_id = sut.insert_user(inserted)
+            actual = sut.get_user_by_id(user_id)
+
+        self.assertEqual(expected.id, user_id)
+        self.assertEqual(expected, actual)
+
+    def test_deleted_user_cannot_be_found(self):
+        inserted = RegisteringUser(
+            name = "admin",
+            password = "admin",
+            otp_secret = "secret",
+            privileged = True,
+            was_otp_verified = True
+        )
+        expected = None
+        
+        with self.app.app_context():
+            user_id = sut.insert_user(inserted)
+            sut.delete_user_by_id(user_id)
+            actual = sut.get_user_by_id(user_id)
+
+        self.assertEqual(expected, actual)
+
+    def test_user_inserted_can_be_found_by_name(self):
+        inserted = RegisteringUser(
+            name = "admin",
+            password = "admin",
+            otp_secret = "secret",
+            privileged = True,
+            was_otp_verified = True
+        )
+        expected = User(
+            id = 1,
+            name = "admin",
+            otp_secret = "secret",
+            privileged = True,
+            was_otp_verified = True
+        )
+        
+        with self.app.app_context():
+            user_id = sut.insert_user(inserted)
+            actual = sut.get_user_by_name('admin')
+
+        self.assertEqual(expected.id, user_id)
+        self.assertEqual(expected, actual)
+
+    def test_2_user_inserted_can_be_found_by_id(self):
+        inserted1 = RegisteringUser(
+            name = "admin",
+            password = "pass",
+            otp_secret = "secret",
+            privileged = True,
+            was_otp_verified = True
+        )
+        expected1 = User(
+            id = 1,
+            name = "admin",
+            otp_secret = "secret",
+            privileged = True,
+            was_otp_verified = True
+        )
+        inserted2 = RegisteringUser(
+            name = "admin2",
+            password = "pass",
+            otp_secret = "secret",
+            privileged = False,
+        )
+        expected2 = User(
+            id = 2,
+            name = "admin2",
+            otp_secret = "secret",
+            privileged = False,
+            was_otp_verified = False
+        )
+        
+        with self.app.app_context():
+            user_id1 = sut.insert_user(inserted1)
+            actual1 = sut.get_user_by_id(user_id1)
+            user_id2 = sut.insert_user(inserted2)
+            actual2 = sut.get_user_by_id(user_id2)
+
+        self.assertEqual(expected1.id, user_id1)
+        self.assertEqual(expected1, actual1)
+        self.assertEqual(expected2.id, user_id2)
+        self.assertEqual(expected2, actual2)
+
+    def test_2_user_inserted_can_be_get(self):
+        inserted1 = RegisteringUser(
+            name = "admin",
+            password = "pass",
+            otp_secret = "secret",
+            privileged = True,
+            was_otp_verified = True
+        )
+        expected1 = User(
+            id = 1,
+            name = "admin",
+            otp_secret = "secret",
+            privileged = True,
+            was_otp_verified = True
+        )
+        inserted2 = RegisteringUser(
+            name = "admin2",
+            password = "pass",
+            otp_secret = "secret",
+            privileged = False,
+        )
+        expected2 = User(
+            id = 2,
+            name = "admin2",
+            otp_secret = "secret",
+            privileged = False,
+            was_otp_verified = False
+        )
+        
+        with self.app.app_context():
+            user_id1 = sut.insert_user(inserted1)
+            user_id2 = sut.insert_user(inserted2)
+            actual = sut.get_users()
+
+        self.assertEqual([expected1,expected2], list(actual))
+
+
+    def test_user_inserted_can_not_be_found_by_good_name_and_wrong_password(self):
+        inserted = RegisteringUser(
+            name = "admin",
+            password = "pass",
+            otp_secret = "secret"
+        )
+        with self.app.app_context():
+            sut.insert_user(inserted)
+            actual = sut.get_user_by_name_and_password('admin', 'pass2')
+
+        self.assertEqual(None, actual)
+
+    def test_user_inserted_can_not_be_found_by_wrong_name_and_good_password(self):
+        inserted = RegisteringUser(
+            name = "admin",
+            password = "pass",
+            otp_secret = "secret"
+        )
+        with self.app.app_context():
+            sut.insert_user(inserted)
+            actual = sut.get_user_by_name_and_password('admin2', 'pass')
+
+        self.assertEqual(None, actual)
+
+
+    def test_user_inserted_can_be_found_by_name_and_password(self):
+        inserted = RegisteringUser(
+            name = "admin",
+            password = "pass",
+            otp_secret = "secret"
+        )
+        expected = User(
+            id = 1,
+            name = "admin",
+            otp_secret = "secret",
+            privileged = False,
+            was_otp_verified = False
+        )
+        
+        with self.app.app_context():
+            sut.insert_user(inserted)
+            actual = sut.get_user_by_name_and_password('admin', 'pass')
+
+        self.assertEqual(expected, actual)
+
+    def test_update_user_privilige(self):
+        user = RegisteringUser(
+            name = "admin2",
+            password = "pass",
+            otp_secret = "secret"
+        )
+        expected = User(
+            id = 1,
+            name = "admin2",
+            otp_secret = "secret",
+            privileged = True,
+            was_otp_verified = False
+        )
+        
+        with self.app.app_context():
+            user_id = sut.insert_user(user)
+            sut.update_user_privilige(user_id, True)
+            actual = sut.get_user_by_id(user_id)
+        
+        self.assertEqual(expected, actual)
+    
+    def test_update_user_otp_verification(self):
+        user = RegisteringUser(
+            name = "admin2",
+            password = "pass",
+            otp_secret = "secret"
+        )
+        expected = User(
+            id = 1,
+            name = "admin2",
+            otp_secret = "secret",
+            privileged = False,
+            was_otp_verified = True
+        )
+        
+        with self.app.app_context():
+            user_id = sut.insert_user(user)
+            sut.update_user_otp_verification(user_id, True)
+            actual = sut.get_user_by_id(user_id)
+        
+        self.assertEqual(expected, actual)
+
+    def test_insert_user_twice(self):
+        user = RegisteringUser(
+            name = "admin2",
+            password = "pass",
+            otp_secret = "secret"
+        )
+        
+        with self.app.app_context():
+            sut.insert_user(user)
+            actual = sut.insert_user(user)
+
+        self.assertEqual(DataError.USER_NAME_NOT_VALID, actual)
+
+    def test_update_user_password(self):
+        user = RegisteringUser(
+            name = "admin2",
+            password = "pass",
+            otp_secret = "secret"
+        )
+        expected_old = None
+        expected_new = User(
+            id = 1,
+            name = "admin2",
+            otp_secret = "secret",
+            privileged = False,
+            was_otp_verified = False
+        )
+        
+        with self.app.app_context():
+            user_id = sut.insert_user(user)
+            sut.update_user_password(user_id = user_id, new_password = "alma")
+            actual_old = sut.get_user_by_name_and_password(user_name = "admin2", password = "pass")
+            actual_new = sut.get_user_by_name_and_password(user_name = "admin2", password = "alma")
+        
+        self.assertEqual(expected_old, actual_old)
+        self.assertEqual(expected_new, actual_new)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/test_add_file_metadata.py

@@ -0,0 +1,238 @@
+import os
+import unittest
+import unittest.mock
+import json
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_users
+from backend.data import dao_session
+from backend.data.data_models import Session
+from backend.data.data_models import RegisteringUser
+
+class AddFileMetadataUnitTest(unittest.TestCase):
+ 
+    url_path = '/file/metadata'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+    
+    def insert_user(self, user: RegisteringUser):
+        with self.app.app_context():
+            user_id = dao_users.insert_user(user)
+        return user_id
+
+    def insert_session(self, session: Session):
+        with self.app.app_context():
+            dao_session.insert_user_session(session)
+
+    def test_no_headers_returns_unauthorized(self):
+        expected = {'message':'Missing Authorization!','code':440}
+
+        response = self.client.post(self.url_path)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_not_saved_access_token_headers_returns_unauthorized(self):
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        response = self.client.post(self.url_path, headers={'Authorization': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_expired_access_token_headers_returns_unauthorized(self):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=950,
+            refresh_expires_at=1050,
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':441}
+        
+        response = self.client.post(self.url_path, headers={'Authorization': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_sending_non_saved_user_error_is_shown(self):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_given_authenticated_user_sending_data_shows_success(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'File MetaData Saved!','code':203}
+
+        header = {'Authorization': 'token'}
+        data = json.dumps({'key': 'value'})
+        response = self.client.post(self.url_path, headers = header, data = data, content_type='application/json')
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+    
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_given_authenticated_user_sending_invalid_data_shows_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Couldn\'t save metadata!','code':415}
+
+        header = {'Authorization': 'token'}
+        data = ""
+        response = self.client.post(self.url_path, headers = header, data = data, content_type='application/json')
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_given_authenticated_user_sending_data_can_be_read(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected_of_key_query = {'key': 'value'}
+        expected_of_key2_query = {'key2':'value2'}
+
+        data = json.dumps({'key': 'value', 'key2': 'value2'})
+        header = {'Authorization': 'token'}
+        self.client.post(self.url_path, headers = header, data = data, content_type='application/json')
+        get_query_key1 = {'file_key': 'key'}
+        response_of_key1 = self.client.get(self.url_path, query_string = get_query_key1, headers = header)
+        get_query_key2 = {'file_key': 'key2'}
+        response_of_key2 = self.client.get(self.url_path, query_string = get_query_key2, headers = header)
+
+        self.assertEqual(200, response_of_key1.status_code)
+        actual_response_json = json.loads(response_of_key1.data.decode())
+        self.assertEqual(expected_of_key_query, actual_response_json)
+
+        actual_response_json = json.loads(response_of_key2.data.decode())
+        self.assertEqual(200, response_of_key2.status_code)
+        self.assertEqual(expected_of_key2_query, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_given_authenticated_user_data_can_be_overwritten_and_extended(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'key': 'value1'}
+
+        header = {'Authorization': 'token'}
+        data = json.dumps({'key': 'value', 'key2': 'value2'})
+        self.client.post(self.url_path, headers = header, data = data, content_type='application/json')
+        data = json.dumps({'key': 'value1', 'key3': 'value3'})
+        self.client.post(self.url_path, headers = header, data = data, content_type='application/json')
+        get_query = {'file_key': 'key'}
+        response = self.client.get(self.url_path, query_string=get_query, headers = header)
+
+        self.assertEqual(200, response.status_code)
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_given_authenticated_user_invalid_data_is_not_saved(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'key': 'value'}
+
+        header = {'Authorization': 'token'}
+        data = json.dumps({'key': 'value', 'key2': 'value2'})
+        self.client.post(self.url_path, headers = header, data = data, content_type='application/json')
+        invalid_data = json.dumps([{'key': 'value1', 'key3': 'value3'}])
+        self.client.post(self.url_path, headers = header, data = invalid_data, content_type='application/json')
+        get_query={'file_key':'key'}
+        response = self.client.get(self.url_path, query_string = get_query, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/test_add_file_metadata_of_user.py

@@ -0,0 +1,228 @@
+import os
+import unittest
+import unittest.mock
+import json
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_users
+from backend.data import dao_session
+from backend.data.data_models import Session
+from backend.data.data_models import RegisteringUser
+
+class AddFileMetadataOfUserUnitTest(unittest.TestCase):
+ 
+    url_path = '/user/file/metadata'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+    
+    def insert_user(self, user: RegisteringUser):
+        with self.app.app_context():
+            user_id = dao_users.insert_user(user)
+        return user_id
+
+    def insert_session(self, session: Session):
+        with self.app.app_context():
+            dao_session.insert_user_session(session)
+
+    def test_no_headers_returns_unauthorized(self):
+        expected = {'message':'Missing Authorization!','code':440}
+
+        response = self.client.post(self.url_path)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_not_saved_access_token_headers_returns_unauthorized(self):
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        response = self.client.post(self.url_path, headers={'Authorization': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_expired_access_token_headers_returns_unauthorized(self):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=950,
+            refresh_expires_at=1050,
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':441}
+        
+        response = self.client.post(self.url_path, headers={'Authorization': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_sending_non_saved_user_error_is_shown(self):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_given_authenticated_user_sending_data_shows_success(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'User\'s File MetaData Saved!','code':202}
+
+        header = {'Authorization': 'token'}
+        data = json.dumps({'key': 'value'})
+        response = self.client.post(self.url_path, headers = header, data = data, content_type='application/json')
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+    
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_given_authenticated_user_sending_invalid_data_shows_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Couldn\'t save user\'s metadata!','code':414}
+
+        header = {'Authorization': 'token'}
+        data = ""
+        response = self.client.post(self.url_path, headers = header, data = data, content_type='application/json')
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_given_authenticated_user_sending_data_can_be_read(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'key': 'value', 'key2':'value2'}
+
+        header = {'Authorization': 'token'}
+        data = json.dumps({'key': 'value', 'key2': 'value2'})
+        self.client.post(self.url_path, headers = header, data = data, content_type='application/json')
+        response = self.client.get(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_given_authenticated_user_data_can_be_overwritten_and_extended(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'key': 'value1', 'key2':'value2', 'key3': 'value3'}
+
+        header = {'Authorization': 'token'}
+        data = json.dumps({'key': 'value', 'key2': 'value2'})
+        self.client.post(self.url_path, headers = header, data = data, content_type='application/json')
+        data = json.dumps({'key': 'value1', 'key3': 'value3'})
+        self.client.post(self.url_path, headers = header, data = data, content_type='application/json')
+        response = self.client.get(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_given_authenticated_user_invalid_data_is_not_saved(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'key': 'value', 'key2':'value2'}
+
+        header = {'Authorization': 'token'}
+        data = json.dumps({'key': 'value', 'key2': 'value2'})
+        self.client.post(self.url_path, headers = header, data = data, content_type='application/json')
+        invalid_data = json.dumps([{'key': 'value1', 'key3': 'value3'}])
+        self.client.post(self.url_path, headers = header, data = invalid_data, content_type='application/json')
+        response = self.client.get(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/test_change_password.py

@@ -0,0 +1,315 @@
+import os
+import unittest
+import unittest.mock
+import json
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_users
+from backend.data import dao_session
+from backend.data.data_models import Session
+from backend.data.data_models import RegisteringUser
+
+class PasswordChangeUnitTest(unittest.TestCase):
+ 
+    url_path = '/change/password'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+    
+    def insert_user(self, user: RegisteringUser):
+        with self.app.app_context():
+            user_id = dao_users.insert_user(user)
+        return user_id
+
+    def insert_session(self, session: Session):
+        with self.app.app_context():
+            dao_session.insert_user_session(session)
+
+    def assertHasSession(self, access_token, user_id):
+        with self.app.app_context():
+            actual = dao_session.get_user_for_token(access_token)
+        self.assertEqual(user_id, actual)
+
+    def test_no_headers_returns_unauthorized(self):
+        expected = {'message':'Missing Authorization!','code':440}
+
+        response = self.client.post(self.url_path)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_not_saved_access_token_headers_returns_unauthorized(self):
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        response = self.client.post(self.url_path, headers={'Authorization': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_expired_access_token_headers_returns_unauthorized(self, mock_time):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=950,
+            refresh_expires_at=1050,
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':441}
+        
+        response = self.client.post(self.url_path, headers={'Authorization': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_non_saved_user_error_is_shown(self, mock_time):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':442}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_no_otp_token_then_error_is_shown(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Token!','code':431}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_invalid_otp_token_then_error_is_shown(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Token!','code':431}
+
+        data = {'otp': 0}
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, data=data, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_auth_correct_but_no_password_shows_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'message':'Invalid Password!','code':421}
+        
+        data = {'otp': correct_code}
+        response = self.client.post(self.url_path, data = data, headers = {'Authorization': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_auth_correct_but_no_new_password_shows_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'message':'New Password cannot be empty!','code':422}
+        
+        data = {'otp': correct_code, 'password':'pass'}
+        response = self.client.post(self.url_path, data=data, headers={'Authorization': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_auth_correct_but_invalid_current_password_shows_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'message':'Invalid Password!','code':421}
+        
+        data = {'otp': correct_code, 'password':'pass', 'new_password': 'new_pass'}
+        response = self.client.post(self.url_path, data=data, headers={'Authorization': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_valid_password_change_results_in_new_session(self, mock_time):
+        user = RegisteringUser(
+            name = 'alma',
+            password = 'pass',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected_keys = {'access_token', 'refresh_token', 'expires_at'}
+        
+        correct_code = 585501 #for 1000 and base32secret3232
+        data = {'password':'pass', 'new_password': 'pass2', 'otp': correct_code}
+        response = self.client.post(self.url_path, data=data, headers={'Authorization': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected_keys, set(actual_response_json.keys()))
+        self.assertEqual(actual_response_json['expires_at'], 1000+20000)
+        self.assertHasSession(access_token = actual_response_json['access_token'], user_id = user_id)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_after_password_change_old_session_is_invalid(self, mock_time):
+        user = RegisteringUser(
+            name = 'alma',
+            password = 'pass',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        change_pass_data = {'password':'pass', 'new_password': 'pass2', 'otp': correct_code}
+        response = self.client.post(self.url_path, data=change_pass_data, headers={'Authorization': 'token'})
+        json.loads(response.data.decode())
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        data = {'password':'pass2', 'new_password': 'pass3', 'otp': correct_code}
+        response = self.client.post(self.url_path, data=data, headers={'Authorization': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_after_password_change_new_session_is_valid(self, mock_time):
+        user = RegisteringUser(
+            name = 'alma',
+            password = 'pass',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        change_pass_data = {'password':'pass', 'new_password': 'pass2', 'otp': correct_code}
+        response = self.client.post(self.url_path, data=change_pass_data, headers={'Authorization': 'token'})
+        session_response = json.loads(response.data.decode())
+        expected_keys = {'access_token', 'refresh_token', 'expires_at'}
+        
+        data = {'password':'pass2', 'new_password': 'pass3', 'otp': correct_code}
+        response = self.client.post(self.url_path, data=data, headers={'Authorization': session_response['access_token']})
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected_keys, set(actual_response_json.keys()))
+        self.assertEqual(actual_response_json['expires_at'], 1000+20000)
+        self.assertHasSession(access_token = actual_response_json['access_token'], user_id = user_id)
+
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/test_create_registration_token.py

@@ -0,0 +1,295 @@
+import os
+import unittest
+import unittest.mock
+import json
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_users
+from backend.data import dao_registration_tokens
+from backend.data import dao_session
+from backend.data.data_models import RegisteringUser
+from backend.data.data_models import Session
+
+class CreateRegistrationTokenUnitTest(unittest.TestCase):
+ 
+    url_path = '/admin/registration_token'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+    
+    def insert_user(self, user: RegisteringUser):
+        with self.app.app_context():
+            user_id = dao_users.insert_user(user)
+        return user_id
+
+    def insert_session(self, session: Session):
+        with self.app.app_context():
+            dao_session.insert_user_session(session)
+
+    def assertRegistrationTokenIs(self, token: str, is_valid: bool):
+        with self.app.app_context():
+            actual = dao_registration_tokens.is_valid_token(token)
+        self.assertEqual(is_valid, actual)
+    
+    def test_no_headers_returns_unauthorized(self):
+        expected = {'message':'Missing Authorization!','code':440}
+
+        response = self.client.post(self.url_path)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_not_saved_access_token_headers_returns_unauthorized(self):
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers=header)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_expired_access_token_headers_returns_unauthorized(self, mock_time):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=950,
+            refresh_expires_at=1050,
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':441}
+        
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers=header)
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_non_saved_user_error_is_shown(self, mock_time):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':442}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_no_otp_token_then_error_is_shown(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Token!','code':431}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_invalid_otp_token_then_error_is_shown(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Token!','code':431}
+
+        data = {'otp': 0}
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, data=data, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_correct_data_but_not_priviliged_user_shows_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'message':'Not Authorized!','code':460}
+
+        data = {'otp': correct_code}
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, data=data, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_no_registration_token_returns_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = True
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'message':'Invalid Registration Token given!','code':460}
+        
+        data = {'otp': correct_code}
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, data = data, headers = header)
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_blank_registration_token_returns_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = True
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'message':'Invalid Registration Token given!','code':460}
+        
+        data = {'registration_token': '      ', 'otp': correct_code}
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, data = data, headers = header)
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+        self.assertRegistrationTokenIs(token = '      ', is_valid = False)
+
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_priviliged_user_sending_correct_data_token_is_saved(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = True
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'message':'Registration token Saved!','code':205}
+
+        data = {'registration_token': '123456', 'otp': correct_code}
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, data=data, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+        self.assertRegistrationTokenIs(token = '123456', is_valid = True)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_priviliged_user_authenticated_sending_same_token_shows_ok(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = True
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        data = {'registration_token': '123456', 'otp': correct_code}
+        header = {'Authorization': 'token'}
+        self.client.post(self.url_path, data=data, headers = header)
+        expected = {'message':'Invalid Registration Token given!','code':460}
+
+        response = self.client.post(self.url_path, data=data, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+        self.assertRegistrationTokenIs(token = '123456', is_valid = True)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/test_create_reset_password_token.py

@@ -0,0 +1,327 @@
+import os
+import unittest
+import unittest.mock
+import json
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_users
+from backend.data import dao_registration_tokens
+from backend.data import dao_session
+from backend.data.data_models import RegisteringUser
+from backend.data.data_models import Session
+
+class CreateResetPasswordTokenTest(unittest.TestCase):
+ 
+    url_path = '/admin/reset_password_token'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+    
+    def insert_user(self, user: RegisteringUser):
+        with self.app.app_context():
+            user_id = dao_users.insert_user(user)
+        return user_id
+
+    def insert_session(self, session: Session):
+        with self.app.app_context():
+            dao_session.insert_user_session(session)
+
+    def assertResetPasswordTokenIs(self, token: str, is_valid: bool):
+        with self.app.app_context():
+            actual = dao_registration_tokens.is_valid_token(token)
+        self.assertEqual(is_valid, actual)
+    
+    def test_no_headers_returns_unauthorized(self):
+        expected = {'message':'Missing Authorization!','code':440}
+
+        response = self.client.post(self.url_path)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_not_saved_access_token_headers_returns_unauthorized(self):
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers=header)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_expired_access_token_headers_returns_unauthorized(self, mock_time):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=950,
+            refresh_expires_at=1050,
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':441}
+        
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers=header)
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_non_saved_user_error_is_shown(self, mock_time):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':442}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_no_otp_token_then_error_is_shown(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Token!','code':431}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_invalid_otp_token_then_error_is_shown(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Token!','code':431}
+
+        data = {'otp': 0}
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, data=data, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_correct_data_but_not_priviliged_user_shows_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'message':'Not Authorized!','code':460}
+
+        data = {'otp': correct_code}
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, data=data, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_no_reset_token_returns_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = True
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'message':'Invalid Reset Password Token given!','code':459}
+        
+        data = {'otp': correct_code}
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, data = data, headers = header)
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_blank_reset_token_returns_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = True
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'message':'Invalid Reset Password Token given!','code':459}
+        
+        data = {'reset_password_token':' ','otp': correct_code}
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, data = data, headers = header)
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_usernametoreset_not_send_shows_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = True
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'message':'username_to_reset cannot be empty!','code':413}
+        
+        data = {'reset_password_token':'a','otp': correct_code}
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, data = data, headers = header)
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_as_authenticated_privilidged_proper_data_then_reset_password_token_is_saved(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = True
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'message':'Reset Password token Saved!','code':208}
+        
+        data = {'reset_password_token':'a', 'username_to_reset': 'c','otp': correct_code}
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, data = data, headers = header)
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_resetted_password_token_can_be_user_to_change_password(self, mock_time):
+        admin = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = True
+        )
+        admin_id = self.insert_user(admin)
+        session = Session(
+            user_id=admin_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        user = RegisteringUser(
+            name = 'alma',
+            password = '',
+            otp_secret = ''
+        )
+        self.insert_user(user)
+        correct_code = 585501 #for 1000 and base32secret3232
+        reset_token = 'a'
+        data = {'reset_password_token':reset_token, 'username_to_reset': user.name,'otp': correct_code}
+        header = {'Authorization': 'token'}
+        self.client.post(self.url_path, data = data, headers = header)
+        expected = {'message':'Password was Saved!','code':201}
+
+        reset_passwod_data = {'reset_password_token':reset_token, 'username': user.name,'password': 'a'}
+        response = self.client.post('/reset/password', data = reset_passwod_data)
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=1)

server/flask/application/test/test_delete_registration_token.py

@@ -0,0 +1,214 @@
+import os
+import unittest
+import unittest.mock
+import json
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_users
+from backend.data import dao_registration_tokens
+from backend.data import dao_session
+from backend.data.data_models import RegisteringUser
+from backend.data.data_models import Session
+
+class DeleteRegistrationTokenUnitTest(unittest.TestCase):
+ 
+    url_path = '/admin/delete/registration_token'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+    
+    def insert_user(self, user: RegisteringUser):
+        with self.app.app_context():
+            user_id = dao_users.insert_user(user)
+        return user_id
+
+    def insert_session(self, session: Session):
+        with self.app.app_context():
+            dao_session.insert_user_session(session)
+
+    def insert_registration_token(self, token: str):
+        with self.app.app_context():
+            dao_registration_tokens.insert_token(token)
+
+    def assertRegistrationTokenIs(self, token: str, is_valid: bool):
+        with self.app.app_context():
+            actual = dao_registration_tokens.is_valid_token(token)
+        self.assertEqual(is_valid, actual)
+    
+    def test_no_headers_returns_unauthorized(self):
+        expected = {'message':'Missing Authorization!','code':440}
+
+        response = self.client.post(self.url_path)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_not_saved_access_token_headers_returns_unauthorized(self):
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers=header)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_expired_access_token_headers_returns_unauthorized(self, mock_time):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=950,
+            refresh_expires_at=1050,
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':441}
+        
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers=header)
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_non_saved_user_error_is_shown(self, mock_time):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':442}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_no_otp_token_then_error_is_shown(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Token!','code':431}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_invalid_otp_token_then_error_is_shown(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Token!','code':431}
+
+        data = {'otp': 0}
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, data=data, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_correct_data_but_not_priviliged_user_shows_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'message':'Not Authorized!','code':460}
+
+        data = {'otp': correct_code}
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, data=data, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_priviliged_user_sending_correct_data_token_is_deleted(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = True
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        self.insert_registration_token('123456')
+        self.insert_registration_token('abcdef')
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'message':'Token deleted!','code':209}
+
+        data = {'registration_token': '123456', 'otp': correct_code}
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, data=data, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+        self.assertRegistrationTokenIs(token = '123456', is_valid = False)
+        self.assertRegistrationTokenIs(token = 'abcdef', is_valid = True)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/test_delete_user.py

@@ -0,0 +1,234 @@
+import os
+import unittest
+import unittest.mock
+import json
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_users
+from backend.data import dao_registration_tokens
+from backend.data import dao_session
+from backend.data.data_models import RegisteringUser
+from backend.data.data_models import Session
+
+class DeleteTokenUnitTest(unittest.TestCase):
+ 
+    url_path = '/admin/delete/user'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+    
+    def insert_user(self, user: RegisteringUser):
+        with self.app.app_context():
+            user_id = dao_users.insert_user(user)
+        return user_id
+
+    def insert_session(self, session: Session):
+        with self.app.app_context():
+            dao_session.insert_user_session(session)
+
+    def assert_user(self, user_id: str, exists: bool):
+        with self.app.app_context():
+            actual = dao_users.get_user_by_id(user_id)
+        self.assertEqual(exists, actual is not None)
+
+    def assert_session(self, access_token: str, exists: bool):
+        with self.app.app_context():
+            actual = dao_session.get_user_for_token(access_token)
+        self.assertEqual(exists, actual is not None)
+    
+    def test_no_headers_returns_unauthorized(self):
+        expected = {'message':'Missing Authorization!','code':440}
+
+        response = self.client.post(self.url_path)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_not_saved_access_token_headers_returns_unauthorized(self):
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers=header)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_expired_access_token_headers_returns_unauthorized(self, mock_time):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=950,
+            refresh_expires_at=1050,
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':441}
+        
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers=header)
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_non_saved_user_error_is_shown(self, mock_time):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':442}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_no_otp_token_then_error_is_shown(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Token!','code':431}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_invalid_otp_token_then_error_is_shown(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Token!','code':431}
+
+        data = {'otp': 0}
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, data=data, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_correct_data_but_not_priviliged_user_shows_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'message':'Not Authorized!','code':460}
+
+        data = {'username_to_delete': 'guest-2', 'otp': correct_code}
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, data=data, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_priviliged_user_sending_correct_data_user_is_deleted(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = True
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        guest1_user_id=self.insert_user(RegisteringUser(name = 'guest-1',password = '123',otp_secret = '',))
+        guest2_user_id=self.insert_user(RegisteringUser(name = 'guest-2',password = '123',otp_secret = '',))
+        guest1_session = Session(
+            user_id=guest1_user_id,
+            access_token='a-1',
+            refresh_token='r-1',
+            access_expires_at=2000,
+            refresh_expires_at=3000
+        )
+        guest2_session = Session(
+            user_id=guest2_user_id,
+            access_token='a-2',
+            refresh_token='r-2',
+            access_expires_at=2000,
+            refresh_expires_at=3000
+        )
+        self.insert_session(guest1_session)
+        self.insert_session(guest2_session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'message':'User deleted!','code':206}
+
+        data = {'username_to_delete': 'guest-2', 'otp': correct_code}
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, data=data, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+        self.assert_user(user_id = guest1_user_id, exists = True)
+        self.assert_user(user_id = guest2_user_id, exists = False)
+        self.assert_session(access_token = 'a-1', exists = True)
+        self.assert_session(access_token = 'a-2', exists = False)
+        
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/test_get_file_metadata.py

@@ -0,0 +1,187 @@
+import os
+import unittest
+import unittest.mock
+import json
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_users
+from backend.data import dao_session
+from backend.data.data_models import Session
+from backend.data.data_models import RegisteringUser
+
+class GetFileMetadataOfUserUnitTest(unittest.TestCase):
+ 
+    url_path = '/file/metadata'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+    
+    def insert_user(self, user: RegisteringUser):
+        with self.app.app_context():
+            user_id = dao_users.insert_user(user)
+        return user_id
+
+    def insert_session(self, session: Session):
+        with self.app.app_context():
+            dao_session.insert_user_session(session)
+
+    def test_no_headers_returns_unauthorized(self):
+        expected = {'message':'Missing Authorization!','code':440}
+
+        response = self.client.get(self.url_path)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_not_saved_access_token_headers_returns_unauthorized(self):
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        response = self.client.get(self.url_path, headers={'Authorization': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_expired_access_token_headers_returns_unauthorized(self):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=950,
+            refresh_expires_at=1050,
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':441}
+        
+        response = self.client.get(self.url_path, headers={'Authorization': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_sending_non_saved_user_error_is_shown(self):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        header = {'Authorization': 'token'}
+        response = self.client.get(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+    
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_given_authenticated_user_without_parameter_error_is_shown(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message': 'Invalid FileKey (file_key)!', 'code': 416}
+
+        header = {'Authorization': 'token'}
+        response = self.client.get(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_given_authenticated_user_with_no_data_returns_empty(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {}
+
+        header = {'Authorization': 'token'}
+        get_query = {'file_key': 'a'}
+        response = self.client.get(self.url_path, headers = header, query_string = get_query)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_given_one_users_saved_data_other_can_access_it(self, mock_time):
+        user_with_metadata = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_with_metadata_id = self.insert_user(user_with_metadata)
+        usersession_with_metadata = Session(
+            user_id=user_with_metadata_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(usersession_with_metadata)
+
+        user = RegisteringUser(
+            name = 'other',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token2',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'key': 'value'}
+
+        post_header = {'Authorization': 'token'}
+        data = json.dumps({'key': 'value'})
+        self.client.post(self.url_path, headers = post_header, data = data, content_type='application/json')
+
+        get_header = {'Authorization': 'token2'}
+        get_query = {'file_key': 'key'}
+        response = self.client.get(self.url_path, headers = get_header, query_string=get_query, content_type='application/json')
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/test_get_file_metadata_of_user.py

@@ -0,0 +1,159 @@
+import os
+import unittest
+import unittest.mock
+import json
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_users
+from backend.data import dao_session
+from backend.data.data_models import Session
+from backend.data.data_models import RegisteringUser
+
+class GetFileMetadataOfUserUnitTest(unittest.TestCase):
+ 
+    url_path = '/user/file/metadata'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+    
+    def insert_user(self, user: RegisteringUser):
+        with self.app.app_context():
+            user_id = dao_users.insert_user(user)
+        return user_id
+
+    def insert_session(self, session: Session):
+        with self.app.app_context():
+            dao_session.insert_user_session(session)
+
+    def test_no_headers_returns_unauthorized(self):
+        expected = {'message':'Missing Authorization!','code':440}
+
+        response = self.client.get(self.url_path)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_not_saved_access_token_headers_returns_unauthorized(self):
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        response = self.client.get(self.url_path, headers={'Authorization': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_expired_access_token_headers_returns_unauthorized(self):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=950,
+            refresh_expires_at=1050,
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':441}
+        
+        response = self.client.get(self.url_path, headers={'Authorization': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_sending_non_saved_user_error_is_shown(self):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        header = {'Authorization': 'token'}
+        response = self.client.get(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_given_authenticated_user_with_no_data_returns_empty(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {}
+
+        header = {'Authorization': 'token'}
+        response = self.client.get(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_given_one_users_saved_data_other_cant_access_it(self, mock_time):
+        user_with_metadata = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_with_metadata_id = self.insert_user(user_with_metadata)
+        usersession_with_metadata = Session(
+            user_id=user_with_metadata_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(usersession_with_metadata)
+
+        user = RegisteringUser(
+            name = 'other',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token2',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {}
+
+        post_header = {'Authorization': 'token'}
+        data = json.dumps({'key': 'value'})
+        self.client.post(self.url_path, headers = post_header, data = data, content_type='application/json')
+
+        get_header = {'Authorization': 'token2'}
+        response = self.client.get(self.url_path, headers = get_header, data = data, content_type='application/json')
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/test_get_registration_tokens.py

@@ -0,0 +1,154 @@
+import os
+import unittest
+import unittest.mock
+import json
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_users
+from backend.data import dao_registration_tokens
+from backend.data import dao_session
+from backend.data.data_models import RegisteringUser
+from backend.data.data_models import Session
+
+class GetRegistrationTokensUnitTest(unittest.TestCase):
+ 
+    url_path = '/admin/get_registration_tokens'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+    
+    def insert_user(self, user: RegisteringUser):
+        with self.app.app_context():
+            user_id = dao_users.insert_user(user)
+        return user_id
+
+    def insert_session(self, session: Session):
+        with self.app.app_context():
+            dao_session.insert_user_session(session)
+
+    def inser_registration_token(self, token: str):
+        with self.app.app_context():
+            dao_registration_tokens.insert_token(token)
+
+    def test_no_headers_returns_unauthorized(self):
+        expected = {'message':'Missing Authorization!','code':440}
+
+        response = self.client.get(self.url_path)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_not_saved_access_token_headers_returns_unauthorized(self):
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        header = {'Authorization': 'token'}
+        response = self.client.get(self.url_path, headers=header)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_expired_access_token_headers_returns_unauthorized(self, mock_time):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=950,
+            refresh_expires_at=1050,
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':441}
+        
+        header = {'Authorization': 'token'}
+        response = self.client.get(self.url_path, headers=header)
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_non_saved_user_error_is_shown(self, mock_time):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':442}
+
+        header = {'Authorization': 'token'}
+        response = self.client.get(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_correct_data_but_not_priviliged_user_shows_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Not Authorized!','code':460}
+
+        header = {'Authorization': 'token'}
+        response = self.client.get(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_priviliged_user_with_correct_session_returns_tokens(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = True
+        )
+        user_id = self.insert_user(user)
+        self.inser_registration_token('token-abc-1')
+        self.inser_registration_token('token-abc-2')
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {
+            'registration_tokens':['token-abc-1','token-abc-2']
+        }
+
+        header = {'Authorization': 'token'}
+        response = self.client.get(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/test_get_users.py

@@ -0,0 +1,153 @@
+import os
+import unittest
+import unittest.mock
+import json
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_users
+from backend.data import dao_session
+from backend.data.data_models import RegisteringUser
+from backend.data.data_models import Session
+
+class GetUsersUnitTest(unittest.TestCase):
+ 
+    url_path = '/admin/get_users'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+    
+    def insert_user(self, user: RegisteringUser):
+        with self.app.app_context():
+            user_id = dao_users.insert_user(user)
+        return user_id
+
+    def insert_session(self, session: Session):
+        with self.app.app_context():
+            dao_session.insert_user_session(session)
+
+    def test_no_headers_returns_unauthorized(self):
+        expected = {'message':'Missing Authorization!','code':440}
+
+        response = self.client.get(self.url_path)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_not_saved_access_token_headers_returns_unauthorized(self):
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        header = {'Authorization': 'token'}
+        response = self.client.get(self.url_path, headers=header)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_expired_access_token_headers_returns_unauthorized(self, mock_time):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=950,
+            refresh_expires_at=1050,
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':441}
+        
+        header = {'Authorization': 'token'}
+        response = self.client.get(self.url_path, headers=header)
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_non_saved_user_error_is_shown(self, mock_time):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':442}
+
+        header = {'Authorization': 'token'}
+        response = self.client.get(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_correct_data_but_not_priviliged_user_shows_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Not Authorized!','code':460}
+
+        header = {'Authorization': 'token'}
+        response = self.client.get(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_priviliged_user_with_correct_session_returns_users(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = True
+        )
+        user_id = self.insert_user(user)
+        self.insert_user(RegisteringUser(name = 'guest-1',password = 'citrom',otp_secret = ''))
+        self.insert_user(RegisteringUser(name = 'guest-2',password = 'citrom',otp_secret = ''))
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {
+            'users':[
+                {'name': 'banan', 'privileged': True},
+                {'name': 'guest-1', 'privileged': False},
+                {'name': 'guest-2', 'privileged': False},
+            ]
+        }
+
+        header = {'Authorization': 'token'}
+        response = self.client.get(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/test_is_user_priviliged.py

@@ -0,0 +1,142 @@
+import os
+import unittest
+import unittest.mock
+import json
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_users
+from backend.data import dao_session
+from backend.data.data_models import Session
+from backend.data.data_models import RegisteringUser
+
+class IsUserPriviligedcUnitTest(unittest.TestCase):
+ 
+    url_path = '/user/is_privileged'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+    
+    def insert_user(self, user: RegisteringUser):
+        with self.app.app_context():
+            user_id = dao_users.insert_user(user)
+        return user_id
+
+    def insert_session(self, session: Session):
+        with self.app.app_context():
+            dao_session.insert_user_session(session)
+
+    def test_no_headers_returns_unauthorized(self):
+        expected = {'message':'Missing Authorization!','code':440}
+
+        response = self.client.get(self.url_path)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_not_saved_access_token_headers_returns_unauthorized(self):
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        response = self.client.get(self.url_path, headers={'Authorization': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_expired_access_token_headers_returns_unauthorized(self):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=950,
+            refresh_expires_at=1050,
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':441}
+        
+        response = self.client.get(self.url_path, headers={'Authorization': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_sending_non_saved_user_error_is_shown(self):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        header = {'Authorization': 'token'}
+        response = self.client.get(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_given_priviliged_user_sending_correct_data_result_is_shown(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = True
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'is_privileged': True}
+
+        header = {'Authorization': 'token'}
+        response = self.client.get(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_given_non_priviliged_user_sending_correct_data_result_is_shown(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = False
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'is_privileged': False}
+
+        header = {'Authorization': 'token'}
+        response = self.client.get(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/test_login.py

@@ -0,0 +1,129 @@
+import os
+import unittest
+import json
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_users
+from backend.data.data_models import RegisteringUser
+
+class LoginUnitTest(unittest.TestCase):
+ 
+    url_path = '/login'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+
+    def insert_user(self, user: RegisteringUser):
+        with self.app.app_context():
+            user_id = dao_users.insert_user(user)
+        return user_id
+    
+    def test_without_username_error_is_shown(self):
+        expected = {'message':'Username cannot be empty!','code':410}
+
+        response = self.client.post(self.url_path)
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_without_password_error_is_shown(self):
+        expected = {'message':'Password cannot be empty!','code':420}
+
+        data = {'username': 'myname'}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+    
+    def test_sending_non_saved_user_error_is_shown(self):
+        expected = {'message':'User cannot be found!','code':412}
+
+        data = {'username': 'myname', 'password': 'mypass', 'otp': '124'}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_sending_non_found_name_by_name_error_is_shown(self):
+        password = 'mypass'
+        user = RegisteringUser(
+            name = "myname",
+            password = password,
+            otp_secret = "base32secret3232"
+        )
+        self.insert_user(user)
+        expected = {'message':'User cannot be found!','code':412}
+
+        data = {'username': 'myname2', 'password': password, 'otp': '124'}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_sending_non_found_user_by_password_error_is_shown(self):
+        username = 'myname'
+        user = RegisteringUser(
+            name = username,
+            password = 'pass',
+            otp_secret = "base32secret3232"
+        )
+        self.insert_user(user)
+        expected = {'message':'User cannot be found!','code':412}
+
+        data = {'username': username, 'password': 'pass2', 'otp': '124'}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_without_otp_verified_then_secret_is_returned(self):
+        user = RegisteringUser(
+            name = "myname",
+            password = "mypass",
+            otp_secret = "base32secret3232",
+            was_otp_verified = False
+        )
+        self.insert_user(user)
+        expected_keys = {'otp_secret'}
+        expected_format = r'^otpauth://totp/FnivesVOD:myname\?secret=[^&]*&issuer=FnivesVOD$'
+
+        data = {'username': 'myname', 'password': 'mypass'}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected_keys, set(actual_response_json.keys()))
+        self.assertRegex(actual_response_json['otp_secret'], expected_format)
+
+    def test_with_otp_verified_success_is_returned(self):
+        user = RegisteringUser(
+            name = "myname",
+            password = "mypass",
+            otp_secret = "base32secret3232",
+            was_otp_verified = True
+        )
+        self.insert_user(user)
+        expected = {'message':'User found!','code':200}
+        
+        data = {'username': 'myname', 'password': 'mypass'}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/test_logout.py

@@ -0,0 +1,71 @@
+import os
+import unittest
+import unittest.mock
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_users
+from backend.data import dao_session
+from backend.data.data_models import Session
+from backend.data.data_models import RegisteringUser
+
+class LogoutUnitTest(unittest.TestCase):
+ 
+    url_path = '/logout'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+
+    def insert_session(self, session: Session):
+        with self.app.app_context():
+            dao_session.insert_user_session(session)
+
+    def assertSession(self, access_token, user_id):
+        with self.app.app_context():
+             actual_user_id = dao_session.get_user_for_token(access_token)
+        self.assertEqual(actual_user_id, user_id)
+
+    def test_no_headers_returns_ok(self):
+        expected = ''
+        response = self.client.post(self.url_path)
+        actual_response = response.data.decode()
+
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response)
+
+    def test_given_invalid_session_returns_ok(self):
+        expected = ''
+        response = self.client.post(self.url_path, headers={'Authorization': 'invalid_token'})
+        actual_response = response.data.decode()
+
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_given_valid_session_returns_and_session_is_invalidated_ok(self, mock_time):
+        session = Session(
+            user_id=2,
+            access_token='access',
+            refresh_token='refresh',
+            access_expires_at=1010,
+            refresh_expires_at=1020
+        )
+        self.insert_session(session = session)
+        self.assertSession(access_token = 'access', user_id = 2)
+        expected = ''
+        response = self.client.post(self.url_path, headers={'Authorization': 'access'})
+        actual_response = response.data.decode()
+
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response)
+        self.assertSession(access_token = 'access', user_id = None)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/test_otp_verification.py

@@ -0,0 +1,165 @@
+import os
+import unittest
+import unittest.mock
+import json
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_users
+from backend.data import dao_session
+from backend.data.data_models import Session
+from backend.data.data_models import RegisteringUser
+
+class OTP_VerificationUnitTest(unittest.TestCase):
+
+    url_path = '/otp_verification'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+
+    def insert_user(self, user):
+        with self.app.app_context():
+            user_id = dao_users.insert_user(user)
+        return user_id
+
+    def assertHasSession(self, access_token, user_id):
+        with self.app.app_context():
+            actual = dao_session.get_user_for_token(access_token)
+        self.assertEqual(user_id, actual)
+
+    def assertUserOTPIs(self, user_id, was_otp_verified):
+        with self.app.app_context():
+            actual = dao_users.get_user_by_id(user_id)
+        self.assertEqual(was_otp_verified, actual.was_otp_verified)
+    
+    def test_without_username_error_is_shown(self):
+        expected = {'message':'Username cannot be empty!','code':410}
+        
+        response = self.client.post(self.url_path)
+        
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_without_password_error_is_shown(self):
+        expected = {'message':'Password cannot be empty!','code':420}
+
+        data = {'username': 'myname'}
+        response = self.client.post(self.url_path, data=data)
+        
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+    
+    def test_sending_non_saved_user_error_is_shown(self):
+        expected = {'message':'User cannot be found!','code':412}
+
+        data = {'username': 'myname', 'password': 'mypass', 'otp': '124'}
+        response = self.client.post(self.url_path, data=data)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_sending_non_found_user_by_name_error_is_shown(self):
+        password = 'mypass'
+        user = RegisteringUser(
+            name = "myname",
+            password = password,
+            otp_secret = "base32secret3232"
+        )
+        user_id = self.insert_user(user)
+        expected = {'message':'User cannot be found!','code':412}
+
+        data = {'username': 'myname2', 'password': password, 'otp': '124'}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+        self.assertUserOTPIs(user_id = user_id, was_otp_verified = False)
+
+    def test_sending_non_found_user_by_password_error_is_shown(self):
+        username = 'myname'
+        user = RegisteringUser(
+            name = username,
+            password = 'pass',
+            otp_secret = "base32secret3232"
+        )
+        user_id = self.insert_user(user)
+        expected = {'message':'User cannot be found!','code':412}
+
+        data = {'username': username, 'password': 'pass2', 'otp': '124'}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+        self.assertUserOTPIs(user_id = user_id, was_otp_verified = False)
+
+    def test_without_otp_error_is_shown(self):
+        user = RegisteringUser(
+            name = "myname",
+            password = "mypass",
+            otp_secret = "base32secret3232"
+        )
+        user_id = self.insert_user(user)
+        expected = {'message':'Invalid Token!','code':431}
+
+        data = {'username': 'myname', 'password': 'mypass'}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+        self.assertUserOTPIs(user_id = user_id, was_otp_verified = False)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_invalid_otp_token_then_error_is_shown(self, mock_time):
+        user = RegisteringUser(
+            name = "myname",
+            password = "mypass",
+            otp_secret = "base32secret3232"
+        )
+        user_id = self.insert_user(user)
+        invalid_code = 1
+        expected = {'message':'Invalid Token!','code':431}
+
+        data = {'username': 'myname', 'password': 'mypass', 'otp': '{}'.format(invalid_code)}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+        self.assertUserOTPIs(user_id = user_id, was_otp_verified = False)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_proper_otp_token_then_session_is_returned(self, mock_time):
+        user = RegisteringUser(
+            name = "myname",
+            password = "mypass",
+            otp_secret = "base32secret3232"
+        )
+        user_id = self.insert_user(user)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected_keys = {'access_token', 'refresh_token', 'expires_at'}
+        
+        data = {'username': 'myname', 'password': 'mypass', 'otp': '{}'.format(correct_code)}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected_keys, set(actual_response_json.keys()))
+        self.assertEqual(actual_response_json['expires_at'], 1000+20000)
+        self.assertHasSession(access_token = actual_response_json['access_token'], user_id = user_id)
+        self.assertUserOTPIs(user_id = user_id, was_otp_verified = True)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/test_refresh_token.py

@@ -0,0 +1,118 @@
+import os
+import unittest
+import unittest.mock
+import json
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_session
+from backend.data.data_models import RegisteringUser
+from backend.data.data_models import Session
+
+class RefreshTokenUnitTest(unittest.TestCase):
+
+    url_path = '/refresh/token'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+
+    def insert_session(self, session: Session):
+        with self.app.app_context():
+            dao_session.insert_user_session(session)
+
+    def assertHasSession(self, access_token, user_id):
+        with self.app.app_context():
+            actual = dao_session.get_user_for_token(access_token)
+        self.assertEqual(user_id, actual)
+    
+    def test_no_refresh_token_returns_error(self):
+        expected = {'message':'Invalid Refresh Token!','code':450}
+
+        response = self.client.post(self.url_path)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_not_saved_refresh_token_returns_error(self):
+        expected = {'message':'Invalid Refresh Token!','code':450}
+
+        response = self.client.post(self.url_path, data={'refresh_token': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_if_token_is_exists_2_times_then_invalid(self, mock_time):
+        session1 = Session(
+            user_id = 1,
+            access_token = "a",
+            refresh_token = "token",
+            access_expires_at = 5000,
+            refresh_expires_at = 5000,
+        )
+        session2 = Session(
+            user_id = 2,
+            access_token = "b",
+            refresh_token = "token",
+            access_expires_at = 6000,
+            refresh_expires_at = 6000,
+        )
+        self.insert_session(session1)
+        self.insert_session(session2)
+        expected = {'message':'Invalid Refresh Token!','code':450}
+        
+        response = self.client.post(self.url_path, data={'refresh_token': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_expired_refresh_token_then_invalid(self, mock_time):
+        session = Session(
+            user_id = 1,
+            access_token = "a",
+            refresh_token = "token",
+            access_expires_at = 6000,
+            refresh_expires_at = 900,
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Refresh Token!','code':450}
+        
+        response = self.client.post(self.url_path, data={'refresh_token': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_expired_access_token_but_non_expires_refresh_token_then_new_is_returned(self, mock_time):
+        session = Session(
+            user_id = 1,
+            access_token = "a",
+            refresh_token = "token",
+            access_expires_at = 900,
+            refresh_expires_at = 6000,
+        )
+        self.insert_session(session)
+        expected_keys = {'access_token', 'refresh_token', 'expires_at'}
+        
+        response = self.client.post(self.url_path, data={'refresh_token': 'token'})
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected_keys, set(actual_response_json.keys()))
+        self.assertEqual(actual_response_json['expires_at'], 1000+20000)
+        self.assertHasSession(access_token = actual_response_json['access_token'], user_id = 1)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/test_registration.py

@@ -0,0 +1,136 @@
+import os,re
+import unittest
+import json
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_registration_tokens
+
+class RegistrationUnitTest(unittest.TestCase):
+ 
+    url_path = '/register'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+
+    def save_token(self, token):
+        with self.app.app_context():
+            dao_registration_tokens.insert_token(token)
+
+    def test_without_username_error_is_shown(self):
+        expected = {'message':'Username cannot be empty!','code':410}
+        
+        response = self.client.post(self.url_path)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_without_password_error_is_shown(self):
+        expected = {'message':'Password cannot be empty!','code':420}
+        
+        data = {'username': 'myname'}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+    
+    def test_without_otp_error_is_shown(self):
+        expected = {'message':'Invalid Token!','code':430}
+        
+        data = {'username': 'myname', 'password': 'mypass'}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_sending_non_saved_otp_token_then_error_is_shown(self):
+        expected = {'message':'Invalid Token!','code':430}
+        
+        data = {'username': 'myname', 'password': 'mypass', 'otp': '124'}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_sending_saved_token_with_nonexistent_username_then_otp_secret_is_revealed(self):
+        token = '124'
+        name = 'myname'
+        self.save_token(token)
+        expected_keys = {'otp_secret'}
+        expected_format = r'^otpauth://totp/FnivesVOD:[^?]*\?secret='+re.escape(name)+r'&issuer=FnivesVOD$'
+        
+        data = {'username': 'myname', 'password': 'mypass', 'otp': token}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected_keys, set(actual_response_json.keys()))
+        self.assertRegex(actual_response_json['otp_secret'], expected_format)
+
+    def test_reusing_token_doesnt_work(self):
+        token = '124'
+        self.save_token(token)
+        first_user_data = {'username': 'myname', 'password': 'mypass', 'otp': token}
+        self.client.post(self.url_path, data=first_user_data)
+        expected = {'message':'Invalid Token!','code':430}
+
+        data = {'username': 'myname2', 'password': 'mypass', 'otp': token}
+        response = self.client.post(self.url_path, data=data)
+        
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_sending_saved_otp_token_but_existing_username_then_error_is_shown(self):
+        first_user_token = '124'
+        second_user_token = '125'
+        same_user_name = 'myname'
+        self.save_token(first_user_token)
+        self.save_token(second_user_token)
+        first_user_data = {'username': same_user_name, 'password': 'mypass', 'otp': first_user_token}
+        self.client.post(self.url_path, data=first_user_data)
+        expected = {'message':'Username is already taken!','code':411}
+
+        data = {'username': same_user_name, 'password': 'mypass', 'otp': second_user_token}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_reusing_token_after_existing_user_error_works(self):
+        first_user_token = '124'
+        second_user_token = '125'
+        same_user_name = 'myname'
+        different_user_name = 'myname2'
+        self.save_token(first_user_token)
+        self.save_token(second_user_token)
+        first_user_data = {'username': same_user_name, 'password': 'mypass', 'otp': first_user_token}
+        self.client.post(self.url_path, data=first_user_data)
+        second_user_data = {'username': same_user_name, 'password': 'mypass', 'otp': second_user_token}
+        self.client.post(self.url_path, data=second_user_data)
+        expected_keys = {'otp_secret'}
+        expected_format = r'^otpauth://totp/FnivesVOD:[^?]*\?secret='+re.escape(different_user_name)+r'&issuer=FnivesVOD$'
+
+        data = {'username': different_user_name, 'password': 'mypass', 'otp': second_user_token}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected_keys, set(actual_response_json.keys()))
+        self.assertRegex(actual_response_json['otp_secret'], expected_format)
+
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/test_reset_password.py

@@ -0,0 +1,204 @@
+import os
+import unittest
+import unittest.mock
+import json
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_reset_password_tokens
+from backend.data import dao_users
+from backend.data.data_models import RegisteringUser
+
+class ResetPasswordUnitTest(unittest.TestCase):
+ 
+    url_path = '/reset/password'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+
+    def save_token(self, token, username, expires_at):
+        with self.app.app_context():
+            dao_reset_password_tokens.insert_token(token=token,username=username,expires_at=expires_at)
+
+    def insert_user(self, user: RegisteringUser):
+        with self.app.app_context():
+            user_id = dao_users.insert_user(user)
+        return user_id
+
+    def test_without_username_error_is_shown(self):
+        expected = {'message':'Username cannot be empty!','code':410}
+        
+        response = self.client.post(self.url_path)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_without_password_error_is_shown(self):
+        expected = {'message':'Password cannot be empty!','code':420}
+        
+        data = {'username': 'myname'}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+    
+    def test_without_reset_password_token_error_is_shown(self):
+        expected = {'message': 'Invalid Reset Password Token given!','code':461}
+        
+        data = {'username': 'myname', 'password': 'mypass'}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_without_valid_reset_password_token_error_is_shown(self):
+        expected = {'message': 'Invalid Reset Password Token given!','code':461}
+        
+        data = {'username': 'myname', 'password': 'mypass', 'reset_password_token': 'alma'}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_without_saved_reset_password_token_error_is_shown(self):
+        expected = {'message': 'Invalid Reset Password Token given!','code':461}
+        
+        data = {'username': 'myname', 'password': 'mypass', 'reset_password_token': 'alma'}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_with_expired_reset_password_token_error_is_shown(self, mock_time):
+        expected = {'message': 'Invalid Reset Password Token given!','code':461}
+        token = 'alma'
+        username = 'myname'
+        self.save_token(token = token, username = username, expires_at = 10)
+        
+        data = {'username': username, 'password': 'mypass', 'reset_password_token': token}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_with_valid_registration_token_but_no_user_error_is_shown(self, mock_time):
+        expected = {'message': 'User cannot be found!','code':412}
+        token = 'alma'
+        username = 'myname'
+        self.save_token(token = token, username = username, expires_at = 1100)
+        
+        data = {'username': username, 'password': 'mypass', 'reset_password_token': token}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_with_valid_token_and_user_success_is_shown(self, mock_time):
+        expected = {'message': 'Password was Saved!','code':201}
+        token = 'alma'
+        username = 'myname'
+        self.save_token(token = token, username = username, expires_at = 1100)
+        user = RegisteringUser(
+            name = username,
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        
+        data = {'username': username, 'password': 'mypass', 'reset_password_token': token}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_reset_password_can_be_used(self, mock_time):
+        expected_keys = {'otp_secret'}
+        expected_format = r'^otpauth://totp/FnivesVOD:myname\?secret=[^&]*&issuer=FnivesVOD$'
+        token = 'alma'
+        username = 'myname'
+        self.save_token(token = token, username = username, expires_at = 1100)
+        user = RegisteringUser(
+            name = username,
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        self.insert_user(user)
+        data = {'username': username, 'password': 'mypass', 'reset_password_token': token}
+        self.client.post(self.url_path, data=data)
+
+        login_data = {'username': username, 'password': 'mypass'}
+        response = self.client.post('/login', data=login_data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(200, response.status_code)
+        self.assertEqual(expected_keys, set(actual_response_json.keys()))
+        self.assertRegex(actual_response_json['otp_secret'], expected_format)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_same_token_cannot_be_reused(self, mock_time):
+        expected = {'message': 'Invalid Reset Password Token given!','code':461}
+        token = 'alma'
+        username = 'myname'
+        self.save_token(token = token, username = username, expires_at = 1100)
+        user = RegisteringUser(
+            name = username,
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        self.insert_user(user)
+        data = {'username': username, 'password': 'mypass', 'reset_password_token': token}
+        self.client.post(self.url_path, data=data)
+
+        data = {'username': username, 'password': 'mypass', 'reset_password_token': token}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_no_previous_token_can_be_reused_after_reset(self, mock_time):
+        expected = {'message': 'Invalid Reset Password Token given!','code':461}
+        token = 'alma'
+        token2 = 'alma2'
+        username = 'myname'
+        self.save_token(token = token, username = username, expires_at = 1100)
+        self.save_token(token = token2, username = username, expires_at = 1100)
+        user = RegisteringUser(
+            name = username,
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        self.insert_user(user)
+        data = {'username': username, 'password': 'mypass', 'reset_password_token': token}
+        self.client.post(self.url_path, data=data)
+
+        data = {'username': username, 'password': 'mypass', 'reset_password_token': token2}
+        response = self.client.post(self.url_path, data=data)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)

server/flask/application/test/test_reset_user_otp_verification.py

@@ -0,0 +1,243 @@
+import os
+import unittest
+import unittest.mock
+import json
+from .context import create_app, default_test_config
+from backend.data import db
+from backend.data import dao_users
+from backend.data import dao_registration_tokens
+from backend.data import dao_session
+from backend.data.data_models import RegisteringUser
+from backend.data.data_models import Session
+
+class ResetUserOTPVerificationTest(unittest.TestCase):
+ 
+    url_path = '/admin/reset_otp_verification'
+    app = create_app(default_test_config)
+    client = app.test_client()
+
+    def setUp(self):
+        with self.app.app_context():
+            db.init_db()
+    
+    def tearDown(self):
+        with self.app.app_context():
+            db.close_db()
+        os.remove("testdb")
+    
+    def insert_user(self, user: RegisteringUser):
+        with self.app.app_context():
+            user_id = dao_users.insert_user(user)
+        return user_id
+
+    def insert_session(self, session: Session):
+        with self.app.app_context():
+            dao_session.insert_user_session(session)
+
+    def inser_registration_token(self, token: str):
+        with self.app.app_context():
+            dao_registration_tokens.insert_token(token)
+
+    def test_no_headers_returns_unauthorized(self):
+        expected = {'message':'Missing Authorization!','code':440}
+
+        response = self.client.post(self.url_path)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    def test_not_saved_access_token_headers_returns_unauthorized(self):
+        expected = {'message':'Invalid Authorization!','code':441}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers=header)
+        actual_response_json = json.loads(response.data.decode())
+
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_expired_access_token_headers_returns_unauthorized(self, mock_time):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=950,
+            refresh_expires_at=1050,
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':441}
+        
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers=header)
+        actual_response_json = json.loads(response.data.decode())
+        
+        self.assertEqual(401, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_non_saved_user_error_is_shown(self, mock_time):
+        session = Session(
+            user_id=2,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'message':'Invalid Authorization!','code':442}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_correct_authentication_but_no_otp_shows_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232'
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        expected = {'code': 431, 'message': 'Invalid Token!'}
+
+        header = {'Authorization': 'token'}
+        response = self.client.post(self.url_path, headers = header)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_correct_authentication_and_otp_but_not_priviliged_shows_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = False
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'code': 460, 'message': 'Not Authorized!'}
+
+        header = {'Authorization': 'token'}
+        data = {'otp': '{}'.format(correct_code)}
+        response = self.client.post(self.url_path, headers = header, data = data)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_correct_privilidged_authentication_and_otp_without_usertoreset_shows_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = True
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'code': 413, 'message': 'username_to_reset cannot be empty!'}
+
+        header = {'Authorization': 'token'}
+        data = {'otp': '{}'.format(correct_code)}
+        response = self.client.post(self.url_path, headers = header, data = data)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_correct_privilidged_authentication_and_otp_but_nonexistent_usertoreset_shows_error(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = True
+        )
+        user_id = self.insert_user(user)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'message':'User cannot be found!','code':412}
+
+        header = {'Authorization': 'token'}
+        data = {'username_to_reset': 'alma', 'otp': '{}'.format(correct_code)}
+        response = self.client.post(self.url_path, headers = header, data = data)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(400, response.status_code)
+        self.assertEqual(expected, actual_response_json)
+
+    @unittest.mock.patch('time.time', return_value=1000)
+    def test_sending_correct_data_otp_verification_is_updated(self, mock_time):
+        user = RegisteringUser(
+            name = 'banan',
+            password = 'citrom',
+            otp_secret = 'base32secret3232',
+            privileged = True
+        )
+        user_id = self.insert_user(user)
+        user_to_reset = RegisteringUser(
+            name = 'alma',
+            password = '',
+            otp_secret = '',
+            was_otp_verified = True
+        )
+        self.insert_user(user_to_reset)
+        session = Session(
+            user_id=user_id,
+            access_token='token',
+            refresh_token='',
+            access_expires_at=1050,
+            refresh_expires_at=2000
+        )
+        self.insert_session(session)
+        correct_code = 585501 #for 1000 and base32secret3232
+        expected = {'code': 207, 'message': 'OTP Verification Reset!'}
+
+        header = {'Authorization': 'token'}
+        data = {'username_to_reset': '{}'.format(user_to_reset.name), 'otp': '{}'.format(correct_code)}
+        response = self.client.post(self.url_path, headers = header, data = data)
+
+        actual_response_json = json.loads(response.data.decode())
+        self.assertEqual(expected, actual_response_json)
+        self.assertEqual(200, response.status_code)
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)