Check that session doesn't contain password

Author: Bouke

tests/test_views_login.py

@@ -1,3 +1,4 @@
+import json
 from unittest import mock
 
 from django.conf import settings
@@ -397,6 +398,19 @@ def test_missing_management_data(self):
         # view should return HTTP 400 Bad Request
         self.assertEqual(response.status_code, 400)
 
+    def test_no_password_in_session(self):
+        self.create_user()
+        self.enable_otp()
+
+        response = self._post({'auth-username': '[email protected]',
+                               'auth-password': 'secret',
+                               'login_view-current_step': 'auth'})
+        self.assertContains(response, 'Token:')
+
+        session_contents = json.dumps(list(self.client.session.items()))
+
+        self.assertNotIn('secret', session_contents)
+
 
 class BackupTokensTest(UserMixin, TestCase):
     def setUp(self):