darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2025-12-24 09:21:39 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1752 from alphagov/handle-malformed-tokens-on-invite

Browse Source 
Handle malformed invite tokens
This commit is contained in:
Chris Waszczuk
2018-03-14 10:24:58 +00:00
committed by GitHub
parent 20eb329e49 e600a199a1
commit 08656bde5c
2 changed files with 24 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
app/accept_invite/rest.py
View File

@@ -4,7 +4,7 @@ from flask import (
current_app
)
from itsdangerous import SignatureExpired
from itsdangerous import SignatureExpired, BadData
from notifications_utils.url_safe_token import check_token
@@ -38,6 +38,9 @@ def validate_invitation_token(invitation_type, token):
['Your invitation to GOV.UK Notify has expired. '
'Please ask the person that invited you to send you another one']}
raise InvalidRequest(errors, status_code=400)
except BadData:
errors = {'invitation': 'Somethings wrong with this link. Make sure youve copied the whole thing.'}
raise InvalidRequest(errors, status_code=400)
if invitation_type == 'service':
invited_user = get_invited_user_by_id(invited_user_id)

20
tests/app/accept_invite/test_accept_invite_rest.py
View File

@@ -61,3 +61,23 @@ def test_validate_invitation_token_returns_400_when_invited_user_does_not_exist(
json_resp = json.loads(response.get_data(as_text=True))
assert json_resp['result'] == 'error'
assert json_resp['message'] == 'No result found'
@pytest.mark.parametrize('invitation_type', ['service', 'organisation'])
def test_validate_invitation_token_returns_400_when_token_is_malformed(client, invitation_type):
token = generate_token(
str(uuid.uuid4()),
current_app.config['SECRET_KEY'],
current_app.config['DANGEROUS_SALT']
)[:-2]
url = '/invite/{}/{}'.format(invitation_type, token)
auth_header = create_authorization_header()
response = client.get(url, headers=[('Content-Type', 'application/json'), auth_header])
assert response.status_code == 400
json_resp = json.loads(response.get_data(as_text=True))
assert json_resp['result'] == 'error'
assert json_resp['message'] == {
'invitation': 'Somethings wrong with this link. Make sure youve copied the whole thing.'
}