From e600a199a1acaa8ccfd56961c22e98f8ed7a7d13 Mon Sep 17 00:00:00 2001
From: chrisw
Date: Thu, 8 Mar 2018 13:14:56 +0000
Subject: [PATCH] handle malformed invite tokens

---
 app/accept_invite/rest.py                      | 5 ++++-
 .../accept_invite/test_accept_invite_rest.py | 20 +++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/app/accept_invite/rest.py b/app/accept_invite/rest.py
index dcdf64b0a..a6ac0773b 100644
--- a/app/accept_invite/rest.py
+++ b/app/accept_invite/rest.py
@@ -4,7 +4,7 @@ from flask import (
     current_app
 )
 
-from itsdangerous import SignatureExpired
+from itsdangerous import SignatureExpired, BadData
 
 from notifications_utils.url_safe_token import check_token
 
@@ -38,6 +38,9 @@ def validate_invitation_token(invitation_type, token):
             ['Your invitation to GOV.UK Notify has expired. '
              'Please ask the person that invited you to send you another one']}
         raise InvalidRequest(errors, status_code=400)
+    except BadData:
+        errors = {'invitation': 'Something’s wrong with this link. Make sure you’ve copied the whole thing.'}
+        raise InvalidRequest(errors, status_code=400)
 
     if invitation_type == 'service':
         invited_user = get_invited_user_by_id(invited_user_id)
diff --git a/tests/app/accept_invite/test_accept_invite_rest.py b/tests/app/accept_invite/test_accept_invite_rest.py
index 407f4705c..ccdd8e42c 100644
--- a/tests/app/accept_invite/test_accept_invite_rest.py
+++ b/tests/app/accept_invite/test_accept_invite_rest.py
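Review bot: The new `except BadData` branch returns `'invitation'` as a plain string, while the `SignatureExpired` branch just above it wraps its message in a list (`['Your invitation to GOV.UK Notify has expired. ' ...]`), so callers reading `message['invitation']` now get two different shapes for the same key; `errors = {'invitation': ['Something’s wrong with this link. Make sure you’ve copied the whole thing.']}` would keep the error contract uniform. In itsdangerous `BadSignature` derives from `BadData`, so this branch also absorbs structurally valid tokens whose signature does not verify — the tampering case a defender wants to see — and a `current_app.logger.warning('Invalid %s invitation token', invitation_type)` before the raise (without echoing the token itself) would let the logs tell a forged link apart from a truncated copy-paste. The handler order is right as written: the narrower `SignatureExpired` handler comes first, so expiry keeps its own message. `validate_invitation_token` begins before this hunk, so the `try` and the `check_token` call it guards are not visible here.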
@@ -61,3 +61,23 @@ def test_validate_invitation_token_returns_400_when_invited_user_does_not_exist(
     json_resp = json.loads(response.get_data(as_text=True))
     assert json_resp['result'] == 'error'
     assert json_resp['message'] == 'No result found'
+
+
+@pytest.mark.parametrize('invitation_type', ['service', 'organisation'])
+def test_validate_invitation_token_returns_400_when_token_is_malformed(client, invitation_type):
+    token = generate_token(
+        str(uuid.uuid4()),
+        current_app.config['SECRET_KEY'],
+        current_app.config['DANGEROUS_SALT']
+    )[:-2]
+
+    url = '/invite/{}/{}'.format(invitation_type, token)
+    auth_header = create_authorization_header()
+    response = client.get(url, headers=[('Content-Type', 'application/json'), auth_header])
+
+    assert response.status_code == 400
+    json_resp = json.loads(response.get_data(as_text=True))
+    assert json_resp['result'] == 'error'
+    assert json_resp['message'] == {
+        'invitation': 'Something’s wrong with this link. Make sure you’ve copied the whole thing.'
+    }
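Review bot: The new test only exercises a truncated token (the `[:-2]` slice), so the other input class the handler now absorbs — a well-formed token whose signature does not verify against `SECRET_KEY` — has nothing pinning the 400 and the message; a second case that signs with a different key, e.g. `generate_token(str(uuid.uuid4()), 'not-the-real-key', current_app.config['DANGEROUS_SALT'])`, would cover the forged-signature path that matters for security, assuming `generate_token` takes the key positionally as the visible call suggests. A third case passing an obviously non-token string such as `'not-a-token'` would cover payload-decoding failure rather than only signature failure. The `[:-2]` trick depends on the signature sitting at the tail of the token, which is worth stating in a comment, `# drop the last two characters so the signature no longer verifies`.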