From 1ce91997e8faa99a7e9e0405969a965fb290065e Mon Sep 17 00:00:00 2001
From: Chris Hill-Scott
Date: Fri, 16 Sep 2016 08:44:08 +0100
Subject: [PATCH] =?UTF-8?q?Give=20specifc=20error=20when=20service=20doesn?=
 =?UTF-8?q?=E2=80=99t=20exist?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If you sign a token with a service ID that doesn’t exist (say, for example, that you get service ID and API key mixed up) then you get an error saying that “no API keys exist for the service”. This is wrong because the service doesn’t even exist.

This commit adds:
- code to check if the service does exist
- a specific error message for this case

The check does mean an extra database call to look up the service. However this only happens _after_ looping through all the API keys. So it shouldn’t have a performance implication for anyone using a valid API key.
---
 app/authentication/auth.py                      | 8 ++++++++
 tests/app/authentication/test_authentication.py | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/app/authentication/auth.py b/app/authentication/auth.py
index 5353c4e4f..d7f842aab 100644
--- a/app/authentication/auth.py
+++ b/app/authentication/auth.py
@@ -1,8 +1,11 @@
 from flask import request, jsonify, _request_ctx_stack, current_app
+from sqlalchemy.orm.exc import NoResultFound
+
 from notifications_python_client.authentication import decode_jwt_token, get_token_issuer
 from notifications_python_client.errors import TokenDecodeError, TokenExpiredError
 
 from app.dao.api_key_dao import get_model_api_keys
+from app.dao.services_dao import dao_fetch_service_by_id
 
 
 class AuthError(Exception):
@@ -48,6 +51,11 @@ def requires_auth():
         _request_ctx_stack.top.api_user = api_key
         return
 
+    try:
+        dao_fetch_service_by_id(client)
+    except NoResultFound:
+        raise AuthError("Invalid token: service not found", 403)
+
     if not api_keys:
         raise AuthError("Invalid token: no api keys for service", 403)
     else:
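Review bot: The new `except NoResultFound` branch in requires_auth makes the 403 body distinguish an issuer whose service does not exist (`service not found`) from one that exists but has no keys or no matching key, so the response text now confirms to an unauthenticated caller which service IDs are real; if that disclosure is an accepted trade-off for this API, record it next to the check with a comment such as `# Deliberately distinct from the "no api keys" message: aids client debugging but confirms valid service ids to callers`, otherwise log the specific reason server-side and keep the client-facing message generic. The `raise AuthError(...)` inside the except clause also carries the NoResultFound as implicit exception context; `raise AuthError("Invalid token: service not found", 403) from None` keeps the logged traceback to the auth error alone. Only NoResultFound is caught, so if dao_fetch_service_by_id can raise anything else for a malformed issuer value (the hunk does not show how `client` is derived or validated) that request would surface as a 500 rather than a 403, which is worth a test with a non-UUID issuer. The body of requires_auth continues past the `else:` at the end of the hunk.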
diff --git a/tests/app/authentication/test_authentication.py b/tests/app/authentication/test_authentication.py
index 0fb409dd2..7fdc1b922 100644
--- a/tests/app/authentication/test_authentication.py
+++ b/tests/app/authentication/test_authentication.py
@@ -211,7 +211,7 @@ def test_authentication_returns_error_when_service_doesnt_exit(
     )
     assert response.status_code == 403
     error_message = json.loads(response.get_data())
-    assert error_message['message'] == {'token': ['Invalid token: no api keys for service']}
+    assert error_message['message'] == {'token': ['Invalid token: service not found']}
 
 
 def test_authentication_returns_error_when_service_has_no_secrets(notify_api,