Standardise auth checks for both kinds of API auth

Previously "requires_auth" and "requires_admin_auth" had similar
but different ways of checking their keys. This switches them to
use the same checks, with the admin / internal auth passing in a
fake / stub set of "api keys" to check.

Pulling out the logic this way will make it easier to unpick the
tests, so we can focus on testing what's unique to each kind of
API auth and avoid future duplication when we start calling the
"requires_internal_auth" method with other client_ids.

Note that a couple of error messages / response codes have changed
for admin / internal auth. None of these occur in practice, so we
can make them consistent with the behaviour for the public API.
Ben Thorner
2021-07-27 18:04:12 +01:00
parent e08d726f05
commit 1d806d65eb
2 changed files with 36 additions and 34 deletions


@@ -134,7 +134,7 @@ def test_requires_admin_auth_should_not_allow_request_with_no_iat(
request.headers = {'Authorization': 'Bearer {}'.format(token)}
with pytest.raises(AuthError) as exc:
requires_admin_auth()
assert exc.value.short_message == "Unauthorized: API authentication token not found"
assert exc.value.short_message == "Invalid token: API key not found"
def test_requires_admin_auth_should_not_allow_request_with_old_iat(
@@ -150,7 +150,7 @@ def test_requires_admin_auth_should_not_allow_request_with_old_iat(
request.headers = {'Authorization': 'Bearer {}'.format(token)}
with pytest.raises(AuthError) as exc:
requires_admin_auth()
assert exc.value.short_message == "Invalid token: expired, check that your system clock is accurate"
assert exc.value.short_message == "Error: Your system clock must be accurate to within 30 seconds"
def test_requires_auth_should_not_allow_request_with_extra_claims(
@@ -342,9 +342,9 @@ def test_requires_admin_auth_returns_error_with_no_secrets(
'/service',
headers={'Authorization': 'Bearer {}'.format(admin_jwt_token)})
assert response.status_code == 401
assert response.status_code == 403
error_message = json.loads(response.get_data())
assert error_message['message'] == {"token": ["Unauthorized: API authentication token not found"]}
assert error_message['message'] == {"token": ["Invalid token: API key not found"]}
def test_requires_admin_auth_returns_error_when_secret_is_invalid(
@@ -359,9 +359,9 @@ def test_requires_admin_auth_returns_error_when_secret_is_invalid(
'/service',
headers={'Authorization': 'Bearer {}'.format(admin_jwt_token)})
assert response.status_code == 401
assert response.status_code == 403
error_message = json.loads(response.get_data())
assert error_message['message'] == {"token": ["Unauthorized: API authentication token not found"]}
assert error_message['message'] == {"token": ["Invalid token: API key not found"]}
def test_requires_auth_returns_error_when_service_doesnt_exist(