Merge pull request #275 from alphagov/fix-auth-bug

This pull request fixes a bug in authentication.
2026-04-20 17:29:54 -04:00 · 2016-04-29 14:52:20 +01:00
parent 519b912edc 11c4696775
commit 559496a518
3 changed files with 25 additions and 2 deletions
--- a/app/authentication/auth.py
+++ b/app/authentication/auth.py
@@ -48,6 +48,8 @@ def requires_auth():
        except TokenDecodeError:
            errors_resp = authentication_response("Invalid token: signature", 403)

+    if not api_client['secret']:
+        errors_resp = authentication_response("Invalid token: signature", 403)
    return errors_resp


--- a/app/celery/tasks.py
+++ b/app/celery/tasks.py
@@ -162,7 +162,7 @@ def process_job(job_id):
        if template.template_type == 'sms':
            send_sms.apply_async((
                str(job.service_id),
-                str(create_uuid()),
+                create_uuid(),
                encrypted,
                datetime.utcnow().strftime(DATETIME_FORMAT)),
                queue='bulk-sms'
@@ -171,7 +171,7 @@ def process_job(job_id):
        if template.template_type == 'email':
            send_email.apply_async((
                str(job.service_id),
-                str(create_uuid()),
+                create_uuid(),
                '"{}" <{}@{}>'.format(
                    service.name,
                    service.email_from,
--- a/tests/app/authentication/test_authentication.py
+++ b/tests/app/authentication/test_authentication.py
@@ -273,6 +273,27 @@ def test_authentication_returns_error_when_api_client_has_no_secrets(notify_api,
            notify_api.config['ADMIN_CLIENT_SECRET'] = api_secret


+def test_authentication_returns_error_when_service_has_no_secrets(notify_api,
+                                                                  notify_db,
+                                                                  notify_db_session,
+                                                                  sample_service,
+                                                                  fake_uuid):
+    with notify_api.test_request_context():
+        with notify_api.test_client() as client:
+            token = create_jwt_token(
+                request_method="GET",
+                request_path='/service',
+                secret=fake_uuid,
+                client_id=str(sample_service.id))
+
+            response = client.get(
+                '/service',
+                headers={'Authorization': 'Bearer {}'.format(token)})
+            assert response.status_code == 403
+            error_message = json.loads(response.get_data())
+            assert error_message['message'] == 'Invalid token: signature'
+
+
 def __create_get_token(service_id):
    if service_id:
        return create_jwt_token(request_method="GET",