Add link to docs for api token errors

This commit is contained in:
David McDonald
2020-01-24 16:55:12 +00:00
parent cb0cd7ad50
commit 8df5cf1bd2
2 changed files with 10 additions and 6 deletions


@@ -9,6 +9,8 @@ from sqlalchemy.orm.exc import NoResultFound
from app.dao.services_dao import dao_fetch_service_by_id_with_api_keys
TOKEN_ERROR_GUIDANCE = "See our requirements for JSON Web Tokens at https://docs.notifications.service.gov.uk/rest-api.html#authorisation-header" # noqa
class AuthError(Exception):
def __init__(self, message, code, service_id=None, api_key_id=None):
@@ -88,7 +90,7 @@ def requires_auth():
except TokenAlgorithmError:
# During decoding and validation, it appears the token was created with an algorithm
# we don't allow so it fails validation
err_msg = "Invalid token: algorithm used is not HS256"
err_msg = "Invalid token: algorithm used is not HS256. " + TOKEN_ERROR_GUIDANCE
raise AuthError(err_msg, 403, service_id=service.id, api_key_id=api_key.id)
except TokenDecodeError:
# Given the algorithm chosen was fine, we attempted to validate the token but it failed
@@ -120,9 +122,9 @@ def __get_token_issuer(auth_token):
try:
issuer = get_token_issuer(auth_token)
except TokenIssuerError:
raise AuthError("Invalid token: iss field not provided", 403)
raise AuthError("Invalid token: iss field not provided. " + TOKEN_ERROR_GUIDANCE, 403)
except TokenDecodeError:
raise AuthError("Invalid token: API token is not valid", 403)
raise AuthError("Invalid token: API token is not valid. " + TOKEN_ERROR_GUIDANCE, 403)
return issuer
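Review bot: In requires_auth only the TokenAlgorithmError branch gains TOKEN_ERROR_GUIDANCE; the `except TokenDecodeError:` branch that begins on the last lines of the second hunk has its raise outside the hunk and appears untouched, so a token that fails decoding there is reported without the docs link while the same condition in __get_token_issuer now includes it. If that asymmetry is deliberate, a short comment on that branch (e.g. `# guidance link intentionally omitted here`) would save the next reader a search; otherwise append the guidance there as well. The `# noqa` on the TOKEN_ERROR_GUIDANCE definition can be dropped by splitting the literal with implicit concatenation, `TOKEN_ERROR_GUIDANCE = ("See our requirements for JSON Web Tokens at " "https://docs.notifications.service.gov.uk/rest-api.html#authorisation-header")`, which keeps the line length within the linter's limit without suppressing the check. The bodies of requires_auth and __get_token_issuer extend beyond the hunks shown.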


@@ -38,7 +38,7 @@ def test_should_not_allow_request_with_incorrect_token(client, auth_fn):
request.headers = {'Authorization': 'Bearer 1234'}
with pytest.raises(AuthError) as exc:
auth_fn()
assert exc.value.short_message == 'Invalid token: API token is not valid'
assert 'Invalid token: API token is not valid. See our requirements' in exc.value.short_message
@pytest.mark.parametrize('auth_fn', [requires_auth, requires_admin_auth])
@@ -59,7 +59,7 @@ def test_should_not_allow_request_with_no_iss(client, auth_fn):
request.headers = {'Authorization': 'Bearer {}'.format(token)}
with pytest.raises(AuthError) as exc:
auth_fn()
assert exc.value.short_message == 'Invalid token: iss field not provided'
assert 'Invalid token: iss field not provided. See our requirements' in exc.value.short_message
def test_auth_should_not_allow_request_with_no_iat(client, sample_api_key):
@@ -80,6 +80,7 @@ def test_auth_should_not_allow_request_with_no_iat(client, sample_api_key):
request.headers = {'Authorization': 'Bearer {}'.format(token)}
with pytest.raises(AuthError) as exc:
requires_auth()
# TODO: This is not the correct error message to show here
assert exc.value.short_message == 'Invalid token: API key not found'
@@ -123,7 +124,7 @@ def test_auth_should_not_allow_request_with_non_hs256_algorithm(client, sample_a
request.headers = {'Authorization': 'Bearer {}'.format(token)}
with pytest.raises(AuthError) as exc:
requires_auth()
assert 'Invalid token: algorithm used is not HS256' in exc.value.short_message
assert 'Invalid token: algorithm used is not HS256. See our requirements' in exc.value.short_message
def test_auth_should_not_allow_request_with_extra_claims(client, sample_api_key):
@@ -145,6 +146,7 @@ def test_auth_should_not_allow_request_with_extra_claims(client, sample_api_key)
request.headers = {'Authorization': 'Bearer {}'.format(token)}
with pytest.raises(AuthError) as exc:
requires_auth()
# TODO: this is not the correct error message to show here
assert exc.value.short_message == 'Invalid token: API key not found'
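Review bot: The three assertions rewritten from `==` to `in` (the API-token, no-iss and non-HS256 tests) now check only a prefix ending at "See our requirements", so a wrong or stale URL in TOKEN_ERROR_GUIDANCE would no longer fail any test even though the link is the whole point of this change. Importing the constant alongside AuthError keeps the exact match, e.g. `assert exc.value.short_message == 'Invalid token: API token is not valid. ' + TOKEN_ERROR_GUIDANCE`, and the same form fits the other two. The two added `# TODO` comments in the no-iat and extra-claims tests state that 'Invalid token: API key not found' is wrong but not what is expected instead; naming the intended message, or the tracking issue, would make them actionable. The test functions continue outside the hunks shown.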