diff --git a/app/authentication/auth.py b/app/authentication/auth.py
index 8e00870a1..cee297681 100644
--- a/app/authentication/auth.py
+++ b/app/authentication/auth.py
@@ -9,6 +9,8 @@ from sqlalchemy.orm.exc import NoResultFound
 from app.dao.services_dao import dao_fetch_service_by_id_with_api_keys
+TOKEN_ERROR_GUIDANCE = "See our requirements for JSON Web Tokens at https://docs.notifications.service.gov.uk/rest-api.html#authorisation-header" # noqa
+
 class AuthError(Exception):
 def __init__(self, message, code, service_id=None, api_key_id=None):
@@ -88,7 +90,7 @@ def requires_auth():
 except TokenAlgorithmError:
 # During decoding and validation, it appears the token was created with an algorithm
 # we don't allow so it fails validation
- err_msg = "Invalid token: algorithm used is not HS256"
+ err_msg = "Invalid token: algorithm used is not HS256. " + TOKEN_ERROR_GUIDANCE
 raise AuthError(err_msg, 403, service_id=service.id, api_key_id=api_key.id)
 except TokenDecodeError:
 # Given the algorithm chosen was fine, we attempted to validate the token but it failed
@@ -120,9 +122,9 @@ def __get_token_issuer(auth_token):
 try:
 issuer = get_token_issuer(auth_token)
 except TokenIssuerError:
- raise AuthError("Invalid token: iss field not provided", 403)
+ raise AuthError("Invalid token: iss field not provided. " + TOKEN_ERROR_GUIDANCE, 403)
 except TokenDecodeError:
- raise AuthError("Invalid token: API token is not valid", 403)
+ raise AuthError("Invalid token: API token is not valid. " + TOKEN_ERROR_GUIDANCE, 403)
 return issuer
diff --git a/tests/app/authentication/test_authentication.py b/tests/app/authentication/test_authentication.py
index 29464d01c..a6562694d 100644
--- a/tests/app/authentication/test_authentication.py
+++ b/tests/app/authentication/test_authentication.py
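Review bot: The bare `# noqa` on the new TOKEN_ERROR_GUIDANCE line silences every flake8 check on that line, not only the line-length one the long URL needs; scoping it as `# noqa: E501` keeps the other checks active. Because this text is concatenated onto messages that are returned to unauthenticated callers inside a 403 AuthError (the two later hunks), a short comment stating that would help future editors, e.g. `# Appended to client-facing auth error messages; keep it free of internal detail.`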
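Review bot: The `". "` separator and TOKEN_ERROR_GUIDANCE are now concatenated by hand at three raise sites (the HS256 branch here and the two raises in __get_token_issuer), which is how separators and wording drift apart over time. A single helper keeps the format in one place: `def _with_guidance(msg): return f"{msg}. {TOKEN_ERROR_GUIDANCE}"` and then `err_msg = _with_guidance("Invalid token: algorithm used is not HS256")` at each site. The enclosing requires_auth body starts and ends outside this hunk.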
@@ -38,7 +38,7 @@ def test_should_not_allow_request_with_incorrect_token(client, auth_fn):
 request.headers = {'Authorization': 'Bearer 1234'}
 with pytest.raises(AuthError) as exc:
 auth_fn()
- assert exc.value.short_message == 'Invalid token: API token is not valid'
+ assert 'Invalid token: API token is not valid. See our requirements' in exc.value.short_message
 @pytest.mark.parametrize('auth_fn', [requires_auth, requires_admin_auth])
@@ -59,7 +59,7 @@ def test_should_not_allow_request_with_no_iss(client, auth_fn):
 request.headers = {'Authorization': 'Bearer {}'.format(token)}
 with pytest.raises(AuthError) as exc:
 auth_fn()
- assert exc.value.short_message == 'Invalid token: iss field not provided'
+ assert 'Invalid token: iss field not provided. See our requirements' in exc.value.short_message
 def test_auth_should_not_allow_request_with_no_iat(client, sample_api_key):
@@ -80,6 +80,7 @@ def test_auth_should_not_allow_request_with_no_iat(client, sample_api_key):
 request.headers = {'Authorization': 'Bearer {}'.format(token)}
 with pytest.raises(AuthError) as exc:
 requires_auth()
+ # TODO: This is not the correct error message to show here
 assert exc.value.short_message == 'Invalid token: API key not found'
@@ -123,7 +124,7 @@ def test_auth_should_not_allow_request_with_non_hs256_algorithm(client, sample_a
 request.headers = {'Authorization': 'Bearer {}'.format(token)}
 with pytest.raises(AuthError) as exc:
 requires_auth()
- assert 'Invalid token: algorithm used is not HS256' in exc.value.short_message
+ assert 'Invalid token: algorithm used is not HS256. See our requirements' in exc.value.short_message
 def test_auth_should_not_allow_request_with_extra_claims(client, sample_api_key):
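Review bot: Replacing the equality assertion with a substring check weakens this test: it still passes if the guidance is truncated or altered after "See our requirements", because only that prefix is checked. Importing TOKEN_ERROR_GUIDANCE from app.authentication.auth and asserting the exact message keeps the client-facing text pinned: `assert exc.value.short_message == 'Invalid token: API token is not valid. ' + TOKEN_ERROR_GUIDANCE`. The same change applies to test_should_not_allow_request_with_no_iss, and the non-HS256 test (which already used a substring check) could be tightened the same way.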
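Review bot: The TODO added above the assertion in test_auth_should_not_allow_request_with_no_iat records that 'Invalid token: API key not found' is the wrong message but not what the right one is or why this one appears, so the next reader has nothing to act on; the same TODO is added in test_auth_should_not_allow_request_with_extra_claims. Presumably the decode failure for a token without iat is reached through the key-lookup path and reported as a lookup failure — if so, say that in the comment, e.g. `# TODO: a token with no iat fails decoding but is reported as 'API key not found'; it should raise an 'Invalid token' decode error`. A misleading message also makes a genuine key-lookup failure harder to distinguish from a malformed token in logs.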
@@ -145,6 +146,7 @@ def test_auth_should_not_allow_request_with_extra_claims(client, sample_api_key)
 request.headers = {'Authorization': 'Bearer {}'.format(token)}
 with pytest.raises(AuthError) as exc:
 requires_auth()
+ # TODO: this is not the correct error message to show here
 assert exc.value.short_message == 'Invalid token: API key not found'