From 877a8a0411f29555c3280ec724c514ccbf93d570 Mon Sep 17 00:00:00 2001
From: Rebecca Law
Date: Mon, 8 Feb 2016 11:10:54 +0000
Subject: [PATCH 1/2] Added logging for the authentication errors. Moved the "no api secret" error message to the end and only create it if there are no api client secrets
---
 app/authentication/auth.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/app/authentication/auth.py b/app/authentication/auth.py
index 0f4100e6d..8172a91b1 100644
--- a/app/authentication/auth.py
+++ b/app/authentication/auth.py
@@ -1,10 +1,11 @@
-from flask import request, jsonify, _request_ctx_stack
+from flask import request, jsonify, _request_ctx_stack, current_app
 from client.authentication import decode_jwt_token, get_token_issuer
 from client.errors import TokenDecodeError, TokenRequestError, TokenExpiredError, TokenPayloadError
 from app.dao.api_key_dao import get_unsigned_secrets
 
 
 def authentication_response(message, code):
+ current_app.logger.info(message)
 return jsonify(
 error=message
 ), code
@@ -27,8 +28,8 @@ def requires_auth():
 return authentication_response("Invalid token: signature", 403)
 if api_client is None:
 authentication_response("Invalid credentials", 403)
- # If the api_client does not have any secrets return response saying that
- errors_resp = authentication_response("Invalid token: api client has no secrets", 403)
+
+ errors_resp = None
 for secret in api_client['secret']:
 try:
 decode_jwt_token(
@@ -49,11 +50,14 @@ def requires_auth():
 except TokenDecodeError:
 errors_resp = authentication_response("Invalid token: signature", 403)
 
+ if errors_resp is None:
+ # If we got this far with out any errors then the api client has no secrets
+ errors_resp = authentication_response("Invalid token: api client has no secrets", 403)
+
 return errors_resp
 
 
 def fetch_client(client):
- from flask import current_app
 if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):
 return {
 "client": client,
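Review bot: The new `current_app.logger.info(message)` in authentication_response records only the fixed message text, so the log line cannot be tied to the request that failed, which limits its use for spotting a misconfigured client or repeated bad credentials. Since `request` is already imported on the first line of this hunk, `current_app.logger.info("authentication failed on %s: %s", request.path, message)` gives an operator something to correlate on while still keeping the token itself out of the log. Failed authentication is also usually logged at warning rather than info so that it is still recorded under a typical production log level.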
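Review bot: The context line `authentication_response("Invalid credentials", 403)` under `if api_client is None:` discards the response it builds, so a request for an unknown client continues into the new `errors_resp = None` line and then into `for secret in api_client['secret']` with `api_client` still None; unless something outside the hunk returns earlier, that looks like a TypeError (a 500) where a 403 was intended, and with this commit it now also logs a failure that is never sent to the caller. The line should read `return authentication_response("Invalid credentials", 403)`. requires_auth begins and ends outside this hunk.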
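Review bot: The added `if errors_resp is None:` block infers "the client has no secrets" from the loop never having assigned errors_resp, which ties the message to an incidental property of the loop's exception handlers (above this hunk) rather than to the input; checking the list directly before the loop, `if not api_client['secret']: return authentication_response("Invalid token: api client has no secrets", 403)`, states the condition the comment describes and leaves the handlers responsible only for decode failures. The new comment also reads `with out`; it should be `without`. requires_auth begins outside this hunk.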
From 416dd00ac82aba84ac6630db1647bf75cfa7bf6d Mon Sep 17 00:00:00 2001
From: Rebecca Law
Date: Mon, 8 Feb 2016 11:29:53 +0000
Subject: [PATCH 2/2] Added a test for the case when there is no secret for the api client. Fix codestyle
---
 app/authentication/auth.py | 5 -----
 .../app/authentication/test_authentication.py | 20 +++++++++++++++++++
 2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/app/authentication/auth.py b/app/authentication/auth.py
index 8172a91b1..8cf9e187c 100644
--- a/app/authentication/auth.py
+++ b/app/authentication/auth.py
@@ -29,7 +29,6 @@ def requires_auth():
 if api_client is None:
 authentication_response("Invalid credentials", 403)
 
- errors_resp = None
 for secret in api_client['secret']:
 try:
 decode_jwt_token(
@@ -50,10 +49,6 @@ def requires_auth():
 except TokenDecodeError:
 errors_resp = authentication_response("Invalid token: signature", 403)
 
- if errors_resp is None:
- # If we got this far with out any errors then the api client has no secrets
- errors_resp = authentication_response("Invalid token: api client has no secrets", 403)
-
 return errors_resp
 
 
diff --git a/tests/app/authentication/test_authentication.py b/tests/app/authentication/test_authentication.py
index ea6567a8a..74c67c4ef 100644
--- a/tests/app/authentication/test_authentication.py
+++ b/tests/app/authentication/test_authentication.py
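Review bot: Removing `errors_resp = None` (first hunk) together with the post-loop `if errors_resp is None:` fallback (second hunk) leaves `errors_resp` unassigned whenever `api_client['secret']` is empty, so `return errors_resp` would raise UnboundLocalError and the caller would get a 500 where the previous commit returned a 403. The test added in this patch does not reach that path: it sets `ADMIN_CLIENT_SECRET` to `''` and its own assertion of `'Invalid token: signature'` shows it exercises a signature failure against a present-but-empty secret, not an absent one. If fetch_client or get_unsigned_secrets (both outside these hunks) can ever return an empty list, guard it before the loop with `if not api_client['secret']: return authentication_response("Invalid token: api client has no secrets", 403)`. requires_auth begins and ends outside these hunks.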
@@ -214,6 +214,26 @@ def test_authentication_returns_token_expired_when_service_uses_expired_key_and_
 assert data['error'] == 'Invalid token: signature'
 
 
+def test_authentication_returns_error_when_api_client_has_no_secrets(notify_api,
+ notify_db,
+ notify_db_session):
+ with notify_api.test_request_context():
+ with notify_api.test_client() as client:
+ api_secret = notify_api.config.get('ADMIN_CLIENT_SECRET')
+ token = create_jwt_token(request_method="GET",
+ request_path=url_for('service.get_service'),
+ secret=api_secret,
+ client_id=notify_api.config.get('ADMIN_CLIENT_USER_NAME')
+ )
+ notify_api.config['ADMIN_CLIENT_SECRET'] = ''
+ response = client.get(url_for('service.get_service'),
+ headers={'Authorization': 'Bearer {}'.format(token)})
+ assert response.status_code == 403
+ error_message = json.loads(response.get_data())
+ assert error_message['error'] == 'Invalid token: signature'
+ notify_api.config['ADMIN_CLIENT_SECRET'] = api_secret
+
+
 def __create_get_token(service_id):
 if service_id:
 return create_jwt_token(request_method="GET",
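Review bot: The test restores `ADMIN_CLIENT_SECRET` only on the success path, so if any of its three asserts fails the app config is left with an empty admin secret for every test that runs afterwards, and those later failures will look unrelated. Wrap the body after `api_secret = ...` in `try:` and move the restore into `finally: notify_api.config['ADMIN_CLIENT_SECRET'] = api_secret`. The name says "has no secrets" but the test blanks the secret to `''` and asserts `'Invalid token: signature'`, so the case of an empty secret list, the one the auth.py hunks in this patch stop handling, is not exercised; a second case that arranges an empty secret list and asserts the 403 would cover it.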