Merge pull request #59 from alphagov/add-logging-for-auth-errors

Update the error response from the authentication method
2026-02-05 02:41:14 -05:00 · 2016-02-08 13:36:46 +00:00
parent db1c6749a6 416dd00ac8
commit d99776d6cc
2 changed files with 23 additions and 4 deletions
--- a/app/authentication/auth.py
+++ b/app/authentication/auth.py
@@ -1,10 +1,11 @@
-from flask import request, jsonify, _request_ctx_stack
+from flask import request, jsonify, _request_ctx_stack, current_app
 from client.authentication import decode_jwt_token, get_token_issuer
 from client.errors import TokenDecodeError, TokenRequestError, TokenExpiredError, TokenPayloadError
 from app.dao.api_key_dao import get_unsigned_secrets


 def authentication_response(message, code):
+    current_app.logger.info(message)
    return jsonify(
        error=message
    ), code
@@ -27,8 +28,7 @@ def requires_auth():
        return authentication_response("Invalid token: signature", 403)
    if api_client is None:
        authentication_response("Invalid credentials", 403)
-    # If the api_client does not have any secrets return response saying that
-    errors_resp = authentication_response("Invalid token: api client has no secrets", 403)
+
    for secret in api_client['secret']:
        try:
            decode_jwt_token(
@@ -53,7 +53,6 @@ def requires_auth():


 def fetch_client(client):
-    from flask import current_app
    if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):
        return {
            "client": client,
--- a/tests/app/authentication/test_authentication.py
+++ b/tests/app/authentication/test_authentication.py
@@ -214,6 +214,26 @@ def test_authentication_returns_token_expired_when_service_uses_expired_key_and_
            assert data['error'] == 'Invalid token: signature'


+def test_authentication_returns_error_when_api_client_has_no_secrets(notify_api,
+                                                                     notify_db,
+                                                                     notify_db_session):
+    with notify_api.test_request_context():
+        with notify_api.test_client() as client:
+            api_secret = notify_api.config.get('ADMIN_CLIENT_SECRET')
+            token = create_jwt_token(request_method="GET",
+                                     request_path=url_for('service.get_service'),
+                                     secret=api_secret,
+                                     client_id=notify_api.config.get('ADMIN_CLIENT_USER_NAME')
+                                     )
+            notify_api.config['ADMIN_CLIENT_SECRET'] = ''
+            response = client.get(url_for('service.get_service'),
+                                  headers={'Authorization': 'Bearer {}'.format(token)})
+            assert response.status_code == 403
+            error_message = json.loads(response.get_data())
+            assert error_message['error'] == 'Invalid token: signature'
+            notify_api.config['ADMIN_CLIENT_SECRET'] = api_secret
+
+
 def __create_get_token(service_id):
    if service_id:
        return create_jwt_token(request_method="GET",