First pass at implementing API authentication using new JWT tokens

- NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients.
2026-01-31 23:26:23 -05:00 · 2015-12-15 10:47:20 +00:00
parent 6a3bbbf890
commit dbf70ec1eb
6 changed files with 190 additions and 172 deletions
--- a/tests/app/main/views/test_authentication.py
+++ b/tests/app/main/views/test_authentication.py
@@ -0,0 +1,131 @@
+from flask import json
+from client.jwt import create_jwt_token
+
+
+def test_should_not_allow_request_with_no_token(notify_api):
+    response = notify_api.test_client().get("/")
+    assert response.status_code == 401
+    data = json.loads(response.get_data())
+    assert data['error'] == 'Unauthorized, authentication token must be provided'
+
+
+def test_should_not_allow_request_with_incorrect_header(notify_api):
+    response = notify_api.test_client().get(
+        "/",
+        headers={
+            'Authorization': 'Basic 1234'
+        }
+    )
+    assert response.status_code == 401
+    data = json.loads(response.get_data())
+    assert data['error'] == 'Unauthorized, authentication bearer scheme must be used'
+
+
+def test_should_not_allow_request_with_incorrect_token(notify_api):
+    response = notify_api.test_client().get(
+        "/",
+        headers={
+            'Authorization': 'Bearer 1234'
+        }
+    )
+    assert response.status_code == 403
+    data = json.loads(response.get_data())
+    assert data['error'] == 'Invalid token: signature'
+
+
+def test_should_not_allow_incorrect_path(notify_api):
+    token = create_jwt_token(request_method="GET", request_path="/bad", secret="secret", client_id="client_id")
+    response = notify_api.test_client().get(
+        "/",
+        headers={
+            'Authorization': "Bearer {}".format(token)
+        }
+    )
+    assert response.status_code == 403
+    data = json.loads(response.get_data())
+    assert data['error'] == 'Invalid token: request'
+
+
+def test_should_not_allow_incorrect_method(notify_api):
+    token = create_jwt_token(request_method="POST", request_path="/", secret="secret", client_id="client_id")
+    response = notify_api.test_client().get(
+        "/",
+        headers={
+            'Authorization': "Bearer {}".format(token)
+        }
+    )
+    assert response.status_code == 403
+    data = json.loads(response.get_data())
+    assert data['error'] == 'Invalid token: request'
+
+
+def test_should_not_allow_invalid_secret(notify_api):
+    token = create_jwt_token(request_method="POST", request_path="/", secret="not-so-secret", client_id="client_id")
+    response = notify_api.test_client().get(
+        "/",
+        headers={
+            'Authorization': "Bearer {}".format(token)
+        }
+    )
+    assert response.status_code == 403
+    data = json.loads(response.get_data())
+    assert data['error'] == 'Invalid token: signature'
+
+
+def test_should_allow_valid_token(notify_api):
+    token = create_jwt_token(request_method="GET", request_path="/", secret="secret", client_id="client_id")
+    response = notify_api.test_client().get(
+        "/",
+        headers={
+            'Authorization': 'Bearer {}'.format(token)
+        }
+    )
+    assert response.status_code == 201
+
+
+def test_should_allow_valid_token_with_post_body(notify_api):
+    json_body = json.dumps({
+        "key1": "value1",
+        "key2": "value2",
+        "key3": "value3"
+    })
+    token = create_jwt_token(
+        request_method="POST",
+        request_path="/",
+        secret="secret",
+        client_id="client_id",
+        request_body=json_body
+    )
+    response = notify_api.test_client().post(
+        "/",
+        data=json_body,
+        headers={
+            'Authorization': 'Bearer {}'.format(token)
+        }
+    )
+    assert response.status_code == 200
+
+
+def test_should_not_allow_valid_token_with_invalid_post_body(notify_api):
+    json_body = json.dumps({
+        "key1": "value1",
+        "key2": "value2",
+        "key3": "value3"
+    })
+    token = create_jwt_token(
+        request_method="POST",
+        request_path="/",
+        secret="secret",
+        client_id="client_id",
+        request_body=json_body
+    )
+    response = notify_api.test_client().post(
+        "/",
+        data="spurious",
+        headers={
+            'Authorization': 'Bearer {}'.format(token)
+        }
+    )
+    assert response.status_code == 403
+    data = json.loads(response.get_data())
+    assert data['error'] == 'Invalid token: payload'