And support this change across our code. Note, this is a halfway step
where it is not a list rather than a string but still only supports a
single secret, ie one item in the list.
This fixes the test in the previous commit and means we will catch other
unexpected jwt errors which are now raised as `TokenError`s and raise an
AuthError based on this.
This will stop us serving 5xx to users when we don't catch an exception.
Also runs make freeze-requirements
The main drive behind this is to allow us to enable http healthchecks on
the `/_status` endpoint. The healthcheck requests are happening directly
on the instances without going to the proxy to get the header properly
set.
In any case, endpoints like `/_status` should be generally accessible by
anything without requiring any form of authorization.
example log line:
```
API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)"
```
if you log a dictionary, python-json-logger will pass that through to
the json output. In the ip restriction wrapper, lets log the ip_address
and whether it was found in the whitelist, to a nested `log_contents`
dict.
when logging json, it looks like this:
{"name": "app", "levelname": "INFO", "message": "Logging configured", "pathname": "/Users/leohemsted/.virtualenvs/api/lib/python3.5/site-packages/notifications_utils/logging.py", "lineno": 98, "log_contents": {"thing": 1, "foo": "bar"}, "requestId": "no-request-id", "time": "2017-07-31T18:09:39", "application": "api", "logType": "application"}
when logging via stdout locally, it looks like this:
2017-07-31T18:11:31 api app INFO no-request-id "{'log_contents': {'foo': 'bar', 'thing': 1}, 'message': 'Logging configured'}" [in /Users/leohemsted/.virtualenvs/api/lib/python3.5/site-packages/notifications_utils
We can then use this later - saving an extra DB query on every client facing API call
- Note this doesn't affect admin calls which do not use the service from the api key, but use the one passed as part of the URL path.
There are three authentication methods:
- requires_no_auth - public endpoint that does not require an Authorisation header
- requires_auth - public endpoints that need an API key in the Authorisation header
- requires_admin_auth - private endpoint that requires an Authorisation header which contains the API key for the defined as the client admin user
We’ve seen quite a few developers encounter the `Invalid token: expired`
error message when they’re getting started using the Notify API. When
this happens they either raise a support ticket or ask for help on
Slack.
In every case this has been because the clock on their
machine/environment/container isn’t accurate. The error message doesn’t
help them figure this out.
This commit adds extra detail to the error message so they can fix the
problem without having to come to us for help.
