def test_get_ctms_with_unknown_client_fails(example_contact, anon_client, test_token_settings, client_id_and_secret):
    """A correctly signed token whose ``sub`` names a non-existent API client is rejected.

    The token is minted with the same settings as a good one, so signature and
    expiry pass; only the client lookup fails. The HTTP body is the generic
    "Could not validate credentials" message (no hint about which check
    failed), while the precise reason is recorded in the ``auth_fail`` log
    field.
    """
    client_id = client_id_and_secret[0]
    # Prefix the real id so the name is well-formed but matches no record.
    unknown_subject = f"api_client:not_{client_id}"
    bearer = create_access_token({"sub": unknown_subject}, **test_token_settings)

    url = f"/ctms/{example_contact.email.email_id}"
    auth_headers = {"Authorization": f"Bearer {bearer}"}
    with capture_logs() as caplog:
        resp = anon_client.get(url, headers=auth_headers)

    assert resp.status_code == 401
    assert resp.json() == {"detail": "Could not validate credentials"}
    assert caplog[0]["auth_fail"] == "No client record"
def test_get_ctms_with_invalid_namespace_fails(example_contact, anon_client, test_token_settings, client_id_and_secret):
    """A correctly signed token whose ``sub`` uses an unknown namespace is rejected.

    The subject carries a real client id but under ``unknown:`` instead of
    ``api_client:``. As with the other credential failures, the response body
    is the generic "Could not validate credentials" message and the specific
    reason ("Bad namespace") only appears in the ``auth_fail`` log field.
    """
    client_id = client_id_and_secret[0]
    wrong_namespace_subject = f"unknown:{client_id}"
    bearer = create_access_token({"sub": wrong_namespace_subject}, **test_token_settings)

    url = f"/ctms/{example_contact.email.email_id}"
    auth_headers = {"Authorization": f"Bearer {bearer}"}
    with capture_logs() as caplog:
        resp = anon_client.get(url, headers=auth_headers)

    assert resp.status_code == 401
    assert resp.json() == {"detail": "Could not validate credentials"}
    assert caplog[0]["auth_fail"] == "Bad namespace"
def test_get_ctms_with_token(example_contact, anon_client, test_token_settings, client_id_and_secret):
    """A valid token for a known API client grants access to an authenticated endpoint.

    Also pins the JOSE header that ``create_access_token`` emits (HS256 / JWT).
    The header is read with ``get_unverified_headers``, i.e. without checking
    the signature: this only documents the token's shape, the server does the
    actual verification on the request.
    """
    client_id = client_id_and_secret[0]
    bearer = create_access_token({"sub": f"api_client:{client_id}"}, **test_token_settings)

    # Unverified read: asserts what the issuer put in the header, nothing more.
    expected_header = {"alg": "HS256", "typ": "JWT"}
    assert jwt.get_unverified_headers(bearer) == expected_header

    url = f"/ctms/{example_contact.email.email_id}"
    resp = anon_client.get(url, headers={"Authorization": f"Bearer {bearer}"})
    assert resp.status_code == 200
def test_get_ctms_with_expired_token_fails(example_contact, anon_client, test_token_settings, client_id_and_secret):
    """A token issued a day in the past is rejected as expired.

    ``now`` is pinned to 24h ago so that, with the test ``expires_delta``, the
    token is already past its expiry when presented (assumes that delta is
    shorter than a day — confirm in the fixture). Expiry and a bad signature
    share the same log reason, "No or bad token", and the same generic
    response body.
    """
    one_day_ago = datetime.now(timezone.utc) - timedelta(days=1)
    client_id = client_id_and_secret[0]
    bearer = create_access_token(
        {"sub": f"api_client:{client_id}"},
        **test_token_settings,
        now=one_day_ago,
    )

    url = f"/ctms/{example_contact.email.email_id}"
    auth_headers = {"Authorization": f"Bearer {bearer}"}
    with capture_logs() as caplog:
        resp = anon_client.get(url, headers=auth_headers)

    assert resp.status_code == 401
    assert resp.json() == {"detail": "Could not validate credentials"}
    assert caplog[0]["auth_fail"] == "No or bad token"
def test_get_ctms_with_invalid_token_fails(example_contact, anon_client, test_token_settings, client_id_and_secret):
    """A token signed with a different secret key is rejected.

    The secret used here stands in for the signing key of another deployment;
    the expiry matches the real test settings, so the signature check is the
    only thing that can fail. The response body is the generic credential
    error and the log carries "No or bad token", the same reason as expiry.
    """
    client_id = client_id_and_secret[0]
    foreign_secret = "secret_key_from_other_deploy"
    bearer = create_access_token(
        {"sub": f"api_client:{client_id}"},
        secret_key=foreign_secret,
        expires_delta=test_token_settings["expires_delta"],
    )

    url = f"/ctms/{example_contact.email.email_id}"
    auth_headers = {"Authorization": f"Bearer {bearer}"}
    with capture_logs() as caplog:
        resp = anon_client.get(url, headers=auth_headers)

    assert resp.status_code == 401
    assert resp.json() == {"detail": "Could not validate credentials"}
    assert caplog[0]["auth_fail"] == "No or bad token"
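def test_get_ctms_with_disabled_client_fails(dbsession, example_contact, anon_client, test_token_settings, client_id_and_secret):
    """A valid token for an API client that has been disabled is rejected.

    The token is minted *before* the client record is disabled, so this checks
    that ``enabled`` is consulted on every request rather than only at token
    issue time. Unlike the bad-token cases (401, generic message), a disabled
    client is reported with a distinct status (400) and message, and the log
    reason is "Client disabled".
    """
    client_id = client_id_and_secret[0]
    bearer = create_access_token({"sub": f"api_client:{client_id}"}, **test_token_settings)

    # Disable the client after the token exists; commit so the request handler
    # sees the change (presumably it uses its own session — confirm in conftest).
    api_client = get_api_client_by_id(dbsession, client_id)
    api_client.enabled = False
    dbsession.commit()

    url = f"/ctms/{example_contact.email.email_id}"
    auth_headers = {"Authorization": f"Bearer {bearer}"}
    with capture_logs() as caplog:
        resp = anon_client.get(url, headers=auth_headers)

    assert resp.status_code == 400
    assert resp.json() == {"detail": "API Client has been disabled"}
    assert caplog[0]["auth_fail"] == "Client disabled"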