Merge pull request #287 from alphagov/auth_headers_the_second

[#69911218] Fix malformed auth header message
alphagov · May 8, 2014 · 85175db · 85175db
2 parents 0e7aaad + 6571475
commit 85175db
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 2 deletions.
diff --git a/backdrop/write/api.py b/backdrop/write/api.py
@@ -238,7 +238,7 @@ def _validate_auth(data_set_config):
     try:
         auth_header = request.headers['Authorization']
     except KeyError:
-        abort(401, 'Authorization header missing.')
+        abort(401, 'Expected header of form: Authorization: Bearer <token>')
 
     if not auth_header_is_valid(data_set_config, auth_header):
         token = extract_bearer_token(auth_header)

diff --git a/features/steps/write_api.py b/features/steps/write_api.py
@@ -49,6 +49,22 @@ def step(context, http_method, path):
     )
 
 
+@when('I {http_method} to "{path}" with a malformed authorization header')
+def step(context, http_method, path):
+    assert http_method in ('POST', 'PUT'), "Only support POST, PUT"
+    http_function = {
+        'POST': context.client.post,
+        'PUT': context.client.put
+    }[http_method]
+
+    context.response = http_function(
+        path,
+        data=context.data_to_post,
+        content_type="application/json",
+        headers=_make_malformed_header_from_context(context),
+    )
+
+
 @when('I POST the file "{filename}" to "/{data_set_name}/upload"')
 def step(context, filename, data_set_name):
     context.data_set = data_set_name.replace('/', '')
@@ -114,3 +130,9 @@ def _make_headers_from_context(context):
     if context and 'bearer_token' in context:
         return [('Authorization', "Bearer %s" % context.bearer_token)]
     return []
+
+
+def _make_malformed_header_from_context(context):
+    if context and 'bearer_token' in context:
+        return [('Orthoriszation', "Bearer %s" % context.bearer_token)]
+    return []
diff --git a/features/write_api/access_control.feature b/features/write_api/access_control.feature
@@ -1,6 +1,6 @@
 @use_write_api_client
 Feature: access_control
-
+    @posting_things
     Scenario: unauthorized when posting with an incorrect token
         Given I have JSON data '[]'
           and I have a data_set named "some_data_set" with settings
@@ -12,3 +12,16 @@ Feature: access_control
          then I should get back a status of "401"
           and I should get a "WWW-Authenticate" header of "bearer"
           and I should get back the message "Unauthorized: Invalid bearer token "invalid-bearer-token""
+
+    @posting_things
+    Scenario: unauthorized when posting with a badly formed authorization header
+      Given I have JSON data '[]'
+        and I have a data_set named "some_data_set" with settings
+          | key        | value   |
+          | data_group | "group" |
+          | data_type  | "type"  |
+        and I use the bearer token for the data_set
+       when I POST to "/data/group/type" with a malformed authorization header
+       then I should get back a status of "401"
+        and I should get a "WWW-Authenticate" header of "bearer"
+        and I should get back the message "Expected header of form: Authorization: Bearer <token>"