Update tests for non-string service ID in auth layer

quis · quis · commit 1965c7b80b06 · 2026-02-26T18:19:28.000Z
Newer versions of PyJWT won’t let us created a token with a non-string
ISS field. To ensure we still handle the case where we receive such a
token, this adds an extra test that uses mocking to return the non-string
value to our auth checking.
diff --git a/tests/app/authentication/test_authentication.py b/tests/app/authentication/test_authentication.py
@@ -4,6 +4,7 @@
 import jwt
 import pytest
 from flask import g, request
+from jwt.exceptions import InvalidIssuerError, MissingRequiredClaimError
 from notifications_python_client.authentication import create_jwt_token
 
 from app import db
@@ -231,10 +232,9 @@ def test_decode_jwt_token_returns_error_with_no_secrets(client):
     assert exc.value.short_message == "Invalid token: API key not found"
 
 
-@pytest.mark.parametrize("service_id", ["not-a-valid-id", 1234])
-def test_requires_auth_should_not_allow_service_id_with_the_wrong_data_type(client, service_jwt_secret, service_id):
+def test_requires_auth_should_not_allow_service_id_which_is_not_uuid_string(client, service_jwt_secret):
     token = create_jwt_token(
-        client_id=service_id,
+        client_id="not-a-valid-id",
         secret=service_jwt_secret,
     )
 
@@ -244,6 +244,30 @@ def test_requires_auth_should_not_allow_service_id_with_the_wrong_data_type(clie
     assert exc.value.short_message == "Invalid token: service id is not the right data type"
 
 
+@pytest.mark.parametrize(
+    "exception",
+    (
+        # Possible exceptions which could be raised here:
+        # https://github.com/jpadilla/pyjwt/blob/b85050f1d444c6828bb4618ee764443b0a3f5d18/jwt/api_jwt.py#L560-L583
+        MissingRequiredClaimError,
+        InvalidIssuerError,
+    ),
+)
+def test_requires_auth_should_not_allow_non_string_service_id(client, sample_api_key, exception, mocker):
+    mocker.patch("notifications_python_client.authentication.decode_token", raises=exception)
+    token = create_jwt_token(
+        secret=str(sample_api_key.id),
+        client_id=str(sample_api_key.service_id),  # Our code never see this value
+    )
+
+    request.headers = {"Authorization": f"Bearer {token}"}
+    with pytest.raises(AuthError) as exc:
+        requires_auth()
+
+    # This is not a very helpful error message but the user would be having to try something weird to get here
+    assert exc.value.short_message == "Invalid token: iss field not provided"
+
+
 def test_requires_auth_returns_error_when_service_doesnt_exist(client, sample_api_key):
     # get service ID and secret the wrong way around
     token = create_jwt_token(
