pull master

Author: paulineribeyre

.secrets.baseline

@@ -131,5 +131,5 @@
     }
   ],
   "results": {},
-  "generated_at": "2026-02-27T21:39:45Z"
+  "generated_at": "2026-02-27T23:06:29Z"
 }

gen3workflow/routes/s3.py

@@ -166,10 +166,14 @@ async def s3_endpoint(path: str, request: Request):
     not support S3 endpoints with a path, such as the Minio-go S3 client.
     """
 
-    # because this endpoint is exposed at root, if the GET path is empty, assume the user is not
-    # trying to reach the S3 endpoint and redirect to the status endpoint instead
-    if request.method == "GET" and not path:
-        return await get_status(request)
+    # Because this endpoint is exposed at root, if the GET path is empty, the user may not be
+    # trying to reach the S3 endpoint: suggest using the status endpoint.
+    # "All buckets" listing requests also land here and are not supported, since users can only
+    # access their own bucket.
+    if request.method == "GET" and path in ("", "s3"):
+        err_msg = f"If you are using the S3 endpoint: 's3 ls' not supported, use 's3 ls s3://<your bucket>' instead. If you are trying to reach the Gen3-Workflow API, try '/_status'."
+        logger.error(err_msg)
+        raise HTTPException(HTTP_400_BAD_REQUEST, err_msg)
 
     # Extract the caller's access token from the request headers, and ensure the caller (user, or
     # client acting on behalf of the user) has access to the user's files.

tests/test_s3_endpoint.py

@@ -1,3 +1,4 @@
+import re
 import tempfile
 from unittest.mock import AsyncMock, patch
 
@@ -208,6 +209,21 @@ def test_s3_endpoint_wrong_bucket(s3_client, access_token_patcher, bucket_name):
         s3_client.list_objects(Bucket=bucket_name)
 
 
+@pytest.mark.parametrize("client", [{"get_url": True}], indirect=True)
+def test_s3_endpoint_list_buckets(s3_client):
+    """
+    Listing all the buckets the user can access is not supported, since users can only access
+    their own bucket.
+    """
+    with pytest.raises(
+        ClientError,
+        match=re.escape(
+            "An error occurred (400) when calling the ListBuckets operation: Bad Request"
+        ),
+    ):
+        s3_client.list_buckets()
+
+
 @pytest.mark.asyncio
 @pytest.mark.parametrize("path", ["s3", ""], ids=["s3 path", "root path"])
 async def test_s3_endpoint_with_bearer_token(client, path):
@@ -332,7 +348,7 @@ async def test_set_access_token_and_get_user_id_invalid_auth():
 def test_s3_upload_file(s3_client, access_token_patcher, multipart):
     """
     Test that the boto3 `upload_file` function works with the `/s3` endpoint, both for a small
-    file uploaded in 1 chunk and for a large file uploaded in multiple chunks.
+    file uploaded in 1 part and for a large file uploaded in multiple parts.
     """
     with patch(
         "gen3workflow.aws_utils.get_existing_kms_key_for_bucket",

tests/test_system.py

@@ -2,7 +2,7 @@
 
 
 @pytest.mark.asyncio
-@pytest.mark.parametrize("endpoint", ["/", "/_status", "/_status/"])
+@pytest.mark.parametrize("endpoint", ["/_status", "/_status/"])
 @pytest.mark.parametrize(
     "client",
     [