authorClaude Sonnet 4.62026-06-15 17:38:00 +0000
committerFrederick Muriuki Muriithi2026-06-15 12:59:53 -0500
commit4265f8d9d788f3403160a0e270a5f6bc8ed61076 (patch)
treee9ece3f6956040d8e1eef49af1cf3ceae3a53c26
parent3ac89fabe4070b4c1343f93f4e2bca9d0e612cbc (diff)
tests: add TestTokenGrantRejection auth-flow tests
Test that POST /auth/token returns 401 when given a wrong password or
an unknown email address.
-rw-r--r--tests/test_gn_auth_auth_flow.py46
1 files changed, 46 insertions, 0 deletions
diff --git a/tests/test_gn_auth_auth_flow.py b/tests/test_gn_auth_auth_flow.py
index ab26f10..6019443 100644
--- a/tests/test_gn_auth_auth_flow.py
+++ b/tests/test_gn_auth_auth_flow.py
@@ -77,3 +77,49 @@ class TestTokenGrant:
         assert requested <= granted, (
             f"Requested scopes {requested} not all in granted scopes {granted}"
         )
+
+
+# ---------------------------------------------------------------------------
+# POST /auth/token — rejected credentials
+# ---------------------------------------------------------------------------
+
+class TestTokenGrantRejection:
+    """Password grant with bad credentials must return 401."""
+
+    def test_wrong_password_returns_401(
+            self, gn_auth_url, http, oauth2_credentials):
+        email, _password, client_id, client_secret = oauth2_credentials
+        resp = http.post(
+            f"{gn_auth_url}/auth/token",
+            json={
+                "grant_type": "password",
+                "username": email,
+                "password": "definitely-not-the-right-password",
+                "scope": "profile group resource",
+                "client_id": client_id,
+                "client_secret": client_secret,
+            },
+            timeout=30,
+        )
+        assert resp.status_code == 401, (
+            f"Expected 401 for wrong password, got {resp.status_code}: {resp.text}"
+        )
+
+    def test_unknown_email_returns_401(
+            self, gn_auth_url, http, oauth2_credentials):
+        _email, password, client_id, client_secret = oauth2_credentials
+        resp = http.post(
+            f"{gn_auth_url}/auth/token",
+            json={
+                "grant_type": "password",
+                "username": "no-such-user@regression-tests.genenetwork.org",
+                "password": password,
+                "scope": "profile group resource",
+                "client_id": client_id,
+                "client_secret": client_secret,
+            },
+            timeout=30,
+        )
+        assert resp.status_code == 401, (
+            f"Expected 401 for unknown email, got {resp.status_code}: {resp.text}"
+        )
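Review bot: Both new tests pin only the HTTP status, so a server that answers 401 yet still places a token in the body would pass; after each status assertion add `assert "access_token" not in resp.text, "rejected grant must not issue a token"` (lines 49–51 and 68–70). Since the point of the second test is that an unknown email is rejected the same way as a wrong password, a third assertion comparing the two error bodies (status and JSON `error` field, if the server emits one) would also catch account-enumeration regressions, which the status code alone does not. On style, the request dict is built twice with only `username`/`password` differing; a small module-level helper taking those two values and returning the payload would keep the two tests in step when the scope string or client fields change. The hunk's context lines (77–79 of the old file) belong to TestTokenGrant, whose body starts outside the hunk; TestTokenGrantRejection itself is fully contained.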