| author | Claude Sonnet 4.6 | 2026-06-15 17:38:00 +0000 |
|---|---|---|
| committer | Frederick Muriuki Muriithi | 2026-06-15 12:59:53 -0500 |
| commit | 4265f8d9d788f3403160a0e270a5f6bc8ed61076 (patch) | |
| tree | e9ece3f6956040d8e1eef49af1cf3ceae3a53c26 /tests/test_gn_auth_auth_flow.py | |
| parent | 3ac89fabe4070b4c1343f93f4e2bca9d0e612cbc (diff) | |
| download | gn-integration-tests-4265f8d9d788f3403160a0e270a5f6bc8ed61076.tar.gz | |
tests: add TestTokenGrantRejection auth-flow tests
Test that POST /auth/token returns 401 when given a wrong password or an unknown email address.
Diffstat (limited to 'tests/test_gn_auth_auth_flow.py')
| -rw-r--r-- | tests/test_gn_auth_auth_flow.py | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/tests/test_gn_auth_auth_flow.py b/tests/test_gn_auth_auth_flow.py
index ab26f10..6019443 100644
--- a/tests/test_gn_auth_auth_flow.py
+++ b/tests/test_gn_auth_auth_flow.py
@@ -77,3 +77,49 @@ class TestTokenGrant:
 assert requested <= granted, (
 f"Requested scopes {requested} not all in granted scopes {granted}"
 )
+
+
+# ---------------------------------------------------------------------------
+# POST /auth/token — rejected credentials
+# ---------------------------------------------------------------------------
+
+class TestTokenGrantRejection:
+"""Password grant with bad credentials must return 401."""
+
+def test_wrong_password_returns_401(
+self, gn_auth_url, http, oauth2_credentials):
+email, _password, client_id, client_secret = oauth2_credentials
+resp = http.post(
+f"{gn_auth_url}/auth/token",
+json={
+"grant_type": "password",
+"username": email,
+"password": "definitely-not-the-right-password",
+"scope": "profile group resource",
+"client_id": client_id,
+"client_secret": client_secret,
+},
+timeout=30,
+)
+assert resp.status_code == 401, (
+f"Expected 401 for wrong password, got {resp.status_code}: {resp.text}"
+)
+
+def test_unknown_email_returns_401(
+self, gn_auth_url, http, oauth2_credentials):
+_email, password, client_id, client_secret = oauth2_credentials
+resp = http.post(
+f"{gn_auth_url}/auth/token",
+json={
+"grant_type": "password",
+"username": "no-such-user@regression-tests.genenetwork.org",
+"password": password,
+"scope": "profile group resource",
+"client_id": client_id,
+"client_secret": client_secret,
+},
+timeout=30,
+)
+assert resp.status_code == 401, (
+f"Expected 401 for unknown email, got {resp.status_code}: {resp.text}"
+)
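Review bot: The failure messages on `assert resp.status_code == 401, (...{resp.text})` in both new tests interpolate the whole response body into the test report, so if the grant unexpectedly succeeds the report (and any CI log that captures it) contains the issued access token; report only the status and, at most, the body's OAuth2 `error` field, guarded for non-JSON bodies. The two tests also differ only in which credential is swapped, so the request construction is worth factoring into a module-level helper that takes the field to override (sketch below); that keeps the scope string and timeout in one place and makes it natural to add the one assertion a credential-rejection suite is otherwise missing — that the wrong-password and unknown-email responses carry the same `error` code and description, so the endpoint does not reveal which accounts exist. Whether gn-auth currently returns identical bodies for the two cases is not visible here, and the `resp.json()` handling below assumes `http` is a requests session as `resp.text` and `json=` suggest, so both points need confirming against the server before being made strict. The hunk's three context lines belong to `TestTokenGrant`, whose body begins outside the hunk.
```python
def _password_grant(http, gn_auth_url, oauth2_credentials, **overrides):
    """POST a password grant built from the fixture credentials, with
    *overrides* replacing individual request fields (e.g. password=...)."""
    email, password, client_id, client_secret = oauth2_credentials
    body = {
        "grant_type": "password",
        "username": email,
        "password": password,
        "scope": "profile group resource",
        "client_id": client_id,
        "client_secret": client_secret,
    }
    body.update(overrides)
    return http.post(f"{gn_auth_url}/auth/token", json=body, timeout=30)


def _error_code(resp):
    """Return the OAuth2 `error` field of a JSON response, or None — never the raw body,
    which on an unexpected 200 would hold a token."""
    try:
        return resp.json().get("error")
    except ValueError:
        return None


class TestTokenGrantRejection:
    """Password grant with bad credentials must return 401."""

    def test_wrong_password_returns_401(
            self, gn_auth_url, http, oauth2_credentials):
        resp = _password_grant(http, gn_auth_url, oauth2_credentials,
                               password="definitely-not-the-right-password")
        assert resp.status_code == 401, (
            f"Expected 401 for wrong password, got {resp.status_code} "
            f"(error={_error_code(resp)!r})"
        )

    # … unchanged apart from the same rewrite: test_unknown_email_returns_401 …
```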
