| -rw-r--r-- | tests/test_gn_auth_auth_flow.py | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/tests/test_gn_auth_auth_flow.py b/tests/test_gn_auth_auth_flow.py
index ab26f10..6019443 100644
--- a/tests/test_gn_auth_auth_flow.py
+++ b/tests/test_gn_auth_auth_flow.py
@@ -77,3 +77,49 @@ class TestTokenGrant:
         assert requested <= granted, (
             f"Requested scopes {requested} not all in granted scopes {granted}"
         )
+
+
+# ---------------------------------------------------------------------------
+# POST /auth/token — rejected credentials
+# ---------------------------------------------------------------------------
+
+class TestTokenGrantRejection:
+    """Password grant with bad credentials must return 401."""
+
+    def test_wrong_password_returns_401(
+            self, gn_auth_url, http, oauth2_credentials):
+        email, _password, client_id, client_secret = oauth2_credentials
+        resp = http.post(
+            f"{gn_auth_url}/auth/token",
+            json={
+                "grant_type": "password",
+                "username": email,
+                "password": "definitely-not-the-right-password",
+                "scope": "profile group resource",
+                "client_id": client_id,
+                "client_secret": client_secret,
+            },
+            timeout=30,
+        )
+        assert resp.status_code == 401, (
+            f"Expected 401 for wrong password, got {resp.status_code}: {resp.text}"
+        )
+
+    def test_unknown_email_returns_401(
+            self, gn_auth_url, http, oauth2_credentials):
+        _email, password, client_id, client_secret = oauth2_credentials
+        resp = http.post(
+            f"{gn_auth_url}/auth/token",
+            json={
+                "grant_type": "password",
+                "username": "no-such-user@regression-tests.genenetwork.org",
+                "password": password,
+                "scope": "profile group resource",
+                "client_id": client_id,
+                "client_secret": client_secret,
+            },
+            timeout=30,
+        )
+        assert resp.status_code == 401, (
+            f"Expected 401 for unknown email, got {resp.status_code}: {resp.text}"
+        )
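Review bot: Both new tests stop at the status code, so nothing in TestTokenGrantRejection catches an account-enumeration leak where the wrong-password and unknown-email rejections differ in their error body; the two cases should additionally be asserted to be indistinguishable to the client. The request bodies in test_wrong_password_returns_401 and test_unknown_email_returns_401 differ only in username and password, so a small helper removes the duplication and makes that third assertion cheap. Comparing resp.json() whole assumes the error body carries no per-request fields such as a timestamp or request id; if it does, compare only the error fields. Separately, RFC 6749 §5.2 prescribes 400 with error=invalid_grant for bad resource-owner credentials and reserves 401 for failed client authentication, so if the 401 asserted here is deliberate for this server a one-line comment on the class docstring saying so would stop a later reviewer from "fixing" it.
```python
class TestTokenGrantRejection:
    """Password grant with bad credentials must return 401."""

    def _password_grant(self, gn_auth_url, http, username, password,
                        client_id, client_secret):
        """POST a password grant and return the raw response (no asserts)."""
        return http.post(
            f"{gn_auth_url}/auth/token",
            json={
                "grant_type": "password",
                "username": username,
                "password": password,
                "scope": "profile group resource",
                "client_id": client_id,
                "client_secret": client_secret,
            },
            timeout=30,
        )

    # … unchanged: test_wrong_password_returns_401, test_unknown_email_returns_401 …

    def test_rejection_does_not_reveal_account_existence(
            self, gn_auth_url, http, oauth2_credentials):
        email, password, client_id, client_secret = oauth2_credentials
        wrong_pw = self._password_grant(
            gn_auth_url, http, email, "definitely-not-the-right-password",
            client_id, client_secret)
        unknown = self._password_grant(
            gn_auth_url, http, "no-such-user@regression-tests.genenetwork.org",
            password, client_id, client_secret)
        assert wrong_pw.status_code == unknown.status_code == 401
        # Same error body for both: a client must not learn whether the email exists.
        assert wrong_pw.json() == unknown.json(), (
            f"Rejection bodies differ: {wrong_pw.text!r} vs {unknown.text!r}"
        )
```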
