Merge pull request #509 from akatsoulas/error-response-handling

fix: token error response handling
mozilla · Dec 27, 2023 · 74693ba · 74693ba
2 parents 89637ce + 48f8ece
commit 74693ba
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 27 deletions.
diff --git a/mozilla_django_oidc/auth.py b/mozilla_django_oidc/auth.py
@@ -15,6 +15,7 @@
 from josepy.jwk import JWK
 from josepy.jws import JWS, Header
 from requests.auth import HTTPBasicAuth
+from requests.exceptions import HTTPError
 
 from mozilla_django_oidc.utils import absolutify, import_from_settings
 
@@ -243,9 +244,24 @@ def get_token(self, payload):
             timeout=self.get_settings("OIDC_TIMEOUT", None),
             proxies=self.get_settings("OIDC_PROXY", None),
         )
-        response.raise_for_status()
+        self.raise_token_response_error(response)
         return response.json()
 
+    def raise_token_response_error(self, response):
+        """Raises :class:`HTTPError`, if one occurred.
+        as per: https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
+        """
+        # if there wasn't an error all is good
+        if response.status_code == 200:
+            return
+        # otherwise something is up...
+        http_error_msg = (
+            f"Get Token Error (url: {response.url}, "
+            f"status: {response.status_code}, "
+            f"body: {response.text})"
+        )
+        raise HTTPError(http_error_msg, response=response)
+
     def get_userinfo(self, access_token, id_token, payload):
         """Return user details dictionary. The id_token and payload are not used in
         the default implementation, but may be used when overriding this method"""

diff --git a/tests/test_auth.py b/tests/test_auth.py
@@ -3,19 +3,14 @@
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes, hmac
-from josepy.b64 import b64encode
-
 from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.core.exceptions import SuspiciousOperation
 from django.test import RequestFactory, TestCase, override_settings
 from django.utils.encoding import force_bytes, smart_str
+from josepy.b64 import b64encode
 
-from mozilla_django_oidc.auth import (
-    default_username_algo,
-    OIDCAuthenticationBackend,
-)
-
+from mozilla_django_oidc.auth import OIDCAuthenticationBackend, default_username_algo
 
 User = get_user_model()
 
@@ -61,7 +56,7 @@ def test_invalid_token(self, request_mock, token_mock):
             "email": "email@example.com",
         }
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "id_token",
             "accesss_token": "access_token",
@@ -239,7 +234,7 @@ def test_successful_authentication_existing_user_namespaced(
             "email": "email@example.com",
         }
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "id_token",
             "access_token": "access_granted",
@@ -288,7 +283,7 @@ def test_successful_authentication_existing_user(self, token_mock, request_mock)
             "email": "email@example.com",
         }
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "id_token",
             "access_token": "access_granted",
@@ -341,7 +336,7 @@ def test_successful_authentication_existing_user_upper_case(
             "email": "email@example.com",
         }
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "id_token",
             "access_token": "access_granted",
@@ -394,7 +389,7 @@ def test_failed_authentication_verify_claims(
         claims_response = {"nickname": "a_username", "email": "email@example.com"}
         get_json_mock.json.return_value = claims_response
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "id_token",
             "access_token": "access_granted",
@@ -445,7 +440,7 @@ def test_successful_authentication_new_user(
             "email": "email@example.com",
         }
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "id_token",
             "access_token": "access_granted",
@@ -505,7 +500,7 @@ def test_successful_authentication_basic_auth_token(self, token_mock, request_mo
             "email": "email@example.com",
         }
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "id_token",
             "access_token": "access_granted",
@@ -576,7 +571,7 @@ def test_jwt_decode_params(self, request_mock, jws_mock):
             "email": "email@example.com",
         }
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "token",
             "access_token": "access_token",
@@ -602,7 +597,7 @@ def test_jwt_decode_params_verify_false(self, request_mock, jws_mock):
             "email": "email@example.com",
         }
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "token",
             "access_token": "access_token",
@@ -642,7 +637,7 @@ def test_create_user_disabled(self, request_mock, jws_mock):
             "email": "email@example.com",
         }
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "id_token",
             "access_token": "access_granted",
@@ -666,7 +661,7 @@ def test_create_user_enabled(self, request_mock, jws_mock):
             "email": "email@example.com",
         }
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "id_token",
             "access_token": "access_granted",
@@ -695,7 +690,7 @@ def test_custom_username_algo(self, request_mock, jws_mock, algo_mock):
             "email": "email@example.com",
         }
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "id_token",
             "access_token": "access_granted",
@@ -725,7 +720,7 @@ def test_custom_username_algo_dotted_path(self, request_mock, jws_mock):
             "email": "email@example.com",
         }
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "id_token",
             "access_token": "access_granted",
@@ -757,7 +752,7 @@ def test_dotted_username_algo_callback_with_claims(self, request_mock, jws_mock)
             "domain": domain,
         }
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "id_token",
             "access_token": "access_granted",
@@ -785,7 +780,7 @@ def test_duplicate_emails_exact(self, request_mock, jws_mock):
             "email": "email@example.com",
         }
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "id_token",
             "access_token": "access_granted",
@@ -810,7 +805,7 @@ def test_duplicate_emails_case_mismatch(self, request_mock, jws_mock):
             "email": "email@example.com",
         }
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "id_token",
             "access_token": "access_granted",
@@ -844,7 +839,7 @@ def update_user(user, claims):
             "email": "email@example.com",
         }
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "id_token",
             "access_token": "access_granted",
@@ -882,7 +877,7 @@ def test_jwt_verify_sign_key(self, request_mock, jws_mock):
             "email": "email@example.com",
         }
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "token",
             "access_token": "access_token",
@@ -931,7 +926,7 @@ def test_jwt_verify_sign_key_calls(self, request_mock, jwk_mock, jws_mock):
             "email": "email@example.com",
         }
         request_mock.get.return_value = get_json_mock
-        post_json_mock = Mock()
+        post_json_mock = Mock(status_code=200)
         post_json_mock.json.return_value = {
             "id_token": "token",
             "access_token": "access_token",