CognitoIDP - Handle login with unknown refresh-token gracefully (#5475)

2022-09-15 22:50:02 +00:00 · 2022-09-15 22:50:02 +00:00 · 837ad2cbb7
commit 837ad2cbb7
parent b07227b780
2 changed files with 50 additions and 0 deletions
--- a/moto/cognitoidp/models.py
+++ b/moto/cognitoidp/models.py
@ -579,6 +579,8 @@ class CognitoIdpUserPool(BaseModel):
        return access_token, expires_in
    def create_tokens_from_refresh_token(self, refresh_token):
        if self.refresh_tokens.get(refresh_token) is None:
            raise NotAuthorizedError(refresh_token)
        client_id, username = self.refresh_tokens.get(refresh_token)
        if not username:
            raise NotAuthorizedError(refresh_token)
--- a/tests/test_cognitoidp/test_cognitoidp_exceptions.py
+++ b/tests/test_cognitoidp/test_cognitoidp_exceptions.py
@ -0,0 +1,48 @@
 from unittest import TestCase
 import boto3
 from moto import mock_cognitoidp
 from botocore.exceptions import ClientError
@mock_cognitoidp
 class TestCognitoUserDeleter(TestCase):
    def setUp(self) -> None:
        self.client = boto3.client("cognito-idp", "us-east-1")
        self.pool_id = self.client.create_user_pool(PoolName="test")["UserPool"]["Id"]
        self.client_id = self.client.create_user_pool_client(
            UserPoolId=self.pool_id, ClientName="test-client"
        )["UserPoolClient"]["ClientId"]
    def test_authenticate_with_signed_out_user(self):
        self.client.admin_create_user(
            UserPoolId=self.pool_id, Username="foo", TemporaryPassword="bar"
        )
        self.client.admin_set_user_password(
            UserPoolId=self.pool_id, Username="foo", Password="bar", Permanent=True
        )
        response = self.client.admin_initiate_auth(
            UserPoolId=self.pool_id,
            ClientId=self.client_id,
            AuthFlow="ADMIN_USER_PASSWORD_AUTH",
            AuthParameters={"USERNAME": "foo", "PASSWORD": "bar"},
        )
        refresh_token = response["AuthenticationResult"]["RefreshToken"]
        self.client.admin_user_global_sign_out(UserPoolId=self.pool_id, Username="foo")
        with self.assertRaises(ClientError) as exc:
            self.client.admin_initiate_auth(
                UserPoolId=self.pool_id,
                ClientId=self.client_id,
                AuthFlow="REFRESH_TOKEN",
                AuthParameters={
                    "REFRESH_TOKEN": refresh_token,
                },
            )
        exc.exception.response["Error"]["Code"].should.equal("NotAuthorizedException")