Change response from 400 Bad Request to 403 Forbidden if accessKey/se…

…ssionToken have bad format

src/main/scala/com/ing/wbaa/rokku/sts/api/UserApi.scala

@@ -26,8 +26,13 @@ trait UserApi extends JwtToken {
   implicit val userGroup: RootJsonFormat[UserGroup] = jsonFormat(UserGroup, "value")
   implicit val userInfoJsonFormat: RootJsonFormat[UserInfoToReturn] = jsonFormat5(UserInfoToReturn)
 
-  def containsOnlyAlphanumeric(value: String): Boolean = {
-    value.matches("""^[\w\d]*$""")
+  def containsOnlyAlphanumeric(value: String, errorMessage: String)(inner: Route)(implicit id: RequestId): Route = {
+    if (value.matches("""^[\w\d]*$""")) {
+      inner
+    } else {
+      logger.warn(errorMessage)
+      complete(StatusCodes.Forbidden, errorMessage)
+    }
   }
 
   def isCredentialActive: Route = logRequestResult("debug") {
@@ -42,8 +47,8 @@ trait UserApi extends JwtToken {
 
             verifyInternalToken(bearerToken) {
               parameters("accessKey", "sessionToken".?) { (accessKey, sessionToken) =>
-                validate(containsOnlyAlphanumeric(accessKey), s"bad accessKey format=$accessKey") {
-                  validate(containsOnlyAlphanumeric(sessionToken getOrElse ""), s"bad sessionToken format=${sessionToken.get}") {
+                containsOnlyAlphanumeric(accessKey, s"bad accessKey format=$accessKey") {
+                  containsOnlyAlphanumeric(sessionToken getOrElse "", s"bad sessionToken format=${sessionToken.get}") {
 
                     onSuccess(isCredentialActive(AwsAccessKey(accessKey), sessionToken.map(AwsSessionToken))) {
                       case Some(userInfo) =>

src/test/scala/com/ing/wbaa/rokku/sts/api/UserApiTest.scala

@@ -3,7 +3,7 @@ package com.ing.wbaa.rokku.sts.api
 import akka.actor.ActorSystem
 import akka.http.scaladsl.model.StatusCodes
 import akka.http.scaladsl.model.headers.RawHeader
-import akka.http.scaladsl.server.{ MissingHeaderRejection, MalformedHeaderRejection, AuthorizationFailedRejection, MissingQueryParamRejection, ValidationRejection, Route }
+import akka.http.scaladsl.server.{ MissingHeaderRejection, MalformedHeaderRejection, AuthorizationFailedRejection, MissingQueryParamRejection, Route }
 import akka.http.scaladsl.testkit.ScalatestRouteTest
 import com.auth0.jwt.JWT
 import com.auth0.jwt.algorithms.Algorithm
@@ -102,22 +102,14 @@ class UserApiTest extends AnyWordSpec
       "check credential and return status bad request because the accessKey contains non-alphanumeric characters" in {
         Get(s"/isCredentialActive?accessKey=access-key!with@special*characters&sessionToken=session")
           .addHeader(RawHeader("Authorization", generateBearerToken())) ~> testRoute ~> check {
-            assert(rejection == ValidationRejection("bad accessKey format=access-key!with@special*characters"))
-          }
-        Get(s"/isCredentialActive?accessKey=access-key!with@special*characters&sessionToken=session")
-          .addHeader(RawHeader("Authorization", generateBearerToken())) ~> Route.seal(testRoute) ~> check {
-            assert(status == StatusCodes.BadRequest)
+            assert(status == StatusCodes.Forbidden)
           }
       }
 
       "check credential and return status bad request because the sessionToken contains non-alphanumeric characters" in {
         Get(s"/isCredentialActive?accessKey=access&sessionToken=session!with@special*characters")
           .addHeader(RawHeader("Authorization", generateBearerToken())) ~> testRoute ~> check {
-            assert(rejection == ValidationRejection("bad sessionToken format=session!with@special*characters"))
-          }
-        Get(s"/isCredentialActive?accessKey=access&sessionToken=session!with@special*characters")
-          .addHeader(RawHeader("Authorization", generateBearerToken())) ~> Route.seal(testRoute) ~> check {
-            assert(status == StatusCodes.BadRequest)
+            assert(status == StatusCodes.Forbidden)
           }
       }