add scope

id.saladeaula.digital/tests/routes/test_authorize.py

@@ -17,7 +17,7 @@ def test_authorize(
     http_api_proxy: HttpApiProxy,
     lambda_context: LambdaContext,
 ):
-    session_id = new_session(USER_ID)
+    session_id = new_session(USER_ID, 'read:users')
 
     r = app.lambda_handler(
         http_api_proxy(
@@ -27,7 +27,7 @@ def test_authorize(
                 'response_type': 'code',
                 'client_id': CLIENT_ID,
                 'redirect_uri': 'https://localhost/callback',
-                'scope': 'openid offline_access',
+                'scope': 'openid offline_access read:users',
                 'nonce': '123',
                 'state': '456',
             },
@@ -39,7 +39,6 @@ def test_authorize(
     )
 
     assert 'Location' in r['headers']
-    # print(r)
 
     r = dynamodb_persistence_layer.query(
         key_cond_expr='#pk = :pk',
@@ -55,6 +54,37 @@ def test_authorize(
     assert len(r['items']) == 3
 
 
+def test_unauthorized(
+    app,
+    seeds,
+    dynamodb_persistence_layer: DynamoDBPersistenceLayer,
+    http_api_proxy: HttpApiProxy,
+    lambda_context: LambdaContext,
+):
+    session_id = new_session(USER_ID, 'read:users')
+
+    r = app.lambda_handler(
+        http_api_proxy(
+            raw_path='/authorize',
+            method=HTTPMethod.GET,
+            query_string_parameters={
+                'response_type': 'code',
+                'client_id': CLIENT_ID,
+                'redirect_uri': 'https://localhost/callback',
+                'scope': 'openid email offline_access',
+                'nonce': '123',
+                'state': '456',
+            },
+            cookies=[
+                f'session_id={session_id}; HttpOnly; Secure',
+            ],
+        ),
+        lambda_context,
+    )
+
+    assert r['statusCode'] == HTTPStatus.UNAUTHORIZED
+
+
 def test_authorize_revoked(
     app,
     seeds,