diff --git a/moto/cognitoidp/models.py b/moto/cognitoidp/models.py
index 6ee71cbc..7078583f 100644
--- a/moto/cognitoidp/models.py
+++ b/moto/cognitoidp/models.py
@@ -1066,5 +1066,7 @@ def find_region_by_value(key, value):
 if key == "access_token" and value in user_pool.access_tokens:
 return region
-
- return cognitoidp_backends.keys()[0]
+ # If we can't find the `client_id` or `access_token`, we just pass
+ # back a default backend region, which will raise the appropriate
+ # error message (e.g. NotAuthorized or NotFound).
+ return list(cognitoidp_backends)[0]
diff --git a/tests/test_cognitoidp/test_cognitoidp.py b/tests/test_cognitoidp/test_cognitoidp.py
index 54ee9528..c61be4aa 100644
--- a/tests/test_cognitoidp/test_cognitoidp.py
+++ b/tests/test_cognitoidp/test_cognitoidp.py
@@ -1840,6 +1840,31 @@ def test_admin_set_user_password():
 result["UserStatus"].should.equal("CONFIRMED")
+@mock_cognitoidp
+def test_change_password_with_invalid_token_raises_error():
+ client = boto3.client("cognito-idp", "us-west-2")
+ with pytest.raises(ClientError) as ex:
+ client.change_password(
+ AccessToken=str(uuid.uuid4()),
+ PreviousPassword="previous_password",
+ ProposedPassword="newer_password",
+ )
+ ex.value.response["Error"]["Code"].should.equal("NotAuthorizedException")
+
+
+@mock_cognitoidp
+def test_confirm_forgot_password_with_non_existent_client_id_raises_error():
+ client = boto3.client("cognito-idp", "us-west-2")
+ with pytest.raises(ClientError) as ex:
+ client.confirm_forgot_password(
+ ClientId="non-existent-client-id",
+ Username="not-existent-username",
+ ConfirmationCode=str(uuid.uuid4()),
+ Password=str(uuid.uuid4()),
+ )
+ ex.value.response["Error"]["Code"].should.equal("ResourceNotFoundException")
+
+
 # Test will retrieve public key from cognito.amazonaws.com/.well-known/jwks.json,
 # which isnt mocked in ServerMode
 if not settings.TEST_SERVER_MODE:
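Review bot: The new fallback `return list(cognitoidp_backends)[0]` hands back a valid-looking region for an `access_token` or `client_id` that matched nothing, so rejecting the unknown value depends entirely on each caller's backend method re-checking it. The added comment states that the default region "will raise the appropriate error", but nothing in this function enforces that; I would make the contract explicit, e.g. `# Fallback only: callers MUST still validate the token / client id against the returned backend.` The fallback also picks whichever key happens to come first, and `next(iter(cognitoidp_backends))` would return the same key without building a list. The body of `find_region_by_value` starts outside this hunk, so the earlier `client_id` branch is not visible here.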
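Review bot: Both new tests call the API on a freshly mocked account where no user pool exists, so they only show that the fallback region rejects unknown values when its backend is empty. The case that matters for the fallback is a populated default backend: adding `client.create_user_pool(PoolName=str(uuid.uuid4()))` before the `pytest.raises` block in each test would check that a random `AccessToken` or a non-existent `ClientId` is still refused when real pools are present. Only `change_password` and `confirm_forgot_password` are covered; other operations that resolve their region through the same lookup (if any) presumably rely on the same behaviour and are not exercised here.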