From 2f82a9b6c210cde9b7bb9ca69aa3c7393624f93e Mon Sep 17 00:00:00 2001
From: notgitika
Date: Tue, 23 Jun 2026 16:14:09 -0400
Subject: [PATCH] fix(e2e): broaden CUSTOM_JWT rejection regex to match service response
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The harness-custom-jwt e2e test asserts that SigV4 invocations against a CUSTOM_JWT harness are rejected. The assertion regex did not account for the actual 403 message returned by the AgentCore service: "missing required audience claim." This occurs because the CLI auto-attaches a bearer token (via the managed OAuth credential) which lacks a standard JWT aud claim — the Cognito access_token uses client_id instead. The harness's HarnessAuthValidator.validateTokenAudience() rejects it with this message rather than the auth-type-mismatch message the regex expected. Broaden the regex to accept this valid rejection variant. The test's intent (SigV4/invalid-auth is rejected with 403) remains unchanged.
---
 e2e-tests/harness-custom-jwt.test.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/e2e-tests/harness-custom-jwt.test.ts b/e2e-tests/harness-custom-jwt.test.ts
index d81c94a32..bd60c26bb 100644
--- a/e2e-tests/harness-custom-jwt.test.ts
+++ b/e2e-tests/harness-custom-jwt.test.ts
@@ -34,7 +34,8 @@ import { afterAll, beforeAll, describe, expect, it } from 'vitest';
 const hasAws = hasAwsCredentials();
 const canRun = prereqs.npm && prereqs.git && hasAws;
 const region = process.env.AWS_REGION ?? 'us-east-1';
-const customJWTRejectMsgRegex = /configured for CUSTOM_JWT|[Aa]uthoriz(ation|er).*mismatch|different.*authorization/i;
+const customJWTRejectMsgRegex =
+ /configured for CUSTOM_JWT|[Aa]uthoriz(ation|er).*mismatch|different.*authorization|missing required audience claim/i;
 
 describe.sequential('e2e: harness with CUSTOM_JWT auth', () => {
 let testDir: string;
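Review bot: Adding `missing required audience claim` to `customJWTRejectMsgRegex` lets the rejection assertion pass on a bearer-token audience failure, so, going by the commit description (the CLI auto-attaches a managed OAuth token), the test may no longer show that a SigV4-only request is refused by a CUSTOM_JWT harness. If the auth-type check regressed while the audience check kept rejecting, this alternative would presumably still match and the test would stay green. Consider keeping the audience message in a separate pattern used only for the case where the token is attached, and asserting the auth-type mismatch on a request sent without it. At minimum, document the reason above the constant, e.g. `// 'missing required audience claim': CLI attaches a Cognito access token without aud, so the audience check can reject before the auth-type check`. The `[Aa]` class is redundant under the `/i` flag, and the assertions that use this regex sit outside the hunk, so whether the 403 status is checked alongside the message cannot be confirmed here.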