JWT token authentication: Add sanity checks

amotl · amotl · commit 9c90fdc66b07 · 2026-03-03T10:50:23.000+01:00
diff --git a/src/crate/client/http.py b/src/crate/client/http.py
@@ -190,6 +190,12 @@ def request(
             if length is not None:
                 headers["Content-Length"] = str(length)
 
+        # Sanity checks.
+        if jwt_token is not None and username is not None:
+            raise ValueError(
+                "Either JWT tokens are accepted, or user credentials, but not both"
+            )
+
         # Authentication token
         if jwt_token is not None and "Authorization" not in headers:
             headers["Authorization"] = "Bearer %s" % jwt_token
diff --git a/tests/client/test_http.py b/tests/client/test_http.py
@@ -725,3 +725,15 @@ def test_credentials(serve_http):
             assert conn.client.jwt_token == jwt_token
             conn.client.sql("select 3;")
             assert server.SHARED["jwt_token"] == jwt_token
+
+
+def test_credentials_and_token(serve_http):
+    """
+    Verify exception when user provides both credentials and token.
+    """
+    with serve_http(SharedStateRequestHandler) as (server, url):
+        with pytest.raises(ProgrammingError) as excinfo:
+            connect(url, username="foo", jwt_token="bar")
+        assert excinfo.match(
+            "Either JWT tokens are accepted, or user credentials, but not both"
+        )
