Unauthorized keys return 401 #3135
Conversation
michel-laterman
added
enhancement
| @@ -167,7 +167,7 @@ func NewHTTPErrResp(err error) HTTPErrResp { | |||
| { | |||
| ErrAgentIdentity, | |||
| HTTPErrResp{ | |||
| http.StatusBadRequest, | |||
| http.StatusForbidden, | |||
There was a problem hiding this comment.
I'm pretty sure I changed all the relevant auth errors to return a 401 here.
However I think it makes sense to use a 403 instead of a 401 in this case where the API key does not match the requested agent. I've altered the openapi spec to include it as a return for the relevant endpoints
cc @joshdover
There was a problem hiding this comment.
Makes sense to me.
So IIUC if the key doesn't match it will be a 403 everything else will be 401.
If the key is not found, shouldn't we also return a 403 instead of a 401?
There was a problem hiding this comment.
If the key is not found, shouldn't we also return a
403instead of a401?
This would be an unauthorized case, right? So 401 would be fine.
| @@ -167,7 +167,7 @@ func NewHTTPErrResp(err error) HTTPErrResp { | |||
| { | |||
| ErrAgentIdentity, | |||
| HTTPErrResp{ | |||
| http.StatusBadRequest, | |||
| http.StatusForbidden, | |||
There was a problem hiding this comment.
If the key is not found, shouldn't we also return a
403instead of a401?
This would be an unauthorized case, right? So 401 would be fine.
Co-authored-by: Jaime Soriano Pastor <[email protected]>
|
I don't think so, the |
|
SonarQube Quality Gate
|
What is the problem this PR solves?
Any issues with the API key result in a 400 status code
How does this PR solve the problem?
Issues with API keys will result in a 401, or a 403 if the key does not match the agent.
Checklist
I have commented my code, particularly in hard-to-understand areasI have made corresponding change to the default configuration files./changelog/fragmentsusing the changelog toolRelated issues