Throw "401 Unauthenticated" when authentication is provided but invalid#26572
Conversation
nickvergessen
added
bug
3. to review
|
Well the older the better so talk clients get a proper 401 instead of a 404 room not found when the token was revoked, but yeah master only for now |
E.g. with an AppToken that has been revoked Signed-off-by: Joas Schilling <[email protected]>
Signed-off-by: Joas Schilling <[email protected]>
nickvergessen
force-pushed
the
bugfix/noid/throw-401-when-authentication-is-provided-and-invalid
branch
from
82c2e8f to
4ed296d
Compare
Signed-off-by: Joas Schilling <[email protected]>
nickvergessen
deleted the
bugfix/noid/throw-401-when-authentication-is-provided-and-invalid
branch
|
Hey @nickvergessen @LukasReschke @ChristophWurst , this is a critical change: due to this PR, my API tests for the notes app are failing! The notes app provides an API for third-party apps. This is implemented using the Before this PR, the API has returned HTTP status code 401. After this PR, the API returns HTTP status code 403. This applies to both scenarios: a) a request without any authentication credentials and b) a request with invalid authentication credentials. Hence, this PR is a breaking change which definitely should not be backported! Furthermore, I'm unsure if this change was intended. The PR title is about throwing HTTP status code 401. But in fact, HTTP status code 403 is thrown now. Please give an advise if this change will be kept up, since I would have to inform the developers of third-party apps then. This should be also added to the pinned issue regarding critical changes. |
|
Just for the record, discussing this currently in the community chat. Talk also had failing integration tests, because it was using a user which didn't exist: nextcloud/spreed#5542 |
|
As requested in the chat, here is my test: Example run (failed): Here is the Thanks for having a look! |
|
Follow up in #26846 |
10 participants
E.g. with an AppToken that has been revoked