node-oauth2-server
Replace UnauthorizedRequestError with InvalidRequestError
The UnauthorizedRequestError is not a standard error code. According to the reference in the comment, https://datatracker.ietf.org/doc/html/rfc6750#section-3.1, there is no unauthorized_request error.
UnauthorizedRequestError is used in the AuthenticateHandler to indicate that there was no token in the body or header. According to the spec it should be an InvalidRequestError, as the token is clearly a missing parameter.
The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed. The resource server SHOULD respond with the HTTP 400 (Bad Request) status code.
Thus, the correct error code for a missing token is 400 and not 401.
Hm but there is also
invalid_token The access token provided is expired, revoked, malformed, or invalid for other reasons. The resource SHOULD respond with the HTTP 401 (Unauthorized) status code. The client MAY request a new access token and retry the protected resource request.
I think the part "invalid for other reasons" is interpreted as "missing". However, I agree that simply missing the token is rather a bad request than the token being invalid. Especially from a machine perspective the distinction has to be precise. A token that does not exist cannot be valid or invalid.
Is there any discussion on this in the original repo? This would be a breaking change, right?
Also we need to identify the places in the code and tests to be updated accordingly.
// cc @jwerre @HappyZombies
Good argument, but this would also mean that we would not need UnauthorizedRequestError at all, but invalid_token with 401.
Both are good points. Just out of curiosity I've hit a couple of well-known APIs without an access token:
curl -I https://api.github.com/user
HTTP/2 401
curl -I https://api.stripe.com/v1/charges
HTTP/2 401
www-authenticate: Basic realm="Stripe"
curl -I https://api.twilio.com/2010-04-01/Accounts
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Twilio API"
I tested the three above-mentioned resource servers and only Stripe produced an RFC 6750 conformant response.
The return value of the resource server is:
{
"error": {
"message": "You did not provide an API key. You need to provide your API key in the Authorization header, using Bearer auth (e.g. 'Authorization: Bearer YOUR_SECRET_KEY'). See https://stripe.com/docs/api#authentication for details, or we can help at https://support.stripe.com/.",
"type": "invalid_request_error"
}
}
InvalidRequestError ^^
So it should be 401:invalid_request_error. Do you concur @jankapunkt @HappyZombies ?
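To make the mapping discussed in this thread concrete, here is an added example (not code from the node-oauth2-server project or from any of the commenters) of an RFC 6750 bearer-token check for a resource server. It extracts the token via the three transmission methods of section 2, maps a malformed header or multiple methods to invalid_request (400), maps an unknown token to invalid_token (401), and treats a missing token as invalid_request with a configurable status, because the thread itself proposes both 400 and 401 for that case. The request shape ({ headers, body, query }), the constructed token set, and the helper names are assumptions for the example.

```javascript
// Added example: RFC 6750 bearer token extraction and error mapping.
// Assumptions: a plain request object { headers, body, query } and a
// constructed in-memory token set stand in for the real framework and store.

// Constructed token store; a real server would consult its token model.
const VALID_TOKENS = new Set(['tok_constructed_valid']);

class OAuthError extends Error {
  constructor(code, status, description, includeErrorInChallenge = true) {
    super(description);
    this.code = code;       // RFC 6750 error code
    this.status = status;   // HTTP status the resource server responds with
    // RFC 6750 section 3.1: a request lacking any authentication information
    // SHOULD NOT receive an error code in the WWW-Authenticate challenge.
    this.includeErrorInChallenge = includeErrorInChallenge;
  }
}

// RFC 6750 section 2: header, form body, or query parameter.
function getBearerToken(req) {
  const found = [];
  const auth = req.headers && req.headers.authorization;
  if (auth) {
    const m = /^Bearer\s+(\S+)$/i.exec(auth);
    if (!m) throw new OAuthError('invalid_request', 400, 'Malformed Authorization header');
    found.push(m[1]);
  }
  if (req.body && req.body.access_token) found.push(req.body.access_token);
  if (req.query && req.query.access_token) found.push(req.query.access_token);

  // Section 3.1: more than one transmission method is invalid_request (400).
  if (found.length > 1) {
    throw new OAuthError('invalid_request', 400, 'Only one method may be used to transmit the access token');
  }
  return found[0]; // undefined when no token was sent
}

// Missing token -> invalid_request (the thread's replacement for the
// non-standard unauthorized_request); the status is a parameter because the
// thread argues for both 400 (spec wording) and 401 (observed APIs).
function authenticate(req, { missingTokenStatus = 400 } = {}) {
  const token = getBearerToken(req);
  if (token === undefined) {
    throw new OAuthError('invalid_request', missingTokenStatus, 'Missing access token', false);
  }
  if (!VALID_TOKENS.has(token)) {
    // invalid_token: expired, revoked, malformed, or otherwise invalid -> 401.
    throw new OAuthError('invalid_token', 401, 'The access token is invalid');
  }
  return { token };
}

// Section 3: the WWW-Authenticate challenge carries realm plus, where
// appropriate, error and error_description attributes. The JSON body format
// is not fixed by RFC 6750; this one mirrors the shape used by the error code.
function errorToResponse(err, realm = 'example') {
  let challenge = `Bearer realm="${realm}"`;
  if (err.includeErrorInChallenge) {
    challenge += `, error="${err.code}", error_description="${err.message}"`;
  }
  return {
    status: err.status,
    headers: { 'WWW-Authenticate': challenge },
    body: { error: err.code, error_description: err.message },
  };
}

// Wrapper returning either a success or an RFC 6750 error response.
function handle(req, opts) {
  try {
    return { status: 200, body: authenticate(req, opts) };
  } catch (err) {
    if (err instanceof OAuthError) return errorToResponse(err);
    throw err;
  }
}
```

Calling handle({ headers: {} }) yields a 400 invalid_request by default and 401 with { missingTokenStatus: 401 }, while handle({ headers: { authorization: 'Bearer nope' } }) yields 401 invalid_token; a request that sends the token in both the header and the query string is rejected as invalid_request regardless of token validity, which is the case the missing-token discussion tends to overlook.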