
Wrong HTTP response code from API for unauthorized request

Open · josecelano opened this issue 2 years ago · 1 comment

Request without token:

$ curl -i http://127.0.0.1:1212/api/torrents
HTTP/1.1 500 Internal Server Error
content-type: text/plain; charset=utf-8
content-length: 51
date: Wed, 10 Aug 2022 08:32:46 GMT

Unhandled rejection: Err { reason: "unauthorized" }

Request with token:

$ curl -i http://127.0.0.1:1212/api/torrents?token=MyAccessToken
HTTP/1.1 200 OK
content-type: application/json
content-length: 2
date: Wed, 10 Aug 2022 08:45:47 GMT

[]

I think the response code should be 401 for this endpoint.

NOTE for other endpoints: if knowing the resource URL implies getting info you should not have, then you should return 404 instead of 403 (Insecure Direct Object Reference, IDOR).

Links

  1. https://auth0.com/blog/forbidden-unauthorized-http-status-codes/
  2. https://enterprisecraftsmanship.com/posts/rest-api-response-codes-400-vs-500/

josecelano avatar Aug 10 '22 08:08 josecelano
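The status-code mapping argued for above, written out as an added, framework-free Rust example (not torrust-tracker's own code, which at the time used warp, whose "Unhandled rejection" text appears in the 500 body quoted in the report). It assumes a single admin token named `MyAccessToken` as in the report, plus an invented `ScopedToken` that may only see torrents it owns, and constructed infohash strings `aaaa`/`bbbb`; none of that is from the project. A missing or unknown token yields 401, and a torrent the caller either cannot see or that does not exist yields 404 in both cases, so the response cannot be used to tell "forbidden" apart from "absent".

```rust
use std::collections::HashMap;

/// Minimal HTTP-like response: status code and text body.
#[derive(Debug, PartialEq)]
pub struct Response {
    pub status: u16,
    pub body: String,
}

/// What a token is allowed to see. Assumed for this example only: an admin
/// token sees every torrent, a scoped token only the infohashes it owns.
pub enum Principal {
    Admin,
    Scoped(Vec<String>),
}

/// Token registry plus the torrents the tracker knows about.
pub struct Api {
    tokens: HashMap<String, Principal>,
    torrents: Vec<String>,
}

/// Extract `token=` from a raw query string such as `token=abc&x=1`.
/// An absent or empty value is treated as "no token presented".
pub fn token_from_query(query: &str) -> Option<&str> {
    query
        .split('&')
        .filter_map(|kv| kv.split_once('='))
        .find(|(k, _)| *k == "token")
        .map(|(_, v)| v)
        .filter(|v| !v.is_empty())
}

/// Compare without stopping at the first differing byte, so timing does not
/// reveal how long a correct prefix the attacker already has.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

fn can_see(principal: &Principal, infohash: &str) -> bool {
    match principal {
        Principal::Admin => true,
        Principal::Scoped(owned) => owned.iter().any(|h| h == infohash),
    }
}

impl Api {
    fn authenticate(&self, query: &str) -> Option<&Principal> {
        let presented = token_from_query(query)?;
        self.tokens
            .iter()
            .find(|(stored, _)| constant_time_eq(stored.as_bytes(), presented.as_bytes()))
            .map(|(_, p)| p)
    }

    /// Route a request; `path` is the URL path, `query` the raw query string.
    pub fn handle(&self, path: &str, query: &str) -> Response {
        // Authentication first: a missing or unknown token is the client's
        // failure to authenticate, so answer 401, never an unhandled 500.
        let principal = match self.authenticate(query) {
            Some(p) => p,
            None => return Response { status: 401, body: "unauthorized".into() },
        };

        match path {
            "/api/torrents" => {
                let visible: Vec<String> = self
                    .torrents
                    .iter()
                    .filter(|h| can_see(principal, h))
                    .map(|h| format!("\"{}\"", h))
                    .collect();
                Response { status: 200, body: format!("[{}]", visible.join(",")) }
            }
            rest if rest.starts_with("/api/torrent/") => {
                let infohash = &rest["/api/torrent/".len()..];
                let exists = self.torrents.iter().any(|h| h == infohash);
                // Same 404 whether the torrent is absent or merely hidden from
                // this caller, so infohashes cannot be enumerated via 403-vs-404.
                if exists && can_see(principal, infohash) {
                    Response { status: 200, body: format!("{{\"info_hash\":\"{}\"}}", infohash) }
                } else {
                    Response { status: 404, body: "not found".into() }
                }
            }
            _ => Response { status: 404, body: "not found".into() },
        }
    }
}

/// Constructed fixture for the example; the tokens and infohashes are invented.
pub fn sample_api() -> Api {
    let mut tokens = HashMap::new();
    tokens.insert("MyAccessToken".to_string(), Principal::Admin);
    tokens.insert("ScopedToken".to_string(), Principal::Scoped(vec!["aaaa".to_string()]));
    Api { tokens, torrents: vec!["aaaa".to_string(), "bbbb".to_string()] }
}

fn main() {
    let api = sample_api();
    println!("{:?}", api.handle("/api/torrents", ""));
    println!("{:?}", api.handle("/api/torrents", "token=MyAccessToken"));
    println!("{:?}", api.handle("/api/torrent/bbbb", "token=ScopedToken"));
}
```

The `curl -i` checks from the report map directly onto `handle("/api/torrents", "")` (expect 401) and `handle("/api/torrents", "token=MyAccessToken")` (expect 200); the scoped-token lookup of `bbbb` is the IDOR case from the note, where a 403 would have confirmed that `bbbb` exists.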

I think you're right, this should be returning a 401.

mickvandijke avatar Aug 10 '22 11:08 mickvandijke

Relates to https://github.com/torrust/torrust-tracker/issues/144

josecelano avatar Mar 13 '23 17:03 josecelano

I'm closing this issue as we should include this task in a comprehensive contract for the API v2.

josecelano avatar Mar 16 '23 08:03 josecelano