Closed
Description
If ACLs are enabled and an access token is not specified for the request and you make a PUT request to clone an ACL id, instead of getting a 403, Consul will first check to see if the ACL token exists and return a 404 if not.
I would expect that the security would be checked first as it is done with create or destroy.
For example, trying to destroy an invalid token:
"PUT /v1/acl/destroy/b9e6b84d HTTP/1.1" 403 17
But trying to clone an invalid token:
"PUT /v1/acl/clone/6e2acf0c HTTP/1.1" 404 20
An attacker could then try to brute-force an access token by issuing the clone request and logging all forbidden responses. Since ACL list provides a 403 error when you are not authorized, I believe the intent is to prevent the token list from being discovered.
This was tested against v0.5.2.
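To show the check ordering the report is about, here is an added Go example (not Consul's own code) that contrasts the reported lookup-before-authorization ordering with one that authorizes first, so that an unauthorized caller sees 403 regardless of whether the ID exists. The in-memory token store, the "management-token" value and the X-Consul-Token header are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Constructed in-memory stand-in for the ACL store; the ID is a made-up sample.
var tokenStore = map[string]bool{"6e2acf0c-0000-0000-0000-000000000000": true}

// isManagement is a hypothetical check for a privileged caller token.
func isManagement(token string) bool { return token == "management-token" }

// leakyClone mirrors the ordering the issue reports: the store is consulted
// before authorization, so 404 vs 403 reveals whether the ID exists.
func leakyClone(id, token string) int {
	if !tokenStore[id] {
		return http.StatusNotFound
	}
	if !isManagement(token) {
		return http.StatusForbidden
	}
	return http.StatusOK
}

// fixedClone authorizes first; an unauthorized caller gets 403 whether or not
// the ID exists, so the status code is no longer an existence oracle.
func fixedClone(id, token string) int {
	if !isManagement(token) {
		return http.StatusForbidden
	}
	if !tokenStore[id] {
		return http.StatusNotFound
	}
	return http.StatusOK
}

// cloneHandler serves PUT /v1/acl/clone/<id>, reading the caller token from
// an assumed X-Consul-Token header; decide is one of the two functions above.
func cloneHandler(decide func(id, token string) int) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		id := strings.TrimPrefix(r.URL.Path, "/v1/acl/clone/")
		w.WriteHeader(decide(id, r.Header.Get("X-Consul-Token")))
	}
}

func main() { // unauthenticated probe of an unknown ID: leaky 404, fixed 403
	fmt.Println(leakyClone("deadbeef", ""), fixedClone("deadbeef", ""))
}
```

The same ordering rule applies to any endpoint that takes a caller-supplied identifier: decide authorization before touching the store, and the response can only differ for callers who were allowed to learn the answer anyway.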
Activity
ryanuber commented on Jul 17, 2015
Definitely agreed - we should hide token existence from prying eyes. Thanks @gmr!
Changes ACL clone response to 403 if not authorized, or if token does…