Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Throw "401 Unauthenticated" when authentication is provided but invalid #26572

Merged
merged 3 commits into from
Apr 27, 2021
Merged

Throw "401 Unauthenticated" when authentication is provided but invalid #26572

merged 3 commits into from
Apr 27, 2021

Conversation

nickvergessen
Copy link
Member

E.g. with an AppToken that has been revoked

@nickvergessen nickvergessen added this to the Nextcloud 22 milestone Apr 15, 2021
LukasReschke
LukasReschke approved these changes Apr 15, 2021
View reviewed changes
Copy link
Member

@LukasReschke LukasReschke left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems reasonable to me. Let's see what tests etc say :)

For master only - right?

@nickvergessen
Copy link
Member Author

Well the older the better so talk clients get a proper 401 instead of a 404 room not found when the token was revoked, but yeah master only for now

@nickvergessen
Throw "401 Unauthenticated" when authentication is provided but invalid
521bb30 
E.g. with an AppToken that has been revoked

Signed-off-by: Joas Schilling <coding@schilljs.com>
@nickvergessen
Fix Authentication test
4ed296d 
Signed-off-by: Joas Schilling <coding@schilljs.com>
@nickvergessen nickvergessen force-pushed the bugfix/noid/throw-401-when-authentication-is-provided-and-invalid branch from 82c2e8f to 4ed296d Compare April 22, 2021 13:36
@nickvergessen
Adjust integration test
83e10b7 
Signed-off-by: Joas Schilling <coding@schilljs.com>
@nickvergessen nickvergessen merged commit c52a026 into master Apr 27, 2021
@nickvergessen nickvergessen deleted the bugfix/noid/throw-401-when-authentication-is-provided-and-invalid branch April 27, 2021 12:37
@nickvergessen nickvergessen mentioned this pull request Apr 30, 2021
Merged
@korelstar
Copy link
Member

Hey @nickvergessen @LukasReschke @ChristophWurst , this is a critical change: due to this PR, my API tests for the notes app are failing!

The notes app provides an API for third-party apps. This is implemented using the OCP\AppFramework\ApiController. I have a test for this API which also tests an unauthorized request to the API.

Before this PR, the API has returned HTTP status code 401. After this PR, the API returns HTTP status code 403. This applies to both scenarios: a) a request without any authentication credentials and b) a request with invalid authentication credentials.

Hence, this PR is a breaking change which definitely should not be backported! Furthermore, I'm unsure if this change was intended. The PR title is about throwing HTTP status code 401. But in fact, HTTP status code 403 is thrown now.

Please give an advise if this change will be kept up, since I would have to inform the developers of third-party apps then. This should be also added to the pinned issue regarding critical changes.

@nickvergessen
Copy link
Member Author

Just for the record, discussing this currently in the community chat.

Talk also had failing integration tests, because it was using a user which didn't exist: nextcloud/spreed#5542

@korelstar
Copy link
Member

@nickvergessen

As requested in the chat, here is my test:

https://github.com/nextcloud/notes/blob/master/tests/api/CommonAPITest.php#L257-L261

Example run (failed):
https://github.com/nextcloud/notes/runs/2472476523
from GitHub Workflow:
https://github.com/nextcloud/notes/blob/master/.github/workflows/test.yml

Here is the ApiController which is tested: https://github.com/nextcloud/notes/blob/master/lib/Controller/NotesApiController.php

Thanks for having a look!

This was referenced Apr 30, 2021
Merged
Closed
@nickvergessen
Copy link
Member Author

Follow up in #26846

This was referenced Apr 30, 2021
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ChristophWurst ChristophWurst ChristophWurst approved these changes

@LukasReschke LukasReschke LukasReschke approved these changes

@rullzer rullzer Awaiting requested review from rullzer

Assignees
No one assigned
Labels
3. to review Waiting for reviews bug feature: authentication security
Projects
None yet
Milestone
Nextcloud 22
Development

Successfully merging this pull request may close these issues.
10 participants
@nickvergessen @korelstar @LukasReschke @ChristophWurst @stonerl @cjhille @ohdearaugustin @EdGeraghty @sephentos @TobjasR