Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Return status code 401 for invalid tokens in API requests #19813

Merged
merged 28 commits into from Feb 3, 2023
Merged

Return status code 401 for invalid tokens in API requests #19813

merged 28 commits into from Feb 3, 2023

Conversation

peterhashair
Copy link
Contributor

@peterhashair peterhashair commented Oct 4, 2022
edited

Description:

Fixes: #18055

update the status code to 401 when an invalid token in API

Review

send respond 401 when invalid token provide
890fa05 
send respond 401 when invalid token provide
@peterhashair peterhashair changed the base branch from 4.x-dev to 5.x-dev October 5, 2022 08:19
Peter added 3 commits October 6, 2022 13:51
update status code
6ebea2c 
update status code
Merge branch '5.x-dev' into m18055
f69dda4 
# Conflicts:
#	CHANGELOG.md
update status code
bf7e830 
update status code
@peterhashair
Copy link
Contributor Author

peterhashair commented Oct 7, 2022
edited

Maybe the CHANGELOG wording needs an update.

@peterhashair peterhashair added this to the 5.0.0 milestone Oct 7, 2022
@peterhashair peterhashair added Needs Review PRs that need a code review and removed Needs Review PRs that need a code review labels Oct 7, 2022
@peterhashair peterhashair linked an issue Oct 13, 2022 that may be closed by this pull request
Request with invalid token_auth responds 200 OK #18055
Closed
Peter added 4 commits October 14, 2022 12:16
add tests
55320ab 
add tests
fix phpcs
4f0d19d 
fix phpcs
revert code format changes
86b4a22 
revert code format changes
add status code test on token invalid
1dfdab4 
add status code test on token invalid
@peterhashair
Copy link
Contributor Author

Maybe we don't need this change.

   if ($referrer && $matomoUrl && Url::isValidHost(Url::getHostFromUrl($referrer)) &&
                strpos($referrer, $matomoUrl) === 0
            ) {
                Common::sendResponseCode(440);

@peterhashair peterhashair added the Needs Review PRs that need a code review label Oct 19, 2022
@github-actions
Copy link
Contributor

This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers

@github-actions github-actions bot added the Stale The label used by the Close Stale Issues action label Oct 26, 2022
@peterhashair peterhashair removed the Stale The label used by the Close Stale Issues action label Oct 26, 2022
sgiehl
sgiehl requested changes Oct 28, 2022
View reviewed changes
Copy link
Member

@sgiehl sgiehl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe better give this one a new try. It can't / doesn't work the way it's implemented.

  • On the login page, the CSS fails to load, as it results in a 401 response
  • The 440 response code is actually a special IIS code, not sure if we should use it, as no one might expect it
  • Currently any method using one of the Access::check* methods might end up in a 401 response, which also affects the UI and not only API
  • You should not adjust the response code in Access class, as you can't know if exceptions thrown there, are not caught and ignored.

@sgiehl sgiehl removed the Needs Review PRs that need a code review label Oct 28, 2022
Peter added 2 commits November 1, 2022 10:08
revert access change Api responseBuillder
90f6c53 
revert access change Api responseBuillder
update tests
6f58ad4 
update tests
@peterhashair
Copy link
Contributor Author

@sgiehl yeah, removed from access.php. I tried another place that only affects API. I don't believe this is a perfect way, any suggestions?

@sgiehl
Copy link
Member

sgiehl commented Nov 2, 2022

Checking the trace for a certain method doesn't seem to be something we should consider doing. Isn't the method throwing a certain exception that can be checked for?

In general I guess my approach would have been to convert HttpCodeException to an interface, and let the NoAccessException implement it, so we can simply use the http code check that already exists.

@peterhashair
Copy link
Contributor Author

peterhashair commented Nov 3, 2022
edited

@sgiehl it seems like the HttpCodeException used a couple of places, convert to an interface maybe broken some other code. I saw we have used HttpCodeExceptionin a way below, could we NoAccessException extend HttpCodeException but has 401 in the __construct, like the current PR, will that cause any regression?

matomo/core/Http/BadRequestException.php

Lines 12 to 18 in 6b1fca2

class BadRequestException extends HttpCodeException
{
public function __construct($message)
{
parent::__construct($message, $code = 400);
}
}

@peterhashair peterhashair added Needs Review PRs that need a code review and removed Needs Review PRs that need a code review labels Nov 3, 2022
@github-actions github-actions bot added the Stale The label used by the Close Stale Issues action label Dec 19, 2022
sgiehl
sgiehl requested changes Dec 19, 2022
View reviewed changes
CHANGELOG.md Outdated Show resolved Hide resolved
update from 403 to 401
dcc2591 
update from 403 to 401
@peterhashair peterhashair removed the Stale The label used by the Close Stale Issues action label Dec 21, 2022
@github-actions
Copy link
Contributor

This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers

@github-actions github-actions bot added the Stale The label used by the Close Stale Issues action label Dec 29, 2022
@mattab mattab added the 5.0.0 label Jan 4, 2023
@bx80
Copy link
Contributor

bx80 commented Jan 16, 2023

@sgiehl Was the update to the changelog the only outstanding issue you had with this PR?

@bx80 bx80 removed the Stale The label used by the Close Stale Issues action label Jan 16, 2023
@sgiehl
Copy link
Member

sgiehl commented Jan 16, 2023

I think so. But we might still need to ensure that this change only affects those parts is was meant for.

@github-actions
Copy link
Contributor

This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers

@github-actions github-actions bot added the Stale The label used by the Close Stale Issues action label Jan 24, 2023
@bx80 bx80 changed the title update status code to 401 when invalid token in API Return a 401 error code for invalid tokens in API requests Feb 1, 2023
@bx80
Copy link
Contributor

bx80 commented Feb 1, 2023

@sgiehl I've fixed the integration test which now correctly checks for a 401 if an invalid token is used. All other access tests are passing. Can you give this a (hopefully) final review when you get a chance?

@bx80 bx80 requested a review from sgiehl February 1, 2023 22:26
@bx80 bx80 removed the Stale The label used by the Close Stale Issues action label Feb 1, 2023
sgiehl
sgiehl requested changes Feb 2, 2023
View reviewed changes
Copy link
Member

@sgiehl sgiehl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are some more changes needed

core/Exception/InvalidRequestParameterException.php Outdated Show resolved Hide resolved
core/NoAccessException.php Outdated Show resolved Hide resolved
core/NoAccessException.php Outdated Show resolved Hide resolved
core/Http/BadRequestException.php Outdated Show resolved Hide resolved
@bx80 bx80 requested a review from sgiehl February 3, 2023 01:55
@sgiehl sgiehl merged commit 8eb30ef into 5.x-dev Feb 3, 2023
@sgiehl sgiehl deleted the m18055 branch February 3, 2023 08:41
@sgiehl sgiehl changed the title Return a 401 error code for invalid tokens in API requests Return status code 401 for invalid tokens in API requests May 16, 2023
@sgiehl sgiehl mentioned this pull request Sep 25, 2023
Merged
11 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sgiehl sgiehl sgiehl approved these changes

Assignees
No one assigned
Labels
Needs Review PRs that need a code review
Projects
None yet
Milestone
5.0.0
Development

Successfully merging this pull request may close these issues.

Request with invalid token_auth responds 200 OK
4 participants
@peterhashair @sgiehl @bx80 @mattab