New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Return status code 401 for invalid tokens in API requests #19813
Conversation
send respond 401 when invalid token provide
update status code
# Conflicts: # CHANGELOG.md
update status code
Maybe the CHANGELOG wording needs an update. |
revert code format changes
add status code test on token invalid
Maybe we don't need this change. if ($referrer && $matomoUrl && Url::isValidHost(Url::getHostFromUrl($referrer)) &&
strpos($referrer, $matomoUrl) === 0
) {
Common::sendResponseCode(440); |
This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe better give this one a new try. It can't / doesn't work the way it's implemented.
- On the login page, the CSS fails to load, as it results in a 401 response
- The 440 response code is actually a special IIS code, not sure if we should use it, as no one might expect it
- Currently any method using one of the
Access::check*
methods might end up in a 401 response, which also affects the UI and not only API - You should not adjust the response code in Access class, as you can't know if exceptions thrown there, are not caught and ignored.
revert access change Api responseBuillder
update tests
@sgiehl yeah, removed from |
Checking the trace for a certain method doesn't seem to be something we should consider doing. Isn't the method throwing a certain exception that can be checked for? In general I guess my approach would have been to convert |
@sgiehl it seems like the matomo/core/Http/BadRequestException.php Lines 12 to 18 in 6b1fca2
|
update from 403 to 401
This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers |
@sgiehl Was the update to the changelog the only outstanding issue you had with this PR? |
I think so. But we might still need to ensure that this change only affects those parts is was meant for. |
This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers |
@sgiehl I've fixed the integration test which now correctly checks for a 401 if an invalid token is used. All other access tests are passing. Can you give this a (hopefully) final review when you get a chance? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are some more changes needed
Description:
Fixes: #18055
update the status code to 401 when an invalid token in API
Review