Throw an error on invalid credentials

[meisterT]

When downloading data via the API, we determine the data to expose based on the user role.

Currently, if you pass incorrect credentials, we just fall back to public data. It would be better to fail hard to clearly indicate that credentials should be corrected.

[vmcj]

When downloading data via the API, we determine the data to expose based on the user role.

Currently, if you pass incorrect credentials, we just fall back to public data. It would be better to fail hard to clearly indicate that credentials should be corrected.

I'm not sure if I agree, in this specific case we could have tested against the /account endpoint and see if we had the needed access. It feels like a security flaw to acknowledge when people have the wrong credentials as depending on implementation this would open up for an user enumeration attack.

[eldering]

There is no enumeration attack: if you provide invalid an user/password combination then we can return a 401 error code. That only means that that user/password combination is invalid, not that the user exists.

I think I agree that returning a 401 is better than just falling back to public data.

[nickygerritsen]

When do you get this? If I use HTTPie to get an API endpoint with an invalid user, I get a HTTP/1.1 401 Unauthorized.

[vmcj]

When do you get this? If I use HTTPie to get an API endpoint with an invalid user, I get a HTTP/1.1 401 Unauthorized.

I think the case was for a situation where you don't authenticate at all and receive public data. @tuupke encountered this with Ansible for EUC IIRC.

[nickygerritsen]

But there is nothing we can do there, is there? You are allowed to get public data…

[meisterT]

@tuupke do you remember on which endpoint this happened?