Return 401 for API requests with invalid Authorization headers #3626

Closed
sarayourfriend opened this issue Jan 4, 2024 · 0 comments · Fixed by #4126
Assignees: sarayourfriend
Labels: 🕹 aspect: interface (Concerns end-users' experience with the software) · ✨ goal: improvement (Improvement to an existing user-facing feature) · 🟨 priority: medium (Not blocking but should be addressed soon) · 🧱 stack: api (Related to the Django API)

Comments

@sarayourfriend (Collaborator)

Problem

The API automatically downgrades requests with invalid authentication details to an anonymous request. This has two problems:

  1. It does not give clear feedback to API users that their credentials are incorrect
  2. It can open up ways of bypassing anonymous rate limiting structures that exist before the API handles the request (these do not yet exist but will eventually)

Description

Requests where "Authorization" in requests.HEADERS and not request.auth should be rejected with a 401 response, with an explanation that authentication failed due to invalid credentials.

Additional context

Related to this issue to combine anonymous rate limiting from the frontend and API: https://github.com/WordPress/openverse-infrastructure/issues/746
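
The two behaviours the issue contrasts, modelled as an added example that is not Openverse code: `handle_downgrade` silently treats a request with bad credentials as anonymous, `handle_strict` returns 401 whenever an Authorization header is present but authentication fails. A toy edge rate limiter that only counts requests without an Authorization header stands in for the "anonymous rate limiting structures that exist before the API handles the request" and shows how the downgrade lets a client bypass it with a garbage token. The token store, the `Bearer` scheme, the header names, the `EdgeAnonLimiter` class and the 401 body text are all assumptions made for the example.

```python
"""Added example: 401 for invalid Authorization vs. silent downgrade to anonymous.

Not Openverse code. Token store, header layout and limiter are constructed here.
"""
from dataclasses import dataclass, field
import hmac

# Constructed, hypothetical token store: bearer token -> client id.
VALID_TOKENS = {"tok_alice_123": "alice"}


@dataclass
class Request:
    path: str
    headers: dict  # header names assumed canonicalised, e.g. "Authorization"
    client_ip: str


@dataclass
class Response:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)


def authenticate(request):
    """Return the client id for a valid 'Bearer <token>' header, else None."""
    auth = request.headers.get("Authorization")
    if not auth:
        return None
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    # Constant-time compare so a bad token does not leak prefix matches.
    for known, client in VALID_TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return client
    return None


def handle_downgrade(request):
    """Behaviour the issue describes: bad credentials become an anonymous request."""
    client = authenticate(request)
    return Response(200, {"as": client or "anonymous"})


def handle_strict(request):
    """Proposed behaviour: Authorization present but not authenticated -> 401."""
    client = authenticate(request)
    if "Authorization" in request.headers and client is None:
        return Response(
            401,
            {"detail": "Authentication failed: invalid credentials in Authorization header."},
            {"WWW-Authenticate": 'Bearer realm="api"'},
        )
    return Response(200, {"as": client or "anonymous"})


class EdgeAnonLimiter:
    """Toy per-IP limiter sitting in front of the API (assumed design).

    It skips anything carrying an Authorization header, trusting the API to
    apply per-client limits to authenticated traffic. That trust is exactly
    what the silent downgrade breaks.
    """

    def __init__(self, limit):
        self.limit = limit
        self.counts = {}

    def allow(self, request):
        if "Authorization" in request.headers:
            return True
        n = self.counts.get(request.client_ip, 0) + 1
        self.counts[request.client_ip] = n
        return n <= self.limit


def simulate(handler, limiter, headers, n):
    """Send n identical requests from one IP; return the status code of each."""
    statuses = []
    for _ in range(n):
        req = Request("/v1/images/", dict(headers), "203.0.113.7")  # constructed client
        if not limiter.allow(req):
            statuses.append(429)
            continue
        statuses.append(handler(req).status)
    return statuses


if __name__ == "__main__":
    bogus = {"Authorization": "Bearer not-a-real-token"}
    print("downgrade + bogus token:", simulate(handle_downgrade, EdgeAnonLimiter(3), bogus, 5))
    print("strict    + bogus token:", simulate(handle_strict, EdgeAnonLimiter(3), bogus, 5))
    print("no header at all       :", simulate(handle_strict, EdgeAnonLimiter(3), {}, 5))
```

With the downgrade, five requests carrying a bogus token all return 200 and the anonymous limiter never counts them; with the strict handler the same five requests return 401, so the edge can treat repeated 401s like anonymous traffic (or worse) instead of being bypassed. A request with no Authorization header at all is still served anonymously under both handlers, which is the distinction the issue asks for.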

@sarayourfriend sarayourfriend added 🟨 priority: medium Not blocking but should be addressed soon ✨ goal: improvement Improvement to an existing user-facing feature 🕹 aspect: interface Concerns end-users' experience with the software 🧱 stack: api Related to the Django API labels Jan 4, 2024
@openverse-bot openverse-bot moved this to 📋 Backlog in Openverse Backlog Jan 4, 2024
@openverse-bot openverse-bot moved this from 📋 Backlog to 🏗 In Progress in Openverse Backlog Jan 15, 2024
@zackkrida zackkrida moved this from 🏗 In Progress to 📅 To Do in Openverse Backlog Mar 18, 2024
@sarayourfriend sarayourfriend self-assigned this Apr 16, 2024
@sarayourfriend sarayourfriend moved this from 📅 To Do to 🏗 In Progress in Openverse Backlog Apr 16, 2024
@openverse-bot openverse-bot moved this from 🏗 In Progress to ✅ Done in Openverse Backlog Apr 30, 2024