♻️(frontend) following HTTP standards on auth

Return 401 Unauthorized for missing/invalid API keys (per RFC 7235);
403 is reserved for valid-but-forbidden credentials.

Signed-off-by: Stephan Meijer <me@stephanmeijer.com>
This commit is contained in:
Stephan Meijer
2025-07-04 11:57:06 +02:00
parent a9db392a61
commit cef2d274fc
3 changed files with 6 additions and 5 deletions


@@ -24,7 +24,7 @@ describe('Server Tests', () => {
.set('Origin', origin)
.set('Authorization', 'wrong-api-key');
expect(response.status).toBe(403);
expect(response.status).toBe(401);
expect(response.body).toStrictEqual({
error: 'Forbidden: Invalid API Key',
});
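Review bot: The new assertion expects status 401 while the body on the following lines is still checked as `error: 'Forbidden: Invalid API Key'`, so the test now pins a response whose status and message disagree. "Forbidden" is the reason phrase of 403, which the commit description reserves for valid-but-forbidden credentials; the message should follow the status, e.g. `error: 'Unauthorized: Invalid API Key'`. The same status/message mismatch is asserted in all three hunks of the second test file and originates in the `httpSecurity` hunk, whose new 401 line keeps the "Forbidden" text. Because the tests use `toStrictEqual`, the handler message and these expectations have to change together.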


@@ -21,7 +21,7 @@ import {
console.error = vi.fn();
describe('Server Tests', () => {
test('POST /api/convert with incorrect API key should responds with 403', async () => {
test('POST /api/convert with incorrect API key should responds with 401', async () => {
const app = initApp();
const response = await request(app)
@@ -29,7 +29,7 @@ describe('Server Tests', () => {
.set('Origin', origin)
.set('Authorization', 'wrong-api-key');
expect(response.status).toBe(403);
expect(response.status).toBe(401);
expect(response.body).toStrictEqual({
error: 'Forbidden: Invalid API Key',
});
@@ -44,7 +44,7 @@ describe('Server Tests', () => {
.set('Authorization', 'Bearer test-secret-api-key');
// Warning: Changing the authorization header to Bearer token format will break backend compatibility with this microservice.
expect(response.status).toBe(403);
expect(response.status).toBe(401);
expect(response.body).toStrictEqual({
error: 'Forbidden: Invalid API Key',
});
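Review bot: The renamed test title in the first hunk of this file, `should responds with 401`, carries the grammar slip over from the old title even though the line is rewritten; `'POST /api/convert with incorrect API key should respond with 401'` reads cleanly. The third hunk's comment about the Bearer format is unchanged and still accurate for the new assertion, since only the status code moves from 403 to 401. The enclosing `describe` block starts before the first hunk and continues past the last one.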


@@ -27,8 +27,9 @@ export const httpSecurity = (
// Secret API Key check
// Note: Changing this header to Bearer token format will break backend compatibility with this microservice.
const apiKey = req.headers['authorization'];
if (!apiKey || !VALID_API_KEYS.includes(apiKey)) {
res.status(403).json({ error: 'Forbidden: Invalid API Key' });
res.status(401).json({ error: 'Forbidden: Invalid API Key' });
return;
}
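Review bot: The new 401 response is sent without a `WWW-Authenticate` challenge, which RFC 7235 requires a server to include with every 401; without it the status is used as a bare "not authenticated" signal rather than the standard the commit description cites. If `res` is an Express response, a `res.set('WWW-Authenticate', '<challenge for this API-key scheme>')` before the `.status(401).json(...)` call would satisfy that, with the scheme name chosen to match the raw `Authorization` value the note above the check says must be preserved. The hunk header counts one more added line (`+27,9`) than is visible here, so the enclosing `if` may carry a further change beyond this view. Separately, the context line `VALID_API_KEYS.includes(apiKey)` compares keys with `===`, which returns as soon as a character differs; comparing equal-length buffers with `crypto.timingSafeEqual` would remove that timing dependence, though that line is not touched by this commit.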