♻️(frontend) following HTTP standards on auth

Return 401 Unauthorized for missing/invalid API keys (per RFC 7235);
403 is reserved for valid-but-forbidden credentials.

Signed-off-by: Stephan Meijer <me@stephanmeijer.com>
This commit is contained in:
Stephan Meijer
2025-07-04 11:57:06 +02:00
parent a9db392a61
commit cef2d274fc
3 changed files with 6 additions and 5 deletions


@@ -24,7 +24,7 @@ describe('Server Tests', () => {
.set('Origin', origin) .set('Origin', origin)
.set('Authorization', 'wrong-api-key'); .set('Authorization', 'wrong-api-key');
expect(response.status).toBe(403); expect(response.status).toBe(401);
expect(response.body).toStrictEqual({ expect(response.body).toStrictEqual({
error: 'Forbidden: Invalid API Key', error: 'Forbidden: Invalid API Key',
}); });
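Review bot: The body assertion still expects `error: 'Forbidden: Invalid API Key'` although the status on the line above is now 401, so the response text describes a different failure than its status code and will mislead API clients and anyone reading logs. Change the middleware message together with the status and pin it here with `error: 'Unauthorized: Invalid API Key'`. The test body this assertion belongs to begins before the hunk.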


@@ -21,7 +21,7 @@ import {
console.error = vi.fn(); console.error = vi.fn();
describe('Server Tests', () => { describe('Server Tests', () => {
test('POST /api/convert with incorrect API key should responds with 403', async () => { test('POST /api/convert with incorrect API key should responds with 401', async () => {
const app = initApp(); const app = initApp();
const response = await request(app) const response = await request(app)
@@ -29,7 +29,7 @@ describe('Server Tests', () => {
.set('Origin', origin) .set('Origin', origin)
.set('Authorization', 'wrong-api-key'); .set('Authorization', 'wrong-api-key');
expect(response.status).toBe(403); expect(response.status).toBe(401);
expect(response.body).toStrictEqual({ expect(response.body).toStrictEqual({
error: 'Forbidden: Invalid API Key', error: 'Forbidden: Invalid API Key',
}); });
@@ -44,7 +44,7 @@ describe('Server Tests', () => {
.set('Authorization', 'Bearer test-secret-api-key'); .set('Authorization', 'Bearer test-secret-api-key');
// Warning: Changing the authorization header to Bearer token format will break backend compatibility with this microservice. // Warning: Changing the authorization header to Bearer token format will break backend compatibility with this microservice.
expect(response.status).toBe(403); expect(response.status).toBe(401);
expect(response.body).toStrictEqual({ expect(response.body).toStrictEqual({
error: 'Forbidden: Invalid API Key', error: 'Forbidden: Invalid API Key',
}); });
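Review bot: None of the three updated assertions checks for a `WWW-Authenticate` header, which RFC 7235 (the standard the commit message cites) requires on every 401 response, so these tests would also pass against a middleware that sends a bare 401 — and the visible middleware change does not appear to set one. Add `expect(response.headers['www-authenticate']).toBeDefined();` after each `toBe(401)`, or match the exact challenge once the middleware defines it, so the standard the commit invokes is actually enforced. The test title in the first hunk also still reads 'should responds with 401'; `should respond with 401` reads correctly. The describe block continues beyond these hunks.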


@@ -27,8 +27,9 @@ export const httpSecurity = (
// Secret API Key check // Secret API Key check
// Note: Changing this header to Bearer token format will break backend compatibility with this microservice. // Note: Changing this header to Bearer token format will break backend compatibility with this microservice.
const apiKey = req.headers['authorization']; const apiKey = req.headers['authorization'];
if (!apiKey || !VALID_API_KEYS.includes(apiKey)) { if (!apiKey || !VALID_API_KEYS.includes(apiKey)) {
res.status(403).json({ error: 'Forbidden: Invalid API Key' }); res.status(401).json({ error: 'Forbidden: Invalid API Key' });
return; return;
} }