PowerDNS/weakforced

[BUG] incorrect HTTP response (404) on ACL fail in wforce 2.6.1 (should be 401)

sshipway opened this issue · 2 comments

Describe the bug
When weakforced is queried by a host not in the ACL, it returns a 404 status. This should be either a 401, or else a 200 with an API failure status in the returned JSON (this was the behaviour under 2.4).

To Reproduce
Send a request to weakforced /?command=ping with the correct credentials, from a client not in the server ACL. Verify the response code.

curl -w " HTTP Status %{http_code}" -Ss1 -H "Authorization: Basic $AUTH" "http://$ENDPOINT:8084/?command=ping"

Expected behavior
Ideally, a 401 response with a JSON body containing a weakforced error.
Failing that, the same behaviour as in 2.4, which was a 200 response with a JSON-formatted error message.

Screenshots
n/a

OS (please complete the following information):

  • OS: CentOS
  • Version 7

Additional context
This was discovered because it broke our monitoring and unit tests after upgrading to 2.6.1

Standard REST behaviour would be a 401 response for ACL failure and also for authentication failure. An incorrect password does return a 401 status and JSON error in weakforced, as expected.

Yes, thanks for reporting this Steve, I will fix this in 2.6.2.

The behaviour will be the same as for authentication failure, i.e. 401 plus JSON error.
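
A monitoring check that tolerates all three behaviours discussed in this thread (200 with a JSON failure in 2.4, 404 in 2.6.1, 401 with a JSON error as planned for 2.6.2), as an added example that is not part of the issue or the weakforced code base. The function names and the `"status": "ok"` JSON field are assumptions, and the sample responses are constructed.

```python
import json

# Assumption: the JSON body carries a "status" field whose value is "ok" on
# success; the issue only says the body holds "an API failure status".
OK, DENIED, UNEXPECTED = "ok", "denied", "unexpected"


def _json_status(body):
    """Return the body's "status" value, or None if the body is not a JSON object."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None
    return doc.get("status") if isinstance(doc, dict) else None


def classify_ping(http_status, body):
    """Map one /?command=ping response to (state, detail)."""
    status = _json_status(body)
    if http_status == 200:
        if status == "ok":
            return OK, "ping answered"
        if status is not None:
            # 2.4 behaviour per the issue: 200 with a failure status in the JSON
            return DENIED, "200 with JSON status %r" % status
        return UNEXPECTED, "200 without a parsable JSON status"
    if http_status == 401:
        # Wrong password today; ACL failure too once the 2.6.2 fix lands
        return DENIED, "401 (authentication or ACL failure)"
    if http_status == 404:
        # 2.6.1 behaviour reported in the issue for a client outside the ACL
        return DENIED, "404 (2.6.1 ACL rejection, or a wrong path)"
    return UNEXPECTED, "HTTP %d" % http_status


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real server
    samples = [
        (200, '{"status": "ok"}'),
        (200, '{"status": "failure"}'),
        (401, '{"status": "failure"}'),
        (404, ""),
        (502, "<html>Bad Gateway</html>"),
    ]
    for code, body in samples:
        print(code, classify_ping(code, body))
```

Feed it the status code and body from the curl probe above; keeping 404 in the denied bucket lets the same check run unchanged across 2.4, 2.6.1 and 2.6.2 hosts.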