International-Data-Spaces-Association / ids-specification

The Dataspace Protocol is a set of specifications designed to facilitate interoperable data sharing between entities governed by usage control and based on Web technologies. These specifications define the schemas and protocols required for entities to publish data, negotiate Agreements, and access data in a data space
https://docs.internationaldataspaces.org/dataspace-protocol/
Apache License 2.0

Incorrect HTTP Response Status Code for Unauthorized Access #248

Open hqarawlus opened 4 months ago

hqarawlus commented 4 months ago

Hello,

I noticed an incorrect HTTP Response Status code being returned on the specification definition pages of Contract Negotiation and Transfer Process. The specifications define a return code 404 (Not Found) in case of Unauthorized Access. I am curious as to why this code was chosen instead of the widely known and used 401 (Unauthorized Access)?

Here are the snippets where I found the use of 404.

https://github.com/International-Data-Spaces-Association/ids-specification/blob/36960607a67793e3fc5089655102ac6d5b9b5445/negotiation/contract.negotiation.binding.https.md?plain=1#L80-L82

https://github.com/International-Data-Spaces-Association/ids-specification/blob/36960607a67793e3fc5089655102ac6d5b9b5445/transfer/transfer.process.binding.https.md?plain=1#L45-L47

Thanks in advance!

juliapampus commented 4 months ago

We've discussed that in the group some weeks ago. For security reasons, it is common practice to return a 404 instead of a 401 or 403 to avoid drawing conclusions about the existence or non-existence of a resource (negotiation, transfer).
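The anti-enumeration argument in this reply, shown as an added example (not code from the ids-specification repository or from any implementation of it): a leaky handler that distinguishes "does not exist" (404) from "exists but you are not the owner" (401/403) sits beside a uniform handler that collapses both cases into one response, plus a small probe that checks whether a non-owner can tell the two apart. The in-memory store, the DID-style participant identifiers, the negotiation ids and the simplified error-body fields are all constructed for the example and are not taken from the specification text.

```python
"""Uniform-error responder for a Dataspace Protocol style resource endpoint.

Added example, not code from the ids-specification repository. It models a
GET on /negotiations/{id} with a constructed in-memory store and a
hypothetical caller identity; only the status-code policy is being shown.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample store: negotiation id -> owning participant (assumed shape).
NEGOTIATIONS = {
    "urn:uuid:1111": "did:web:consumer-a.example",
    "urn:uuid:2222": "did:web:consumer-b.example",
}


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


def _error_body(status: int, reason: str) -> dict:
    # Simplified error document; the field set is an assumption, not the spec's exact schema.
    return {
        "@type": "dspace:ContractNegotiationError",
        "dspace:code": str(status),
        "dspace:reason": [reason],
    }


def get_negotiation_leaky(negotiation_id: str, caller: Optional[str]) -> Response:
    """Distinguishable errors: 404 when absent, 401/403 when the caller is not the owner.

    Because the status differs, an unauthenticated probe can enumerate which ids exist.
    """
    owner = NEGOTIATIONS.get(negotiation_id)
    if owner is None:
        return Response(404, _error_body(404, "not found"))
    if caller is None:
        return Response(401, _error_body(401, "authentication required"))
    if caller != owner:
        return Response(403, _error_body(403, "forbidden"))
    return Response(200, {"@type": "dspace:ContractNegotiation", "dspace:providerPid": negotiation_id})


def get_negotiation_uniform(negotiation_id: str, caller: Optional[str], masked_status: int = 404) -> Response:
    """Same decision, but 'absent' and 'not authorized' collapse into one identical response.

    Only the owner ever sees a different status. masked_status=404 is the choice the
    specification made; 400, as proposed later in this thread, works the same way.
    """
    owner = NEGOTIATIONS.get(negotiation_id)
    # The lookup runs on both paths, so the work done does not reveal existence either.
    authorized = owner is not None and caller == owner
    if not authorized:
        return Response(masked_status, _error_body(masked_status, "not found"))
    return Response(200, {"@type": "dspace:ContractNegotiation", "dspace:providerPid": negotiation_id})


def leaks_existence(handler: Callable[..., Response], caller: Optional[str] = None) -> bool:
    """True if the same non-owner caller gets different responses for an existing
    and a non-existing id, i.e. the endpoint can be used to enumerate ids."""
    existing = handler("urn:uuid:1111", caller)   # present, owned by consumer-a
    missing = handler("urn:uuid:9999", caller)    # never created
    return existing != missing


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_existence(get_negotiation_leaky))
    print("uniform handler leaks:", leaks_existence(get_negotiation_uniform))
```

The probe compares the whole response, not just the status: a masked 404 is only useful if the body, headers and (as far as practical) the response time are the same on the "absent" and "not authorized" paths, which is why the store lookup above happens before the authorization decision on both paths.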

hqarawlus commented 4 months ago

Thanks for the response. I believe however 404 is being misused here, since it is designed to specifically indicate that an endpoint does not exist. In this scenario, a more generic code (400 - Bad Request) should be returned whenever a certain criteria is not fulfilled in order to maintain the security level. Nevertheless, since the IDSA is working outside the defined HTTP standard codes here, it would be helpful to mention in the documentation that the standard is not being followed.