Traewelling / traewelling

Free check-in service to log your public transit journeys
https://traewelling.de
GNU Affero General Public License v3.0

API: /auth/login returns 400 when password is empty #95

Closed xanderio closed 4 years ago

xanderio commented 4 years ago

Describe the bug
When sending a request to the /auth/login endpoint with the password field being an empty string, it returns a 400 Bad Request.

To Reproduce
Steps to reproduce the behavior:

curl 'https://traewelling.de/api/v0/auth/login' -H 'content-type: application/json' --data-raw '{"email":"traewelling@example.com","password":""}'

  1. See HTTP status code

Expected behavior
Responds with 401 Unauthorized.

jeyemwey commented 4 years ago

400 Bad Request is the expected behaviour if you know the code (which is validating the input first and only then checks against the users table).

I would even argue that 400 fits better than 401 since it distinguishes a possible programming error by the API developer (in which no or an empty password is transferred) from a formally-correct request that accidentally contains bad user information.
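The two-stage ordering described above (validate the request shape first and answer 400, then check the credentials and answer 401) is easy to get wrong when both checks are folded into one branch. The following is an added illustration, not code from Traewelling; the user store, salt, hashing scheme and handler names are constructed assumptions, and the point it demonstrates is that a malformed body never reaches the credential check, while a well-formed body with wrong credentials gets a generic 401 that does not reveal whether the e-mail exists.

```python
import hashlib
import hmac
import json

# Constructed user store (assumption, not the project's schema):
# email -> (salt, PBKDF2-SHA256 hash of the password)
_SALT = b"constructed-static-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "traewelling@example.com": (_SALT, _hash_password("correct horse", _SALT)),
}

# Dummy hash of the same length so a missing account costs the same work
_DUMMY_HASH = b"\x00" * 32


def validate_login_body(raw: bytes):
    """Stage 1: is the request well-formed?

    Returns (errors, None) for a malformed body, or (None, (email, password)).
    """
    try:
        body = json.loads(raw)
    except ValueError:
        return {"body": "not valid JSON"}, None
    if not isinstance(body, dict):
        return {"body": "must be a JSON object"}, None
    errors = {}
    for field in ("email", "password"):
        value = body.get(field)
        # Missing, non-string and empty-string values are all shape errors,
        # i.e. a client-side programming mistake, not a failed login
        if not isinstance(value, str) or value == "":
            errors[field] = "required non-empty string"
    if errors:
        return errors, None
    return None, (body["email"], body["password"])


def login(raw_body: bytes):
    """Hypothetical /auth/login handler; returns (http_status, json_payload)."""
    errors, creds = validate_login_body(raw_body)
    if errors:
        # Malformed request: 400, with field-level detail for the API developer
        return 400, {"errors": errors}

    email, password = creds
    record = USERS.get(email)
    # Stage 2: credential check. Hash even for unknown accounts so timing
    # does not distinguish "no such user" from "wrong password".
    salt, stored = record if record is not None else (_SALT, _DUMMY_HASH)
    candidate = _hash_password(password, salt)
    if record is None or not hmac.compare_digest(candidate, stored):
        # Well-formed but wrong credentials: generic 401, no detail
        return 401, {"error": "Unauthorized"}
    return 200, {"token": "constructed-session-token"}


if __name__ == "__main__":
    for body in (b'{"email":"traewelling@example.com","password":""}',
                 b'{"email":"traewelling@example.com","password":"wrong"}',
                 b'{"email":"traewelling@example.com","password":"correct horse"}'):
        print(body, "->", login(body))
```

The empty-password request from the bug report stops at stage 1 and gets 400 with a field error; the same request with any non-empty wrong password passes validation and gets the bare 401, which is the distinction the comment above draws.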

xanderio commented 4 years ago

Now that I think about it, both status codes are "correct" to use here, but 400 definitely sounds better with your reasoning.