TykTechnologies / tyk

Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols

[TT-8675] Inconsistent status codes for some messages #3114

Open mcandre opened 4 years ago

mcandre commented 4 years ago

Branch/Environment/Version

Describe the bug

The response body

    {
        "error": "Authorization field missing"
    }

has different status codes, such as 400 and 401, in different parts of the codebase.

rossjones commented 3 years ago

I came to report the same error.

We've set up an instance checking JWT with rsa256/jwks, but missing Authorization headers are reported as 400 instead of 401.

In https://github.com/TykTechnologies/tyk/blob/d88e9a57baf1d85de449a09e03f0f5d34b341fbe/gateway/handler_error.go#L37 it has both:

    TykErrors[ErrAuthAuthorizationFieldMissing] = config.TykError{
        Message: "Authorization field missing",
        Code:    http.StatusUnauthorized,
    }

and

    TykErrors[ErrOAuthAuthorizationFieldMissing] = config.TykError{
        Message: "Authorization field missing",
        Code:    http.StatusBadRequest,
    }

Was this intentional or should I submit a PR?
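As an added example (not code from the Tyk repository), a small Go check over a constructed map shaped like the TykErrors entries quoted above: it flags every message that is emitted with more than one status code, which is the inconsistency this issue is about. The TykError type and the third sample entry are local stand-ins, not Tyk's own definitions.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
)

// TykError mirrors the shape of config.TykError as quoted in the issue
// (hypothetical local copy, not Tyk's own type).
type TykError struct {
	Message string
	Code    int
}

// Constructed sample: the two entries quoted from handler_error.go plus one
// made-up, consistent entry for contrast. Keys are the error identifiers.
var sampleErrors = map[string]TykError{
	"ErrAuthAuthorizationFieldMissing":  {Message: "Authorization field missing", Code: http.StatusUnauthorized},
	"ErrOAuthAuthorizationFieldMissing": {Message: "Authorization field missing", Code: http.StatusBadRequest},
	"ErrExampleConsistent":              {Message: "Example message (constructed)", Code: http.StatusForbidden},
}

// InconsistentCodes returns, for every message that is returned with more than
// one HTTP status code, the sorted list of distinct codes used for it.
func InconsistentCodes(errs map[string]TykError) map[string][]int {
	codesByMsg := map[string]map[int]bool{}
	for _, e := range errs {
		if codesByMsg[e.Message] == nil {
			codesByMsg[e.Message] = map[int]bool{}
		}
		codesByMsg[e.Message][e.Code] = true
	}
	out := map[string][]int{}
	for msg, set := range codesByMsg {
		if len(set) < 2 {
			continue // a single code per message is what clients can rely on
		}
		for c := range set {
			out[msg] = append(out[msg], c)
		}
		sort.Ints(out[msg])
	}
	return out
}

func main() {
	for msg, codes := range InconsistentCodes(sampleErrors) {
		fmt.Printf("%q is returned with codes %v\n", msg, codes)
	}
}
```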

christtyk commented 3 years ago

hey @buger can you confirm expected behaviour? @rossjones we'll gladly accept a PR 🚀 I'll defer to my colleague on expected behaviour

ca-simone-chiorazzo commented 1 year ago

Hi @christtyk @buger,

is there any update on this?

We're facing the same issue reported by @mcandre @rossjones.

We expect to have 401 in case of missing, malformed and invalid credentials. Returning 400 does not allow us to have an auto-detect mechanism on authentication failed.

andyo-tyk commented 1 year ago

Thanks everyone for raising these inconsistencies.

We're planning to perform a full review of HTTP error codes (and messages) later this year - but of course have to take into account the risks of breaking changes for users who have already integrated the existing response codes into their systems.

I'll leave this issue open - please add any other inconsistent (or even incorrect) codes/messages to the list so that we can pick them up when we bring this into delivery.

Thank you for supporting Tyk!