appirio-tech / lc1-project

Core challenge engine for Serenity Project
MIT License

Service Authorization - Serve 401s instead of 400s #411

Closed gaitonde closed 9 years ago

gaitonde commented 10 years ago

@indytechcook - A couple leading questions -

Currently the Challenge service is responding to all the above w/ a 400. Ideally the service responds w/ a 401 when we don't detect a valid authorization. That way we can differentiate between errors and redirect the user to a login page when they are not logged in.

indytechcook commented 10 years ago

@gaitonde yes to all of those questions. Just 401 or would you like a custom message? Probably best if not so we don't give hints to hackers.

I actually prefer unauthorized requests to return a 404. Just the concept that you can't hack what doesn't exist.

gaitonde commented 10 years ago

I think GH also uses the returning of 404s approach. I like reducing the hackability, but it's really just security by obfuscation which really doesn't mean too much. It also causes more headaches in debugging.

I think we should go w/ a standard 401 w/ a simple "Unauthorized" message for now.

We can look at going w/ a 404 path later and apply across all of our APIs.
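The policy settled on above (401 with a plain "Unauthorized" body when no valid authorization is detected, 400 kept for malformed client input, and the "404 instead of 401" idea left as an explicit option), as an added JavaScript example that is not lc1-project code; it assumes a Bearer token scheme, lower-cased header keys, and a constructed token list in place of the service's real authentication.

```javascript
// Added example, not lc1-project code. Framework-agnostic so it runs stand-alone:
// the functions return { status, body } objects instead of writing to an HTTP response.

// Constructed sample credential for the example; a real service would validate
// the token against its identity provider instead of a hard-coded set.
const VALID_TOKENS = new Set(['constructed-token-abc']);

// Returns a denial response when no valid authorization is detected, or null when
// the request is authorized. `hideExistence` switches to the 404 variant discussed
// in the thread ("you can't hack what doesn't exist"); the default is 401.
function checkAuthorization(headers, options = {}) {
  const denied = options.hideExistence === true
    ? { status: 404, body: { message: 'Not Found' } }
    : { status: 401, body: { message: 'Unauthorized' } };

  const auth = headers['authorization']; // assumes header names are lower-cased
  if (!auth) return denied;                                  // no credentials at all
  const [scheme, token] = auth.split(' ');
  if (scheme !== 'Bearer' || !token) return denied;          // unrecognised credential format
  if (!VALID_TOKENS.has(token)) return denied;               // credentials present but not valid
  return null;
}

// A hypothetical create-challenge handler: authorization is checked first, and only
// then is the payload validated, so a 400 always means "bad input from a logged-in
// caller" and never "you are not logged in".
function handleCreateChallenge(headers, payload) {
  const authError = checkAuthorization(headers);
  if (authError) return authError;
  if (!payload || typeof payload.title !== 'string') {
    return { status: 400, body: { message: 'title is required' } };
  }
  return { status: 201, body: { id: 1, title: payload.title } };
}

// Client side: the whole point of the 401 is that only this status triggers the
// login redirect. Under the 404 variant the client cannot tell "not logged in"
// from "no such resource", which is the debugging headache raised in the thread.
function nextActionForClient(response) {
  if (response.status === 401) return 'redirect-to-login';
  if (response.status >= 400) return 'show-error';
  return 'proceed';
}
```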