cloudfoundry / log-cache

Archived: Now bundled in https://github.com/cloudfoundry/log-cache-release
Apache License 2.0

Meta endpoint: a response to invalid auth creds is HTTP-indistinguishable from a successful response #95

Open jpluscplusm opened 5 years ago

jpluscplusm commented 5 years ago

Providing an Authorization header containing invalid credentials to the meta API endpoint can't be distinguished from a successful request at the HTTP layer:

$ curl --write-out "\nhttp_code: %{http_code}\n" https://log-cache.[DOMAIN]/v1/meta -H "Accept:text/plain" -H'Authorization: invalid'
{"meta":{}}
http_code: 200

We're finding that this makes troubleshooting the consumption of log-cache by our adapter (https://github.com/alphagov/paas-log-cache-adapter, which provides a /metrics endpoint for prometheus) interesting.

Specifically, if a platform tenant misconfigures their credentials, then unless we assume that an empty meta response == "invalid creds", we can't provide them with a hint that they should check their credentials.

Is it possible to more clearly indicate the authentication failure, perhaps via an HTTP 4XX response?
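As an added illustration (not log-cache's own code), a hypothetical /v1/meta handler that answers 401 on bad credentials, beside the adapter-side check that can then tell "credentials rejected" apart from "nothing to report"; the token set and the realm string are constructed for the example.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample token set; a real auth proxy would validate against the oauth2 server.
var validTokens = map[string]bool{"bearer good-token": true}

// metaHandler is a hypothetical /v1/meta handler that rejects bad credentials
// with 401 instead of answering 200 with an empty {"meta":{}} body.
func metaHandler(w http.ResponseWriter, r *http.Request) {
	if !validTokens[strings.ToLower(r.Header.Get("Authorization"))] {
		w.Header().Set("WWW-Authenticate", `Bearer realm="log-cache"`)
		http.Error(w, "invalid or missing credentials", http.StatusUnauthorized)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]map[string]struct{}{"meta": {}})
}

// classify is the adapter-side reading of a meta response: a 4XX lets the tenant
// be told to check credentials, while an empty 200 body stays ambiguous.
func classify(status int, body []byte) string {
	if status == http.StatusUnauthorized || status == http.StatusForbidden {
		return "auth-failed"
	}
	if status != http.StatusOK {
		return "error"
	}
	var resp struct{ Meta map[string]json.RawMessage `json:"meta"` }
	if err := json.Unmarshal(body, &resp); err != nil {
		return "error"
	}
	if len(resp.Meta) == 0 {
		return "empty" // on a 200-only server this could also mean bad creds
	}
	return "ok"
}

// probe sends an in-process request with the given Authorization header.
func probe(auth string) (int, []byte) {
	req := httptest.NewRequest(http.MethodGet, "/v1/meta", nil)
	req.Header.Set("Authorization", auth)
	rec := httptest.NewRecorder()
	metaHandler(rec, req)
	return rec.Code, rec.Body.Bytes()
}
```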

cf-gitbot commented 5 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/161422542

The labels on this github issue will be updated when the story is started.

johannaratliff commented 5 years ago

@jpluscplusm I was assuming this was an issue against 404ing, but the 200 is surprising. Are you using the cf-auth-proxy pattern (you would have to write an equivalent auth proxy if not using a Cloud Foundry)? Because on invalid auth against an oauth2 server, our auth proxy would cause a 404, I believe, here.

jpluscplusm commented 4 years ago

Apologies, I'm no longer (and wasn't when you asked!) on the team managing the platform observing this problem.

Please close this issue if you'd like - I can't see me being able to update it with more info.