Fail basic auth with wrong token on apis
What does this MR do?
When using basic auth in the API, the API will behave as if the authentication wasn't provided in case the provided token is not found. This is reflected in current specs that allow for public access even when the wrong token is provided.
I believe this to be an unexpected behavior for the user as they are not getting the correct error code upon failed authentication.
If the user provides an authentication method and the authentication doesn't match, it should not behave as public access.
For example, in the composer specs (https://gitlab.com/gitlab-org/gitlab/blob/ad7f54d109ad1806970484dcacaef55d0ade988f/spec/requests/api/composer_packages_spec.rb#L28), a token with the value `wrong` is passed during tests and, even though the token is not found, the API behaves as public access instead of throwing an authentication error on the invalid token.
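To illustrate the difference between "no credentials presented" and "credentials presented but not found", here is a small added Ruby sketch of the two behaviours (example code written for this description, not GitLab's implementation; the token store, the `AuthError` class and the `respond` endpoint helper are constructed assumptions):

```ruby
require 'base64'

# Constructed sample token store (not GitLab's): token value => user name
TOKENS = { 'glpat-valid-example' => 'alice' }.freeze

class AuthError < StandardError; end # an API layer would map this to HTTP 401

# Parse "Authorization: Basic base64(user:password)"; returns [user, password] or nil
def basic_credentials(headers)
  header = headers['Authorization'] or return nil
  scheme, encoded = header.split(' ', 2)
  return nil unless scheme&.casecmp?('Basic') && encoded
  Base64.strict_decode64(encoded).split(':', 2)
rescue ArgumentError
  nil # malformed base64 is treated as no usable credentials here
end

# Behaviour this MR fixes: an unknown token yields nil, and the caller
# treats nil exactly like an anonymous (public) request.
def find_user_buggy(headers)
  creds = basic_credentials(headers) or return nil
  TOKENS[creds[1]] # nil when the token is not found => silently anonymous
end

# Fixed behaviour: credentials were presented, so a lookup miss is an
# authentication failure rather than the absence of authentication.
def find_user_fixed(headers)
  creds = basic_credentials(headers) or return nil # truly anonymous caller
  TOKENS.fetch(creds[1]) { raise AuthError, '401 Unauthorized: invalid token' }
end

# Simulated endpoint that serves a public view to anonymous callers.
def respond(headers, finder)
  user = send(finder, headers)
  [200, user ? "private view for #{user}" : 'public view']
rescue AuthError => e
  [401, e.message]
end

def basic_header(user, password)
  { 'Authorization' => "Basic #{Base64.strict_encode64("#{user}:#{password}")}" }
end
```

With a wrong token, `respond(basic_header('alice', 'wrong'), :find_user_buggy)` returns the public view, while `:find_user_fixed` returns 401.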
Screenshots
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content

Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done

Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team