Skip to content

Fail basic auth with wrong token on apis

Giorgenes Gelatti requested to merge fail-basic-auth-apis into master

What does this MR do?

When using basic auth in the API, the API will behave as if the authentication wasn't provided in case the provided token is not found. This is reflected in current specs that allow for public access even when the wrong token is provided.

I believe this to be an unexpected behavior for the user as they are not getting the correct error code upon failed authentication.

If the user provides an authentication method and the authentication doesn't match it should not behave as a public access.

For example, in the composer specs (https://gitlab.com/gitlab-org/gitlab/blob/ad7f54d109ad1806970484dcacaef55d0ade988f/spec/requests/api/composer_packages_spec.rb#L28), a token with value wrong is passed during tests and, even though the token is not found, the API behaves as a public access instead of throwing an authentication error on the invalid token.

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Giorgenes Gelatti

Merge request reports

Loading