Return 401 instead and fix some tests

amiedes · amiedes · commit 05acb01d3eac · 2021-07-22T13:39:33.000+02:00
diff --git a/lib/api/middlewares/authorization.js b/lib/api/middlewares/authorization.js
@@ -8,10 +8,14 @@ module.exports = function authorization (metadataBackend, forceToBeMaster = fals
         const { user } = res.locals;
         const credentials = getCredentialsFromRequest(req);
 
-        if (!userMatches(credentials, user) || !credentials.apiKeyToken) {
+        if (!userMatches(credentials, user)) {
             req.profiler.done('authorization');
 
             return next(new Error('permission denied'));
+        } else if (!credentials.apiKeyToken) {
+            req.profiler.done('authorization');
+
+            return next(new Error('unauthorized'));
         }
 
         res.locals.api_key = credentials.apiKeyToken;
diff --git a/lib/services/error-handler.js b/lib/services/error-handler.js
@@ -32,6 +32,8 @@ class ErrorHandler extends Error {
     getHttpStatus (httpStatus = 400) {
         if (this.message.includes('permission denied')) {
             return 403;
+        } else if (this.message.includes('unauthorized')) {
+            return 401;
         }
 
         return httpStatus;
diff --git a/test/acceptance/app-auth-test.js b/test/acceptance/app-auth-test.js
@@ -8,9 +8,9 @@ var assert = require('../support/assert');
 describe('app.auth', function () {
     var scenarios = [
         {
-            desc: 'no api key should fallback to default api key',
+            desc: 'no api key should return 401',
             url: '/api/v1/sql?q=SELECT%20*%20FROM%20untitle_table_4',
-            statusCode: 200
+            statusCode: 401
         },
         {
             desc: 'invalid api key should return 401',
@@ -35,12 +35,12 @@ describe('app.auth', function () {
         {
             desc: 'no api key should NOT allow insert in protected tables',
             url: "/api/v1/sql?q=INSERT%20INTO%20private_table%20(name)%20VALUES%20('RAMBO')",
-            statusCode: 403
+            statusCode: 401
         },
         {
             desc: 'no api key should NOT allow insert in public tables',
             url: "/api/v1/sql?q=INSERT%20INTO%20untitle_table_4%20(name)%20VALUES%20('RAMBO')",
-            statusCode: 403
+            statusCode: 401
         }
     ];
 

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,8 @@ class ErrorHandler extends Error {`
`32`	`32`	`getHttpStatus (httpStatus = 400) {`
`33`	`33`	`if (this.message.includes('permission denied')) {`
`34`	`34`	`return 403;`
	`35`	`+ } else if (this.message.includes('unauthorized')) {`
	`36`	`+ return 401;`
`35`	`37`	`}`
`36`	`38`
`37`	`39`	`return httpStatus;`
Original file line number	Diff line number	Diff line change
`@@ -8,9 +8,9 @@ var assert = require('../support/assert');`
`8`	`8`	`describe('app.auth', function () {`
`9`	`9`	`var scenarios = [`
`10`	`10`	`{`
`11`		`- desc: 'no api key should fallback to default api key',`
	`11`	`+ desc: 'no api key should return 401',`
`12`	`12`	`url: '/api/v1/sql?q=SELECT%20*%20FROM%20untitle_table_4',`
`13`		`- statusCode: 200`
	`13`	`+ statusCode: 401`
`14`	`14`	`},`
`15`	`15`	`{`
`16`	`16`	`desc: 'invalid api key should return 401',`
`@@ -35,12 +35,12 @@ describe('app.auth', function () {`
`35`	`35`	`{`
`36`	`36`	`desc: 'no api key should NOT allow insert in protected tables',`
`37`	`37`	`url: "/api/v1/sql?q=INSERT%20INTO%20private_table%20(name)%20VALUES%20('RAMBO')",`
`38`		`- statusCode: 403`
	`38`	`+ statusCode: 401`
`39`	`39`	`},`
`40`	`40`	`{`
`41`	`41`	`desc: 'no api key should NOT allow insert in public tables',`
`42`	`42`	`url: "/api/v1/sql?q=INSERT%20INTO%20untitle_table_4%20(name)%20VALUES%20('RAMBO')",`
`43`		`- statusCode: 403`
	`43`	`+ statusCode: 401`
`44`	`44`	`}`
`45`	`45`	`];`
`46`	`46`