22.1 Legacy Series / API authentication vs authorization (401 vs 403)
« on: April 15, 2022, 11:55:28 am »
I just figured out that the API responds with a 401 in the case where the authentication is fine (regarding key/secret) but API access hasn't been granted.
Easy to reproduce: just not allow the user/group access to
Type Name
GUI System: Firmware
https://docs.opnsense.org/development/how-tos/api.html
=> the API responds with an 401 ({"status":401,"message":"Authentication Failed"})
That's IMHO not the best solution possible according to https://www.rfc-editor.org/rfc/rfc7235.html:
"A server that receives valid credentials that are not adequate to gain access ought to respond with the 403 (Forbidden) status code."
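The distinction the post makes (401 for failed authentication, 403 for valid credentials that lack the required privilege) is easy to get wrong when one check short-circuits the other. The following is an added illustrative request handler, not OPNsense's code and not a reproduction of its real user store, ACL names or routes: the credential table, the endpoint-to-privilege mapping and the route names are constructed sample data. It returns 401 with a WWW-Authenticate challenge only when the key/secret pair cannot be authenticated, and 403 when the pair is valid but the matching privilege has not been granted.

```python
import base64
import hmac

# Constructed sample credential store: API key -> (secret, granted privilege names).
# Hypothetical data for this example only, not OPNsense's user/group store.
USERS = {
    "key-alice": ("secret-alice", {"page-system-firmware"}),
    "key-bob": ("secret-bob", set()),  # authenticates fine, but no API access granted
}

# Constructed mapping of API paths to the privilege they require (illustrative names).
ENDPOINT_PRIVILEGE = {
    "/api/core/firmware/status": "page-system-firmware",
}

CHALLENGE = {"WWW-Authenticate": 'Basic realm="api"'}  # RFC 7235 requires this on 401


def basic_header(key, secret):
    """Build an HTTP Basic Authorization header for a key/secret pair."""
    token = base64.b64encode(f"{key}:{secret}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def _parse_basic(auth_header):
    """Return (key, secret) from a Basic header, or None if absent/malformed."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    key, secret = decoded.split(":", 1)
    return key, secret


def handle(path, headers):
    """Return (status, body, extra_headers) following RFC 7235 semantics.

    401: the request carries no usable credentials or the key/secret is wrong.
    403: the key/secret is valid but the user lacks the privilege for this path.
    """
    creds = _parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, {"status": 401, "message": "Authentication Failed"}, dict(CHALLENGE)

    key, secret = creds
    record = USERS.get(key)
    # Compare against a dummy of equal length when the key is unknown, so the
    # comparison cost does not reveal whether the key exists.
    expected = record[0] if record is not None else "x" * len(secret)
    authenticated = hmac.compare_digest(expected.encode("utf-8"), secret.encode("utf-8"))
    if record is None or not authenticated:
        return 401, {"status": 401, "message": "Authentication Failed"}, dict(CHALLENGE)

    required = ENDPOINT_PRIVILEGE.get(path)
    if required is None:
        return 404, {"status": 404, "message": "Not Found"}, {}

    # Authentication succeeded; now the authorization decision is a 403, not a 401.
    if required not in record[1]:
        return 403, {"status": 403, "message": "Forbidden"}, {}

    return 200, {"status": "ok"}, {}


if __name__ == "__main__":
    path = "/api/core/firmware/status"
    print(handle(path, {}))                                     # 401, no credentials
    print(handle(path, basic_header("key-alice", "wrong")))     # 401, bad secret
    print(handle(path, basic_header("key-bob", "secret-bob")))  # 403, not granted
    print(handle(path, basic_header("key-alice", "secret-alice")))  # 200
```

The ordering matters: the privilege lookup only runs after the credential check has passed, so a caller can never learn from a 403 that a guessed key was wrong, and a caller holding a valid key learns from a 403 that the problem is a missing grant rather than a credential issue, which is exactly the signal a client (or an operator reading the audit log) needs to fix the right thing.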