OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 22.1 Legacy Series »
  • API authentication vs authorization (401 vs 403)
« previous next »
  • Print
Pages: [1]

Author Topic: API authentication vs authorization (401 vs 403)  (Read 1169 times)

rheitman

  • Newbie
  • *
  • Posts: 1
  • Karma: 0
    • View Profile
API authentication vs authorization (401 vs 403)
« on: April 15, 2022, 11:55:28 am »
I just figured out, that the API responds with an 401 for the case the authentication is fine (regarding key/secret) but the API-Access hasn't been granted.

Easy to reproduce: just not allow the user/group access to
Type    Name
GUI    System: Firmware

https://docs.opnsense.org/development/how-tos/api.html

=> the API responds with an 401 ({"status":401,"message":"Authentication Failed"})

That's IMHO not the best solution possible according to https://www.rfc-editor.org/rfc/rfc7235.html:
Code: [Select]
A server that receives valid credentials that are not adequate to gain access ought to respond with the
403 (Forbidden) status code.


Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 22.1 Legacy Series »
  • API authentication vs authorization (401 vs 403)
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2