API authentication vs authorization (401 vs 403)

Started by rheitman, April 15, 2022, 11:55:28 AM

I just figured out that the API responds with a 401 in the case where the authentication is fine (regarding key/secret) but API access hasn't been granted.

Easy to reproduce: just don't allow the user/group access to

Type    Name
GUI     System: Firmware

https://docs.opnsense.org/development/how-tos/api.html

=> the API responds with a 401 ({"status":401,"message":"Authentication Failed"})

That's IMHO not the best solution possible according to https://www.rfc-editor.org/rfc/rfc7235.html:

"A server that receives valid credentials that are not adequate to gain access ought to respond with the 403 (Forbidden) status code."
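The distinction the post draws, as an added example that is not OPNsense code: an API handler that first checks the key/secret (authentication) and only then checks the granted privileges (authorization), answering 401 with a WWW-Authenticate challenge for the first failure and 403 for the second, as RFC 7235 recommends. The `rfc7235=False` path reproduces the behaviour the post observed, where both failures look identical to the client. It assumes HTTP Basic credentials in the form `key:secret`; the credential table and the privilege names such as `page-system-firmware` are constructed placeholders, not real OPNsense ACL identifiers.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed credential store for the example: API key -> (sha256 of secret, granted privileges).
# Secrets are kept hashed so the table never holds the raw secret; privilege names are placeholders.
_CREDENTIALS = {
    "alice-key": (hashlib.sha256(b"alice-secret").hexdigest(),
                  {"page-system-firmware", "page-diagnostics-log"}),
    "bob-key":   (hashlib.sha256(b"bob-secret").hexdigest(),
                  {"page-diagnostics-log"}),
}

# RFC 7235: a 401 response MUST carry a WWW-Authenticate challenge.
_CHALLENGE = {"WWW-Authenticate": 'Basic realm="api"'}


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Return the API key when the Basic credentials are valid, otherwise None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[len("Basic "):], validate=True).decode()
        key, secret = decoded.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    stored = _CREDENTIALS.get(key)
    if stored is None:
        return None
    presented = hashlib.sha256(secret.encode()).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(presented, stored[0]):
        return None
    return key


def authorize(key: str, privilege: str) -> bool:
    """True when the already-authenticated key has been granted the privilege."""
    return privilege in _CREDENTIALS[key][1]


def handle(authorization: Optional[str], required_privilege: str,
           rfc7235: bool = True) -> Tuple[int, dict, dict]:
    """Return (status, json_body, extra_headers) for a request needing one privilege."""
    key = authenticate(authorization)
    if key is None:
        # Credentials missing or wrong: authentication failure.
        return 401, {"status": 401, "message": "Authentication Failed"}, dict(_CHALLENGE)
    if not authorize(key, required_privilege):
        if rfc7235:
            # Credentials valid but not adequate: authorization failure.
            return 403, {"status": 403, "message": "Forbidden"}, {}
        # Behaviour the post observed: the privilege problem is reported as a 401.
        return 401, {"status": 401, "message": "Authentication Failed"}, dict(_CHALLENGE)
    return 200, {"status": 200, "message": "ok"}, {}


def basic_header(key: str, secret: str) -> str:
    """Build the Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{key}:{secret}".encode()).decode()


if __name__ == "__main__":
    for who, hdr in [("alice, granted", basic_header("alice-key", "alice-secret")),
                     ("bob, not granted", basic_header("bob-key", "bob-secret")),
                     ("bob, wrong secret", basic_header("bob-key", "nope")),
                     ("no credentials", None)]:
        status, body, _ = handle(hdr, "page-system-firmware")
        print(f"{who:18s} -> {status} {body['message']}")
```

The practical difference for a client: a 401 tells it to retry with different credentials, while a 403 tells it the credentials are right and the account simply lacks the privilege, so retrying is pointless and the fix is an ACL change.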