fix(SecurityMiddleware): return header to distinguish error type#58869
Conversation
Currently we return a 403 (Forbidden) when the password confirmation failed - which itself seems to be inappropriate as its basically a login failing so a 401 (not authorized) is more appropriate. This is especially a problem because APIs might return 403 internally for good reason (e.g. user missing permission) but 401 would not be a problem. But as this is a breaking change so my solution to be able to distinguish API error from password confirmation error is: Add a header inside the response that marks failed password confirmation `X-NC-Auth-NotConfirmed`. Signed-off-by: Ferdinand Thiessen <[email protected]>
|
/backport to stable32 |
|
/backport to stable33 |
|
/backport to stable33 |
|
In thread #58869, only a less-than-ideal error description is being criticized—not the occurrence of the error itself. Correct error messages are nice and helpful, but they don't resolve the underlying issue. If an error description is duplicated, please refer to a thread where the error has already been described. I can't find anything comparable that refers to the Nextcloud authorization problem described here, rather than authorization errors on external storage. That's a crucial distinction. Therefore, the error described HERE has definitely NOT been fixed. It's extremely demotivating when error messages are handled this way. |
Summary
Currently we return a 403 (Forbidden) when the password confirmation failed - which itself seems to be inappropriate as its basically a login failing so a 401 (not authorized) is more appropriate.
This is especially a problem because APIs might return 403 internally for good reason (e.g. user missing permission) but 401 would not be a problem.
But as this is a breaking change so my solution to be able to distinguish API error from password confirmation error is:
Add a header inside the response that marks failed password confirmation
X-NC-Auth-NotConfirmed.Checklist
3. to review, feature component)stable32)AI (if applicable)