Not accurate error message for invalid authenticated requests

api/auth/center.go

@@ -144,7 +144,7 @@
 	if queryValues.Get(AmzAlgorithm) == "AWS4-HMAC-SHA256" {
 		creds := strings.Split(queryValues.Get(AmzCredential), "/")
 		if len(creds) != 5 || creds[4] != "aws4_request" {
-			return nil, fmt.Errorf("bad X-Amz-Credential")
+			return nil, s3errors.GetAPIError(s3errors.ErrCredMalformed)
 		}
 		authHdr = &authHeader{
 			AccessKeyID:  creds[0],
@@ -236,9 +236,9 @@
 		return nil, ErrNoAuthorizationHeader
 	}
 
-	submatches := c.postReg.GetSubmatches(MultipartFormValue(r, "x-amz-credential"))
+	submatches := c.postReg.GetSubmatches(MultipartFormValue(r, strings.ToLower(AmzCredential)))
 	if len(submatches) != 4 {
-		return nil, s3errors.GetAPIError(s3errors.ErrAuthorizationHeaderMalformed)
+		return nil, s3errors.GetAPIError(s3errors.ErrCredMalformed)
 	}
 
 	signatureDateTime, err := time.Parse("20060102T150405Z", MultipartFormValue(r, "x-amz-date"))

api/auth/signer/v4/v4.go

@@ -78,6 +78,8 @@
 	authHeaderSignatureElem = "Signature="
 	signatureQueryKey       = "X-Amz-Signature"
 
+	amzCredential = "X-Amz-Credential"
+
 	authHeaderPrefix = "AWS4-HMAC-SHA256"
 	timeFormat       = "20060102T150405Z"
 	shortTimeFormat  = "20060102"
@@ -597,7 +599,7 @@
 	ctx.credentialString = buildSigningScope(ctx.Region, ctx.ServiceName, ctx.Time)
 
 	if ctx.isPresign {
-		ctx.Query.Set("X-Amz-Credential", ctx.credValues.AccessKeyID+"/"+ctx.credentialString)
+		ctx.Query.Set(amzCredential, ctx.credValues.AccessKeyID+"/"+ctx.credentialString)
 	}
 }
 
@@ -747,7 +749,7 @@
 	ctx.Query.Del("X-Amz-Security-Token")
 	ctx.Query.Del("X-Amz-Date")
 	ctx.Query.Del("X-Amz-Expires")
-	ctx.Query.Del("X-Amz-Credential")
+	ctx.Query.Del(amzCredential)
 	ctx.Query.Del("X-Amz-SignedHeaders")
 }
 

api/user_auth.go

@@ -37,7 +37,8 @@ func AttachUserAuth(router *mux.Router, center auth.Center, log *zap.Logger) {
 					ctx = context.WithValue(r.Context(), AnonymousRequest, true)
 				} else {
 					log.Error("failed to pass authentication", zap.Error(err))
-					if _, ok := err.(s3errors.Error); !ok {
+					var s3err s3errors.Error
+					if !errors.As(err, &s3err) {
 						err = s3errors.GetAPIError(s3errors.ErrAccessDenied)
 					}
 					WriteErrorResponse(w, GetReqInfo(r.Context()), err)