Fix API endpoint: Return 401 when the token is missing #133
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The API returned a 500 code when the token was missing. I've changed it, and now it returns a 401 code. The change affects all endpoints.
I think we could make other changes:
struct Unauthorized
.routes.rs
.authenticate
function should also return a 401 response instead oftoken not valid
when the token is present but not valid.GET /api/torrent/:info_hash
endpoint should return a 404 when the torrent does not exist and the token is valid.GET /api/torrent/:info_hash
should return a 404 when the torrent does not exist and the token is invalid. See Insecure Direct Object References (IDOR)). We should not expose that the tracker has a given torrent because the tracker could be private.DELETE /api/whitelist/:info_hash
endpoint should return: a "204 No Content" when it deletes the torrent and a "404 Not Found" when the torrent does not exist or the token is invalid.POST /api/whitelist/:info_hash
endpoint should return a "201 Created" response with the location of the new resourceGET /api/whitelist/:info_hash
. In this case we would need to create that new endpoint. It could be empty. It could be used only to know if a torrent is whitelisted. Alternatively, we could consider the whitelist a unique resource and use aPUT /api/whitelist/:info_hash
to add a new torrent to the list.POST /api/key/:seconds_valid
endpoint should return a "201 Created".DELETE /api/key/:key
should should return "204 No Content".GET /api/whitelist/reload
endpoint should be aPOST
,PUT
orPATCH
. This endpoint is a little weird, it's like a remote command. I think I should have usePOST /api/commands
with the command you want to execute in the request body orPOST /api/reload-whitelist
.GET /api/keys/reload
@WarmBeer @da2ce7 do you think those changes make sense? If you do, should I make them now or postpone them?