Throw an error on invalid credentials #2479
Comments
I'm not sure if I agree, in this specific case we could have tested against the
There is no enumeration attack: if you provide an invalid user/password combination then we can return a 401 error code. That only means that that user/password combination is invalid, not that the user exists. I think I agree that returning a 401 is better than just falling back to public data.
When do you get this? If I use HTTPie to get an API endpoint with an invalid user, I get a
I think the case was for a situation where you don't authenticate at all and receive public data. @tuupke encountered this with Ansible for EUC IIRC.
But there is nothing we can do there, is there? You are allowed to get public data…
@tuupke do you remember on which endpoint this happened?
When downloading data via the API, we determine the data to expose based on the user role.
Currently, if you pass incorrect credentials, we just fall back to public data. It would be better to fail hard to clearly indicate that credentials should be corrected.
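The two behaviours discussed in this issue side by side, as an added example that is not the project's own code: one resolver silently degrades to the public role when the presented credentials are wrong (the current behaviour), the other returns the public role only when no credentials are presented at all and rejects any presented-but-invalid credentials with a 401. HTTP Basic authentication, the in-memory user store, the role names and the `Unauthorized` exception are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed user store (hypothetical, not the project's schema):
# username -> (salt, PBKDF2 hash of the password, role)
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT), "admin")}

# Dummy record so unknown users cost the same hashing time as known ones;
# the 401 then says only "this combination is invalid", never "this user exists".
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("", _DUMMY_SALT)


class Unauthorized(Exception):
    """Credentials were presented but did not verify: respond with HTTP 401."""


def parse_basic(auth_header: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an HTTP Basic header, or None if it is malformed."""
    scheme, _, blob = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_valid(user: str, password: str) -> bool:
    record = USERS.get(user)
    salt, stored, _ = record if record else (_DUMMY_SALT, _DUMMY_HASH, None)
    # Constant-time compare; always hash so timing does not leak user existence.
    matches = hmac.compare_digest(_hash(password, salt), stored)
    return matches and record is not None


def role_with_fallback(auth_header: Optional[str]) -> str:
    """Current behaviour described in the issue: wrong credentials quietly become 'public'."""
    creds = parse_basic(auth_header) if auth_header is not None else None
    if creds and credentials_valid(*creds):
        return USERS[creds[0]][2]
    return "public"  # a typo in a password looks identical to an anonymous request


def role_strict(auth_header: Optional[str]) -> str:
    """Proposed behaviour: anonymous -> 'public'; presented credentials must verify or 401."""
    if auth_header is None:
        return "public"  # nothing was presented, public data is allowed
    creds = parse_basic(auth_header)
    if creds is None or not credentials_valid(*creds):
        raise Unauthorized("invalid credentials")  # fail hard so the caller fixes them
    return USERS[creds[0]][2]


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value for a request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    print(role_with_fallback(basic_header("alice", "wrong")))  # public (silent downgrade)
    print(role_strict(None))                                    # public (truly anonymous)
    try:
        role_strict(basic_header("alice", "wrong"))
    except Unauthorized as exc:
        print("401:", exc)
```

The strict resolver distinguishes "no credentials" from "bad credentials" by whether an `Authorization` header was sent at all, which is the distinction the thread converges on: an unauthenticated request may still receive public data, while a malformed header, an unknown user or a wrong password all produce the same 401 without revealing which of the three it was.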