API v4 does not return 401 Auth error when sending incorrect credentials but returns full public resource list instead for several endpoints
Summary
This is a serious regression from API v3.
When querying API v4 endpoints like /projects and /groups, which can return both authed-user-scoped and public items, the endpoint returns the full public list when incorrect authorization credentials are sent, instead of returning a 401 Unauthorized response!
This leads to very large paginated result sets with thousands of items, and an API client has no way of detecting that something went wrong.
The authentication method (OAuth vs. Personal Access Token) does not matter.
API v3 correctly returns a 401 Unauthorized response (see log output below).
Steps to reproduce
- Run: curl -I --header "Authorization: Bearer FALSE" https://gitlab.com/api/v4/projects
- Note the 200 OK status code and the X-Total-Pages header (see log output below)
What is the current bug behavior?
API v4 endpoint appears to fall back to “Anonymous” access and returns all public items just as if no authorization info was sent.
What is the expected correct behavior?
API v4 endpoint sends a 401 Unauthorized HTTP status code and error.
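Until the server side is fixed, a client can protect itself from silently consuming the anonymous list. The following is an added example (not code from this issue or from GitLab): it proves the token against /user, an endpoint with no anonymous form, before reading any paginated list, and additionally treats an implausibly large X-Total on a membership-scoped call as the fallback signature. The fake transport, the token value and the plausibility threshold are constructed for the example; the assumption that GET /user answers 401 to a bad token follows the v3 behaviour shown in the logs.

```python
# Added example: client-side guard against the anonymous fallback on API v4.
# Not the issue's or GitLab's code. The transport below is a constructed fake
# that reproduces the headers seen in the issue's log output.
from typing import Callable, Dict, List, Tuple

# Transport signature (assumed): (path, request_headers) -> (status, response_headers, json_body)
Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], object]]


class AuthFallbackError(Exception):
    """Raised when credentials were rejected, or silently ignored by the server."""


def _bearer(headers: Dict[str, str]) -> str:
    auth = headers.get("Authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else ""


def verify_token(transport: Transport, token: str) -> int:
    """Probe /user, which has no public variant, so a bad token surfaces as 401.

    Returns the authenticated user's id on success.
    """
    status, _, body = transport("/user", {"Authorization": f"Bearer {token}"})
    if status == 401:
        raise AuthFallbackError("token rejected by /user; refusing to read lists")
    if status != 200 or not isinstance(body, dict) or "id" not in body:
        raise AuthFallbackError(f"unexpected reply from /user: HTTP {status}")
    return int(body["id"])


def looks_like_public_list(resp_headers: Dict[str, str], max_expected_total: int) -> bool:
    """Second line of defence: GitLab's X-Total header on a membership-scoped
    call should be small; six figures means we were served the public list."""
    total = resp_headers.get("X-Total")
    return total is not None and total.isdigit() and int(total) > max_expected_total


def fetch_projects(transport: Transport, token: str, max_expected_total: int = 10_000) -> List[dict]:
    """Fetch /projects?membership=true only after the token is known to work."""
    verify_token(transport, token)
    headers = {"Authorization": f"Bearer {token}"}
    status, resp_headers, body = transport("/projects?membership=true", headers)
    if status != 200:
        raise AuthFallbackError(f"/projects returned HTTP {status}")
    if looks_like_public_list(resp_headers, max_expected_total):
        raise AuthFallbackError(f"X-Total={resp_headers['X-Total']}: public list, not ours")
    return list(body)  # type: ignore[arg-type]


VALID_TOKEN = "good-token"  # constructed value


def fake_v4_transport(path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], object]:
    """Constructed fake of the buggy v4 behaviour: /projects answers 200 with
    X-Total: 316599 (the value from the issue's log) whatever the token is,
    while /user honours the token."""
    authed = _bearer(headers) == VALID_TOKEN
    if path == "/user":
        if authed:
            return 200, {}, {"id": 42, "username": "alice"}
        return 401, {}, {"message": "401 Unauthorized"}
    if path.startswith("/projects"):
        if authed:
            return 200, {"X-Total": "3", "X-Total-Pages": "1"}, [{"id": 1}, {"id": 2}, {"id": 3}]
        return 200, {"X-Total": "316599", "X-Total-Pages": "15830"}, [{"id": n} for n in range(20)]
    return 404, {}, {"message": "404 Not Found"}


if __name__ == "__main__":
    print("own projects:", len(fetch_projects(fake_v4_transport, VALID_TOKEN)))
    try:
        fetch_projects(fake_v4_transport, "FALSE")
    except AuthFallbackError as err:
        print("blocked:", err)
```

The /user probe is the reliable check; the X-Total threshold only catches the case where the probe is skipped or the server changes again, so tune max_expected_total to the account's real project count rather than relying on it alone.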
Relevant logs and/or screenshots
API v4
$ curl -I --header "Authorization: Bearer FALSE" https://gitlab.com/api/v4/projects
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 27 Sep 2017 07:33:54 GMT
Content-Type: application/json
Content-Length: 10668
Cache-Control: max-age=0, private, must-revalidate
Etag: W/"11ab44341ace677846a9bf136b37cea3"
Link: <https://gitlab.com/api/v4/projects?archived=false&membership=false&order_by=created_at&owned=false&page=2&per_page=20&simple=false&sort=desc&starred=false&statistics=false&with_issues_enabled=false&with_merge_requests_enabled=false>; rel="next", <https://gitlab.com/api/v4/projects?archived=false&membership=false&order_by=created_at&owned=false&page=1&per_page=20&simple=false&sort=desc&starred=false&statistics=false&with_issues_enabled=false&with_merge_requests_enabled=false>; rel="first", <https://gitlab.com/api/v4/projects?archived=false&membership=false&order_by=created_at&owned=false&page=15830&per_page=20&simple=false&sort=desc&starred=false&statistics=false&with_issues_enabled=false&with_merge_requests_enabled=false>; rel="last"
Vary: Origin
X-Frame-Options: SAMEORIGIN
X-Next-Page: 2
X-Page: 1
X-Per-Page: 20
X-Prev-Page:
X-Request-Id: 18334aef-50dc-4ea8-972e-85e6d5207b1a
X-Runtime: 2.111566
X-Total: 316599
X-Total-Pages: 15830
Strict-Transport-Security: max-age=31536000
RateLimit-Limit: 600
RateLimit-Observed: 2
RateLimit-Remaining: 598
API v3
$ curl -I --header "Authorization: Bearer FALSE" https://gitlab.com/api/v3/projects
HTTP/1.1 401 Unauthorized
Server: nginx
Date: Wed, 27 Sep 2017 07:34:16 GMT
Content-Type: application/json
Content-Length: 30
Cache-Control: no-cache
Vary: Origin
X-Frame-Options: SAMEORIGIN
X-Request-Id: d35666a7-a31e-4997-91c2-d17dbe18c0ac
X-Runtime: 0.024779
RateLimit-Limit: 600
RateLimit-Observed: 3
RateLimit-Remaining: 597
Ping @DouweM