Consider responding with a 401 instead of 404 on unauthenticated requests to `GET /api/:version/packages/npm/*package_name`
Opening this issue from investigating an intermittent user issue in which subsequent requests from GitLab CI either return 404s or 200s.
On further investigation, it appears that the server is actually intermittently rejecting the authentication on the 404 responses, which is very confusing.
At present, if an unauthenticated request is made to a private package in the package repository, the server responds with a 404.
This could be confusing to users, since they may assume that the package does not exist, rather than focus on the fact that the request is not authenticated.
I appreciate the reason for doing this is to hide the existence of private packages, but perhaps the logic should rather be:
- If the package is public and the request is unauthenticated, return a 200 response.
- If the request is unauthenticated, and the package is private or does not exist, return a 401, requesting authentication.
- If the request is authenticated, and the user has access, return a 200 response.
- If the request is authenticated, and the user either does not have access or the package does not exist, return a 404.
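To make the proposal concrete, here is the status-code policy above modelled as a pure function, alongside the current behaviour described in this issue, plus a check that neither policy lets an unauthenticated caller distinguish a private package from a missing one. This is an added illustration, not GitLab's code; the package registry, access table, user names and the `WWW-Authenticate` realm string are all constructed for the example.

```ruby
# Added illustration (not GitLab's code): the status-code policy proposed in
# this issue, modelled as a pure function, plus a check that an unauthenticated
# caller cannot tell a private package from a package that does not exist.

# Constructed sample registry: package name => visibility (nil => does not exist)
PACKAGES = {
  "left-pad"          => :public,
  "@acme/internal-ui" => :private
}.freeze

# Constructed access table: which authenticated users may read which private packages
ACCESS = {
  "alice" => ["@acme/internal-ui"]
}.freeze

# Proposed logic from the issue. `user` is nil for an unauthenticated request.
def proposed_status(package_name, user)
  visibility = PACKAGES[package_name]

  if user.nil?
    # Unauthenticated: public packages are readable; anything else asks for
    # credentials, so private and non-existent packages look identical.
    visibility == :public ? 200 : 401
  else
    return 200 if visibility == :public
    # Authenticated: "no access" and "does not exist" both collapse to 404.
    ACCESS.fetch(user, []).include?(package_name) ? 200 : 404
  end
end

# Current behaviour as described in the issue: an unauthenticated request for a
# private (or missing) package gets 404, which is easy to misread as "not found".
def current_status(package_name, user)
  visibility = PACKAGES[package_name]
  return 200 if visibility == :public
  return 404 if user.nil?
  ACCESS.fetch(user, []).include?(package_name) ? 200 : 404
end

# A 401 must carry a WWW-Authenticate challenge so the npm client knows to
# retry with credentials. The realm value here is a placeholder, not GitLab's.
def headers_for(status)
  status == 401 ? { "WWW-Authenticate" => 'Basic realm="placeholder-registry"' } : {}
end

# True when, under the given policy, an unauthenticated caller receives the same
# status for a private package as for one that does not exist at all.
def hides_existence?(policy)
  send(policy, "@acme/internal-ui", nil) == send(policy, "@acme/does-not-exist", nil)
end

if $PROGRAM_NAME == __FILE__
  [[nil, "left-pad"], [nil, "@acme/internal-ui"], ["alice", "@acme/internal-ui"],
   ["bob", "@acme/internal-ui"], ["alice", "@acme/does-not-exist"]].each do |user, pkg|
    puts "#{user || 'anonymous'} GET #{pkg}: " \
         "current=#{current_status(pkg, user)} proposed=#{proposed_status(pkg, user)}"
  end
  puts "proposed policy hides existence: #{hides_existence?(:proposed_status)}"
end
```

Running the script prints the status each caller would receive under both policies. The point the table makes is that the proposed logic keeps the enumeration-resistance property of the current one (private and non-existent packages are indistinguishable to an anonymous caller) while signalling to the client that the real problem is missing or rejected credentials rather than a missing package.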