Empty private-token for api call results in "404 Project Not Found"

Summary

If an empty "PRIVATE-TOKEN" is passed to gitlab api call to get a project, it returns "404 not found" Expectation is it returns "401 Unauthorized" same as what happens when you enter a wrong password.

Steps to reproduce

--> Test with a wrong API-key, we have a meaningful error message

D:>curl --request GET --header "PRIVATE-TOKEN: asdf" "https://gitlab.com/api/v4/projects/celal%2Esahin%2Fcelal_test_123"

{"message":"401 Unauthorized"}

--> Test with a EMPTY API-key, error message says "Project Not Found" & this is quite misleading.

D:>curl --request GET --header "PRIVATE-TOKEN: " "https://gitlab.com/api/v4/projects/celal%2Esahin%2Fcelal_test_123"

{"message":"404 Project Not Found"}

Example Project

You can use any project, above is my example from directly gitlab.com itself.

What is the current bug behavior?

When you provide an empty "API-key" to above curl call, it returns "project not found"

What is the expected correct behavior?

It should return 401 unauthorized like it does on wrong api-key. Otherwise it is misleading.

Relevant logs and/or screenshots

See above - it is possible to replicate on gitlab.com

Output of checks

This bug happens on GitLab.com

Edited Nov 14, 2019 by Celal