Respond with 401 instead of 404 on npm unauthenticated requests
What does this MR do and why?
At present, if an unauthenticated request is made to the metadata
endpoint or the list-tags
endpoint of a private package in the npm Registry, the server responds with a 404
.
This could be confusing to users, since they may assume that the package does not exist, rather than focus on the fact that the request is not authenticated.
In this MR, we changed this behavior so the server would respond with a 401
instead of 404
.
The following table summarizes how the server responds after the MR changes:
No auth | auth + not allowed | auth + allowed | |
---|---|---|---|
public | 200 | 200 | 200 |
private | 401 | 404 | 200 |
non existing | 401 | 404 | 404 |
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Before | After |
---|---|
How to set up and validate locally
Executing the following curl requests should result in {"message":"401 Unauthorized"}
curl --header "Authorization: Bearer" "http://gdk.test:3000/api/v4/projects/<project_id>/packages/npm/<package_name>"
curl --header "Authorization: Bearer" "http://gdk.test:3000/api/v4/projects/<project_id>/packages/npm/-/package/<package_name>/dist-tags"
Executing the same on master would result in {"message":"404 Project Not Found","error":"Project not found"}
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #334897 (closed)