Meilisearch: 401 vs 403 for authentication

Created on 2 Jun 2020 · 3 comments · Source: meilisearch/MeiliSearch

In v0.10.X
Try to get settings if public key used -> 403
Try to get keys if private key used -> 403
Try search if no key -> 403

On master:
Try to get settings if public key used -> 401
Try to get keys if private key used -> 401
Try search if no key -> 403

I would expect the same behavior as in v0.10, with a little fix: if we don't provide any key (last case), MeiliSearch returns a 401.
cf: https://en.wikipedia.org/wiki/List_of_HTTP_status_codes

Anyway, my suggestion:
Try to get settings if public key used -> 403
Try to get keys if private key used -> 403
Try search if no key -> 401

Tell me what you think.

Steps:

If you agree with my suggestion

  • [ ] Fix in the code
  • [ ] Add tests
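The mapping proposed above, as an added example that is not MeiliSearch's own code: a check that answers 401 when no key is presented (not authenticated) and 403 when a key is presented but lacks the right for the route (not authorized). The key values, roles and route names are constructed for the example, and treating an unrecognized key as "not authenticated" is an assumption the issue does not discuss.

```rust
// Added example, not code from the MeiliSearch repository.
// Role order matters: derive(PartialOrd) orders variants as declared,
// so Public < Private < Master.
#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Debug)]
pub enum Role {
    Public,  // may search
    Private, // may also read and update settings
    Master,  // may also list keys
}

/// The role a route requires, following the three cases in the issue.
/// Unknown routes require the most restrictive role (assumption).
pub fn required_role(route: &str) -> Role {
    match route {
        "search" => Role::Public,
        "settings" => Role::Private,
        "keys" => Role::Master,
        _ => Role::Master,
    }
}

/// Look up a presented key in a constructed key table.
/// A real deployment would load its keys from configuration.
pub fn role_for_key(key: &str) -> Option<Role> {
    match key {
        "public-key-example" => Some(Role::Public),
        "private-key-example" => Some(Role::Private),
        "master-key-example" => Some(Role::Master),
        _ => None,
    }
}

/// HTTP status for a request: 200 on success, 401 when no usable key is
/// presented (missing, or unknown by assumption), 403 when the key is known
/// but does not carry the right the route needs.
pub fn status_for(route: &str, key: Option<&str>) -> u16 {
    let role = match key.and_then(role_for_key) {
        None => return 401,
        Some(r) => r,
    };
    if role >= required_role(route) { 200 } else { 403 }
}
```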

All 3 comments

Well there are different cases to consider here:

  • If a user with no key tries to access either of these resources, then the user should get a 403.
  • If a user has a key, but that key is not associated with the correct right to the resource, then a 401 should be returned.

I would say the opposite 😂

yes sorry, that's what i meant :)
