From 3509ad3282e7c7ca8bbd94ac26f7da073ded03a7 Mon Sep 17 00:00:00 2001
From: Sander Ginn
Date: Fri, 24 Mar 2023 16:48:57 +0100
Subject: [PATCH] executors: return status `401` instead of `403` when general access token is incorrect (#49967)

Status 403 implies a valid access token but lacking permissions to access the resource. When the submitted token doesn't match the configured token it's invalid and should return a status 401 instead.

## Test plan

Tests pass
---
 enterprise/cmd/frontend/internal/executorqueue/queuehandler.go | 2 +-
 .../cmd/frontend/internal/executorqueue/queuehandler_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/enterprise/cmd/frontend/internal/executorqueue/queuehandler.go b/enterprise/cmd/frontend/internal/executorqueue/queuehandler.go
index a05c62cafad..bbe3d9f9a40 100644
--- a/enterprise/cmd/frontend/internal/executorqueue/queuehandler.go
+++ b/enterprise/cmd/frontend/internal/executorqueue/queuehandler.go
@@ -181,7 +181,7 @@ func validateExecutorToken(w http.ResponseWriter, r *http.Request, logger log.Lo
 // code via timing attack. It is not important to avoid leaking the *length* of
 // the code, because the length of verification codes is constant.
 if subtle.ConstantTimeCompare([]byte(token), []byte(expectedAccessToken)) == 0 {
- w.WriteHeader(http.StatusForbidden)
+ w.WriteHeader(http.StatusUnauthorized)
 return false
 }
 
diff --git a/enterprise/cmd/frontend/internal/executorqueue/queuehandler_test.go b/enterprise/cmd/frontend/internal/executorqueue/queuehandler_test.go
index 7ab60ab6d9e..1867d7914d5 100644
--- a/enterprise/cmd/frontend/internal/executorqueue/queuehandler_test.go
+++ b/enterprise/cmd/frontend/internal/executorqueue/queuehandler_test.go
@@ -50,7 +50,7 @@ func TestAuthMiddleware(t *testing.T) {
 {
 name: "Wrong token",
 headers: http.Header{"Authorization": {"token-executor foobar"}},
- expectedStatusCode: http.StatusForbidden,
+ expectedStatusCode: http.StatusUnauthorized,
 },
 {
 name: "Invalid prefix",
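Review bot: The new `w.WriteHeader(http.StatusUnauthorized)` sends a 401 without a `WWW-Authenticate` header, which RFC 7235 requires on every 401 response so the client knows which challenge scheme applies; a 403 had no such requirement, so switching the status code introduces this gap. Setting the challenge before writing the status, presumably with the scheme the test hunk shows in its Authorization header, `w.Header().Set("WWW-Authenticate", "token-executor")`, would make the response well-formed without changing the rejection. The surrounding comment still talks about "verification codes" of constant length, but the value compared here is a configured access token whose length the page does not show to be fixed; rewording it to say that a length mismatch is accepted as the only timing signal leaked by `subtle.ConstantTimeCompare` would keep the comment honest. The body of `validateExecutorToken` starts and ends outside this hunk, so whether the missing-header path now agrees on 401 cannot be seen here and is worth checking for consistency.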