fix(auth)!: correct HTTP status codes for authentication and authorization failures (#108)

alukach · web-flow · commit 17227e447c18 · 2025-12-08T10:30:54.000-08:00
BREAKING CHANGE: Authentication failures now return 401 instead of 403

Changes the EnforceAuthMiddleware to follow HTTP RFC 7235 semantics:
- Unauthenticated requests (no/invalid token) now return 401
Unauthorized instead of 403 Forbidden
- Authorization failures (valid token, insufficient scopes) now return
403 Forbidden instead of 401 Unauthorized

This is a breaking change for clients that expect 403 for
unauthenticated requests. The correct behavior is:
- 401: "Who are you?" - Authentication required/failed
- 403: "I know who you are, but you lack permission" - Authorization
failed

Additional improvements:
- Remove sensitive token data from error logs (security fix)
- Handle missing JWT scope claim gracefully (prevent KeyError)
- Improve error messages for better debugging
- Add detailed logging for authorization failures
diff --git a/docs/user-guide/route-level-auth.md b/docs/user-guide/route-level-auth.md
@@ -107,7 +107,7 @@ PRIVATE_ENDPOINTS='{
 - Users must be authenticated AND have the required scope(s)
 - Different HTTP methods can require different scopes
 - Scopes are checked against the user's JWT scope claim
-- Unauthorized requests receive a 403 Forbidden response
+- Unauthorized requests receive a 401 Unauthorized response
 
 > [!TIP]
 >
diff --git a/src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py b/src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py
@@ -127,18 +127,19 @@ def validate_token(
         if not auth_header:
             if auto_error:
                 raise HTTPException(
-                    status_code=status.HTTP_403_FORBIDDEN,
+                    status_code=status.HTTP_401_UNAUTHORIZED,
                     detail="Not authenticated",
+                    headers={"WWW-Authenticate": "Bearer"},
                 )
             return None
 
         # Extract token from header
         token_parts = auth_header.split(" ")
         if len(token_parts) != 2 or token_parts[0].lower() != "bearer":
-            logger.error("Invalid token: %r", auth_header)
+            logger.error("Invalid Authorization header format")
             raise HTTPException(
                 status_code=status.HTTP_401_UNAUTHORIZED,
-                detail="Could not validate credentials",
+                detail="Invalid Authorization header format",
                 headers={"WWW-Authenticate": "Bearer"},
             )
         [_, token] = token_parts
@@ -154,32 +155,43 @@ def validate_token(
                 audience=self.allowed_jwt_audiences,
             )
         except jwt.InvalidAudienceError as e:
-            logger.error("InvalidAudienceError: %r", e)
+            logger.error("Token audience validation failed: %s", str(e))
             raise HTTPException(
                 status_code=status.HTTP_401_UNAUTHORIZED,
-                detail="Could not validate Audience",
+                detail="Invalid token audience",
                 headers={"WWW-Authenticate": "Bearer"},
             )
         except (
             jwt.exceptions.InvalidTokenError,
             jwt.exceptions.DecodeError,
             jwt.exceptions.PyJWKClientError,
         ) as e:
-            logger.error("InvalidTokenError: %r", e)
+            logger.error("Token validation failed: %s", type(e).__name__)
             raise HTTPException(
                 status_code=status.HTTP_401_UNAUTHORIZED,
-                detail="Could not validate credentials",
+                detail="Invalid or expired token",
                 headers={"WWW-Authenticate": "Bearer"},
             ) from e
 
+        # Check authorization (scopes)
         if required_scopes:
-            for scope in required_scopes:
-                if scope not in payload["scope"].split(" "):
-                    raise HTTPException(
-                        status_code=status.HTTP_401_UNAUTHORIZED,
-                        detail="Not enough permissions",
-                        headers={"WWW-Authenticate": f'Bearer scope="{scope}"'},
-                    )
+            token_scopes = set(payload.get("scope", "").split())
+            missing_scopes = set(required_scopes) - token_scopes
+            if missing_scopes:
+                logger.warning(
+                    "Insufficient scopes for user %s. Required: %s, Has: %s",
+                    payload.get("sub"),
+                    required_scopes,
+                    token_scopes,
+                )
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail=f"Insufficient permissions. Required scopes: {', '.join(missing_scopes)}",
+                    headers={
+                        "WWW-Authenticate": f'Bearer scope="{" ".join(required_scopes)}"'
+                    },
+                )
+
         return payload
 
     @property
diff --git a/tests/test_authn.py b/tests/test_authn.py
@@ -36,13 +36,13 @@
     ],
 )
 def test_default_public_false(source_api_server, path, method, token_builder):
-    """Private endpoints permit access with a valid token."""
+    """Private endpoints require authentication and return 401 when not authenticated."""
     test_app = app_factory(upstream_url=source_api_server)
     valid_auth_token = token_builder({})
 
     client = TestClient(test_app)
     response = client.request(method=method, url=path, headers={})
-    assert response.status_code == 403
+    assert response.status_code == 401  # Not authenticated -> 401
 
     response = client.request(
         method=method, url=path, headers={"Authorization": f"Bearer {valid_auth_token}"}
@@ -88,7 +88,7 @@ def test_default_public_false(source_api_server, path, method, token_builder):
 def test_default_public_false_with_scopes(
     source_api_server, rules, token, permitted, token_builder
 ):
-    """Private endpoints permit access with a valid token."""
+    """Private endpoints permit access with valid token AND required scopes."""
     test_app = app_factory(
         upstream_url=source_api_server,
         default_public=False,
@@ -102,7 +102,8 @@ def test_default_public_false_with_scopes(
         url="/collections",
         headers={"Authorization": f"Bearer {valid_auth_token}"},
     )
-    assert response.status_code == (200 if permitted else 401)
+    # Authenticated but lacking scopes -> 403, not 401
+    assert response.status_code == (200 if permitted else 403)
 
 
 @pytest.mark.parametrize(
@@ -151,7 +152,7 @@ def test_scopes(
     method,
     expected_permitted,
 ):
-    """Private endpoints permit access with a valid token."""
+    """Private endpoints require valid token AND required scopes."""
     test_app = app_factory(
         upstream_url=source_api_server,
         default_public=True,
@@ -165,7 +166,8 @@ def test_scopes(
         url=path,
         headers={"Authorization": f"Bearer {valid_auth_token}"},
     )
-    expected_status_code = 200 if expected_permitted else 401
+    # User is authenticated, so insufficient scopes -> 403, not 401
+    expected_status_code = 200 if expected_permitted else 403
     assert response.status_code == expected_status_code
 
 
@@ -201,10 +203,10 @@ def test_options_bypass_auth(
 @pytest.mark.parametrize(
     "path,method,default_public,private_endpoints,expected_status",
     [
-        # Test that non-OPTIONS requests still require auth when endpoints are private
-        ("/collections", "GET", False, {}, 403),
-        ("/collections", "POST", False, {}, 403),
-        ("/search", "GET", False, {}, 403),
+        # Test that non-OPTIONS requests return 401 when not authenticated
+        ("/collections", "GET", False, {}, 401),
+        ("/collections", "POST", False, {}, 401),
+        ("/search", "GET", False, {}, 401),
         # Test that OPTIONS requests bypass auth even when endpoints are private
         ("/collections", "OPTIONS", False, {}, 200),
         ("/search", "OPTIONS", False, {}, 200),
@@ -214,7 +216,7 @@ def test_options_bypass_auth(
             "POST",
             True,
             {r"^/collections$": [("POST", "collection:create")]},
-            403,
+            401,
         ),
         (
             "/collections",
@@ -300,7 +302,7 @@ def test_options_vs_other_methods_with_valid_auth(
         ),
         ("InvalidFormat", 401),
         ("Bearer", 401),
-        ("", 403),  # No auth header returns 403, not 401
+        ("", 401),  # No auth header returns 401 (not authenticated)
     ],
 )
 def test_with_invalid_tokens_fails(invalid_token, expected_status, source_api_server):
@@ -401,9 +403,19 @@ def test_jwt_audience_validation(
 @pytest.mark.parametrize(
     "aud_value,scope,expected_status,description",
     [
-        (["stac-api"], "openid", 401, "Valid audience but missing scope"),
+        (
+            ["stac-api"],
+            "openid",
+            403,
+            "Valid audience but missing scope (authenticated but not authorized)",
+        ),
         (["stac-api"], "collection:create", 200, "Valid audience and valid scope"),
-        (["wrong-api"], "collection:create", 401, "Invalid audience but valid scope"),
+        (
+            ["wrong-api"],
+            "collection:create",
+            401,
+            "Invalid audience but valid scope (authentication failed)",
+        ),
     ],
 )
 def test_audience_validation_with_scopes(
diff --git a/tests/test_defaults.py b/tests/test_defaults.py
@@ -18,16 +18,16 @@
         ("/search", "GET", 200),
         ("/search", "POST", 200),
         ("/collections", "GET", 200),
-        ("/collections", "POST", 403),
+        ("/collections", "POST", 401),
         ("/collections/example-collection", "GET", 200),
-        ("/collections/example-collection", "PUT", 403),
-        ("/collections/example-collection", "DELETE", 403),
+        ("/collections/example-collection", "PUT", 401),
+        ("/collections/example-collection", "DELETE", 401),
         ("/collections/example-collection/items", "GET", 200),
-        ("/collections/example-collection/items", "POST", 403),
+        ("/collections/example-collection/items", "POST", 401),
         ("/collections/example-collection/items/example-item", "GET", 200),
-        ("/collections/example-collection/items/example-item", "PUT", 403),
-        ("/collections/example-collection/items/example-item", "DELETE", 403),
-        ("/collections/example-collection/bulk_items", "POST", 403),
+        ("/collections/example-collection/items/example-item", "PUT", 401),
+        ("/collections/example-collection/items/example-item", "DELETE", 401),
+        ("/collections/example-collection/bulk_items", "POST", 401),
         ("/api.html", "GET", 200),
         ("/api", "GET", 200),
     ],
@@ -57,22 +57,22 @@ def test_default_public_true(source_api_server, path, method, expected_status):
 @pytest.mark.parametrize(
     "path,method,expected_status",
     [
-        ("/", "GET", 403),
-        ("/conformance", "GET", 403),
-        ("/queryables", "GET", 403),
-        ("/search", "GET", 403),
-        ("/search", "POST", 403),
-        ("/collections", "GET", 403),
-        ("/collections", "POST", 403),
-        ("/collections/example-collection", "GET", 403),
-        ("/collections/example-collection", "PUT", 403),
-        ("/collections/example-collection", "DELETE", 403),
-        ("/collections/example-collection/items", "GET", 403),
-        ("/collections/example-collection/items", "POST", 403),
-        ("/collections/example-collection/items/example-item", "GET", 403),
-        ("/collections/example-collection/items/example-item", "PUT", 403),
-        ("/collections/example-collection/items/example-item", "DELETE", 403),
-        ("/collections/example-collection/bulk_items", "POST", 403),
+        ("/", "GET", 401),
+        ("/conformance", "GET", 401),
+        ("/queryables", "GET", 401),
+        ("/search", "GET", 401),
+        ("/search", "POST", 401),
+        ("/collections", "GET", 401),
+        ("/collections", "POST", 401),
+        ("/collections/example-collection", "GET", 401),
+        ("/collections/example-collection", "PUT", 401),
+        ("/collections/example-collection", "DELETE", 401),
+        ("/collections/example-collection/items", "GET", 401),
+        ("/collections/example-collection/items", "POST", 401),
+        ("/collections/example-collection/items/example-item", "GET", 401),
+        ("/collections/example-collection/items/example-item", "PUT", 401),
+        ("/collections/example-collection/items/example-item", "DELETE", 401),
+        ("/collections/example-collection/bulk_items", "POST", 401),
         ("/api.html", "GET", 200),
         ("/api", "GET", 200),
     ],

Original file line number	Diff line number	Diff line change
`@@ -107,7 +107,7 @@ PRIVATE_ENDPOINTS='{`
`107`	`107`	`- Users must be authenticated AND have the required scope(s)`
`108`	`108`	`- Different HTTP methods can require different scopes`
`109`	`109`	`- Scopes are checked against the user's JWT scope claim`
`110`		`-- Unauthorized requests receive a 403 Forbidden response`
	`110`	`+- Unauthorized requests receive a 401 Unauthorized response`
`111`	`111`
`112`	`112`	`> [!TIP]`
`113`	`113`	`>`