macOS ◆ xterm-256color ◆ bash 249 views

only create users when necessary

The original issue’s acceptance criteria suggests that any authentication failures should return 404s, not 403s. However, after more thoroughly experimenting with the API and seeing Django and DRF’s native/default behaviors for handling failed or missing authentication, I don’t believe strictly returning 404 is appropriate.

Our original concern was that by returning 401 or 403 instead of 404 we could leak information about other users and accounts. For example, maybe a malicious user would troll through IDs under /instances/{id}/ to infer what IDs might exist. However, the existence checks come after any required auth checks. So, it’s not possible to get information this way. Other than IDs, there’s nothing we have to hide in our public APIs since they are all publicly defined both in source code and in the openapi.json.

I think another reason we considered returning 404 was that it would be a cheaper implementation; that was a faulty assumption because the implementation is cheap and easy using more “correct” 403 status codes anyhow.