From 5a5efa5e027cf7a83a19c01e91bf853678aacbb7 Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Thu, 11 Mar 2021 18:36:58 +1100
Subject: [PATCH] fix(server): send 404 on missing api endpoints instead of 405 (#1806)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Returns a 404 instead of 405 on bad API endpoints. The original issue was resolved in 3487fd392e770c3e4c7af9aa5ef8e3e25b9a73eb however this resolves another issue that's related. Additionally this ensures the behavior is tested.

Co-authored-by: Clément Michaud
Fixes #1520
Closes #1534
---
 internal/server/server.go | 2 +-
 internal/suites/scenario_backend_protection_test.go | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/internal/server/server.go b/internal/server/server.go
index ea0f51bf..60aff102 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -53,7 +53,7 @@ func StartServer(configuration schema.Configuration, providers middlewares.Provi
 	}
 
 	r.GET("/static/{filepath:*}", embeddedFS)
-	r.GET("/api/{filepath:*}", embeddedFS)
+	r.ANY("/api/{filepath:*}", embeddedFS)
 
 	r.GET("/api/health", autheliaMiddleware(handlers.HealthGet))
 	r.GET("/api/state", autheliaMiddleware(handlers.StateGet))
diff --git a/internal/suites/scenario_backend_protection_test.go b/internal/suites/scenario_backend_protection_test.go
index c4b500a2..2b2d8e39 100644
--- a/internal/suites/scenario_backend_protection_test.go
+++ b/internal/suites/scenario_backend_protection_test.go
@@ -35,7 +35,7 @@ func (s *BackendProtectionScenario) AssertRequestStatusCode(method, url string,
 		}
 		res, err := client.Do(req)
 		s.Assert().NoError(err)
-		s.Assert().Equal(res.StatusCode, expectedStatusCode)
+		s.Assert().Equal(expectedStatusCode, res.StatusCode)
 	})
 }
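Review bot: The switch to `r.ANY` on the `/api/{filepath:*}` catch-all carries no comment explaining why the wildcard is registered for every method, and the reason (unknown `/api` paths should answer 404 rather than 405, per the commit title) is not obvious from the line itself; add `// Catch-all for /api: unknown paths under it return 404 for every method instead of 405.` above it. It is worth confirming that `embeddedFS` does not apply an index.html fallback for paths under `/api`, since the new test expects 404 rather than 200 for those paths. A known endpoint called with an unregistered method (for example a POST to `/api/health`, registered only with `r.GET`) presumably now falls through to this wildcard and returns 404 too, which is a behaviour change the commit message does not state. `StartServer` starts before and continues after the hunk.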
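Review bot: In `AssertRequestStatusCode`, `s.Assert().NoError(err)` after `client.Do(req)` records the failure but keeps running, so on a transport error `res` is nil and the following `res.StatusCode` dereference panics inside the subtest; `s.Require().NoError(err)` stops the subtest instead. The response body is also never closed in the visible lines, so each assertion leaks a connection; add `defer res.Body.Close()` directly after the error check. The argument swap to `(expectedStatusCode, res.StatusCode)` matches testify's expected-then-actual order and is fine. The enclosing method and its `s.Run` closure begin outside the hunk.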
@@ -55,6 +55,16 @@ func (s *BackendProtectionScenario) TestProtectionOfBackendEndpoints() {
 	s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/secondfactor/totp/identity/finish", AutheliaBaseURL), 403)
 }
 
+func (s *BackendProtectionScenario) TestInvalidEndpointsReturn404() {
+	s.AssertRequestStatusCode("GET", fmt.Sprintf("%s/api/not_existing", AutheliaBaseURL), 404)
+	s.AssertRequestStatusCode("HEAD", fmt.Sprintf("%s/api/not_existing", AutheliaBaseURL), 404)
+	s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/not_existing", AutheliaBaseURL), 404)
+
+	s.AssertRequestStatusCode("GET", fmt.Sprintf("%s/api/not_existing/second", AutheliaBaseURL), 404)
+	s.AssertRequestStatusCode("HEAD", fmt.Sprintf("%s/api/not_existing/second", AutheliaBaseURL), 404)
+	s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/not_existing/second", AutheliaBaseURL), 404)
+}
+
 func TestRunBackendProtection(t *testing.T) {
 	suite.Run(t, NewBackendProtectionScenario())
 }
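Review bot: `TestInvalidEndpointsReturn404` repeats the same assertion six times with only the method and path varying, and it exercises only GET, HEAD and POST although the wildcard route in server.go is now registered with `r.ANY`; iterating over a method and path table keeps the cases in one place and makes it cheap to cover the other methods the route now accepts. It would also be worth pinning a known endpoint called with an unsupported method, since that case appears to move from 405 to 404 with this change, but that expectation should be confirmed against the router before asserting it.
```go
func (s *BackendProtectionScenario) TestInvalidEndpointsReturn404() {
	paths := []string{"/api/not_existing", "/api/not_existing/second"}
	methods := []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE"}

	for _, path := range paths {
		for _, method := range methods {
			s.AssertRequestStatusCode(method, fmt.Sprintf("%s%s", AutheliaBaseURL, path), 404)
		}
	}
}
```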