Return correct status codes for authentication and authorization errors

- Use AuthenticatonException to return 401 - Use SecurityException to return 403 - Update existing throws to throw the correct exception for the circumstance
2025-05-24 02:02:29 -04:00 · 2020-04-13 13:17:46 -04:00 · 2020-04-13 13:17:46 -04:00 · 53380689ad
commit 53380689ad
parent 6d35dd6b32
4 changed files with 13 additions and 12 deletions
--- a/Emby.Server.Implementations/HttpServer/HttpListenerHost.cs
+++ b/Emby.Server.Implementations/HttpServer/HttpListenerHost.cs
@ -14,6 +14,7 @@ using Emby.Server.Implementations.Services;
 using MediaBrowser.Common.Extensions;
 using MediaBrowser.Common.Net;
 using MediaBrowser.Controller;
+using MediaBrowser.Controller.Authentication;
 using MediaBrowser.Controller.Configuration;
 using MediaBrowser.Controller.Net;
 using MediaBrowser.Model.Events;
@ -230,7 +231,8 @@ namespace Emby.Server.Implementations.HttpServer
            switch (ex)
            {
                case ArgumentException _: return 400;
-                case SecurityException _: return 401;
+                case AuthenticationException _: return 401;
+                case SecurityException _: return 403;
                case DirectoryNotFoundException _:
                case FileNotFoundException _:
                case ResourceNotFoundException _: return 404;
@ -550,6 +552,7 @@ namespace Emby.Server.Implementations.HttpServer
                    || ex is IOException
                    || ex is OperationCanceledException
                    || ex is SecurityException
+                    || ex is AuthenticationException
                    || ex is FileNotFoundException;
                await ErrorHandler(ex, httpReq, !ignoreStackTrace, urlToLog).ConfigureAwait(false);
            }
--- a/Emby.Server.Implementations/HttpServer/Security/AuthService.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthService.cs
@ -2,6 +2,7 @@

 using System;
 using System.Linq;
+using System.Security.Authentication;
 using Emby.Server.Implementations.SocketSharp;
 using MediaBrowser.Common.Net;
 using MediaBrowser.Controller.Configuration;
@ -68,7 +69,7 @@ namespace Emby.Server.Implementations.HttpServer.Security

            if (user == null && auth.UserId != Guid.Empty)
            {
-                throw new SecurityException("User with Id " + auth.UserId + " not found");
+                throw new AuthenticationException("User with Id " + auth.UserId + " not found");
            }

            if (user != null)
@ -212,14 +213,14 @@ namespace Emby.Server.Implementations.HttpServer.Security
        {
            if (string.IsNullOrEmpty(token))
            {
-                throw new SecurityException("Access token is required.");
+                throw new AuthenticationException("Access token is required.");
            }

            var info = GetTokenInfo(request);

            if (info == null)
            {
-                throw new SecurityException("Access token is invalid or expired.");
+                throw new AuthenticationException("Access token is invalid or expired.");
            }

            //if (!string.IsNullOrEmpty(info.UserId))
--- a/Emby.Server.Implementations/Library/UserManager.cs
+++ b/Emby.Server.Implementations/Library/UserManager.cs
@ -20,6 +20,7 @@ using MediaBrowser.Controller.Drawing;
 using MediaBrowser.Controller.Dto;
 using MediaBrowser.Controller.Entities;
 using MediaBrowser.Controller.Library;
+using MediaBrowser.Controller.Net;
 using MediaBrowser.Controller.Persistence;
 using MediaBrowser.Controller.Plugins;
 using MediaBrowser.Controller.Providers;
@ -324,21 +325,17 @@ namespace Emby.Server.Implementations.Library

            if (user.Policy.IsDisabled)
            {
-                throw new AuthenticationException(
-                    string.Format(
-                        CultureInfo.InvariantCulture,
-                        "The {0} account is currently disabled. Please consult with your administrator.",
-                        user.Name));
+                throw new SecurityException($"The {user.Name} account is currently disabled. Please consult with your administrator.");
            }

            if (!user.Policy.EnableRemoteAccess && !_networkManager.IsInLocalNetwork(remoteEndPoint))
            {
-                throw new AuthenticationException("Forbidden.");
+                throw new SecurityException("Forbidden.");
            }

            if (!user.IsParentalScheduleAllowed())
            {
-                throw new AuthenticationException("User is not allowed access at this time.");
+                throw new SecurityException("User is not allowed access at this time.");
            }

            // Update LastActivityDate and LastLoginDate, then save
--- a/Emby.Server.Implementations/Session/SessionManager.cs
+++ b/Emby.Server.Implementations/Session/SessionManager.cs
@ -1414,7 +1414,7 @@ namespace Emby.Server.Implementations.Session
            if (user == null)
            {
                AuthenticationFailed?.Invoke(this, new GenericEventArgs<AuthenticationRequest>(request));
-                throw new SecurityException("Invalid username or password entered.");
+                throw new AuthenticationException("Invalid username or password entered.");
            }

            if (!string.IsNullOrEmpty(request.DeviceId)