fix: Prism has not enough informations to return a 403 in any case (stoplightio#625)

XVincentX · web-flow · commit 934587ab22bc · 2019-09-17T22:05:27.000+02:00
* fix: 403 is not a thing

* docs: changelog

* docs: changelog

* test: fix
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,36 +10,37 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ## Fixed
 
-- Prism is now giving precedence to `application/json` instead of using it as a "fallback" serializer, fixing some conditions where it wouldn't get triggered correctly. #604
-- Prism is now taking in consideration the `required` properties for combined schemas (`oneOf, allOf`). This is coming through an update to the Json Schema Faker Library #623
+- Prism is now giving precedence to `application/json` instead of using it as a "fallback" serializer, fixing some conditions where it wouldn't get triggered correctly. [#604](https://github.com/stoplightio/prism/pulls/604)
+- Prism is now taking in consideration the `required` properties for combined schemas (`oneOf, allOf`). This is coming through an update to the Json Schema Faker Library [#623](https://github.com/stoplightio/prism/pulls/623)
+- Prism will never have enough information to return a `403` status code; all these occurences have been now replaced with a `401` status code which is more appropriate [#625](https://github.com/stoplightio/prism/pulls/625)
 
 # 3.1.0 (2019-09-03)
 
 ## Added
 
-- Prism is now able to validate the security specification of the loaded document #484
+- Prism is now able to validate the security specification of the loaded document [#484](https://github.com/stoplightio/prism/pulls/484)
 
 ## Fixed
 
-- Prism is not crashing anymore when referencing the same model multiple times in the specification document #552
-- Prism will now correctly use the `example` keyword for a Schema Object in OpenAPI 3.0 documents #560
-- Prism won't return 406 when users request a `text/plain` response whose content is a primitive (string, number) #560
-- Prism's router is now able to correctly handle a path ending with a parameter, such as `/test.{format}`, while it would previously not match with anything. #561
-- Prism is correctly handling the `allowEmptyValue` property in OAS2 documents #569
-- Prism is correctly handling the `csv` collection format argument property in OAS2 documents #577
-- Prism is correctly returning the response when the request has `*/*` as Accept header #578
-- Prism is correctly returning a single root node with the payload for XML data #578
+- Prism is not crashing anymore when referencing the same model multiple times in the specification document [#552](https://github.com/stoplightio/prism/pulls/552)
+- Prism will now correctly use the `example` keyword for a Schema Object in OpenAPI 3.0 documents [#560](https://github.com/stoplightio/prism/pulls/560)
+- Prism won't return 406 when users request a `text/plain` response whose content is a primitive (string, number) [#560](https://github.com/stoplightio/prism/pulls/560)
+- Prism's router is now able to correctly handle a path ending with a parameter, such as `/test.{format}`, while it would previously not match with anything. [#561](https://github.com/stoplightio/prism/pulls/561)
+- Prism is correctly handling the `allowEmptyValue` property in OAS2 documents [#569](https://github.com/stoplightio/prism/pulls/569)
+- Prism is correctly handling the `csv` collection format argument property in OAS2 documents [#577](https://github.com/stoplightio/prism/pulls/577)
+- Prism is correctly returning the response when the request has `*/*` as Accept header [#578](https://github.com/stoplightio/prism/pulls/578)
+- Prism is correctly returning a single root node with the payload for XML data [#578](https://github.com/stoplightio/prism/pulls/578)
 
 # 3.0.4 (2019-08-20)
 
 ## Added
 
-- Prism is now returning CORS headers by default and responding to all the preflights requests. You can disable this behaviour by running Prism with the `--cors` flag set to false #525
+- Prism is now returning CORS headers by default and responding to all the preflights requests. You can disable this behaviour by running Prism with the `--cors` flag set to false [#525](https://github.com/stoplightio/prism/pulls/525)
 
 ## Fixed
-- Prism now respects the `nullable` value for OpenAPI 3.x documents when generating examples #506
-- Prism now loads correctly OpenAPI 3.x documents with `encodings` with non specified `style` property #507
-- Prism got rid of some big internal dependencies that now aren't required anymore, making it faster and lighter. #490
+- Prism now respects the `nullable` value for OpenAPI 3.x documents when generating examples [#506](https://github.com/stoplightio/prism/pulls/506)
+- Prism now loads correctly OpenAPI 3.x documents with `encodings` with non specified `style` property [#507](https://github.com/stoplightio/prism/pulls/507)
+- Prism got rid of some big internal dependencies that now aren't required anymore, making it faster and lighter. [#490](https://github.com/stoplightio/prism/pulls/490)
 - Prism now correctly validates OAS2 `application/x-www-urlencoded` (form data) params (#483)
 
 # 3.0.3 (2019-07-25)
diff --git a/docs/guides/errors.md b/docs/guides/errors.md
@@ -172,13 +172,6 @@ This class of errors is returned when the current request is not satisfying the
 
 ---
 
-### FORBIDDEN
-**Message: Invalid credentials used**
-**Returned Status Code: `403`**
-**Explanation:** This error occurs when the current request is using the correct security scheme, but its content was invalid. This might be an error in the decoding process (such as a not valid base64 payload)
-
----
-
 ## Negotiation errors
 
 This class of errors is returned when anything goes wrong in between your **valid** request and returning a suitable response
diff --git a/packages/core/src/utils/__tests__/security.spec.ts b/packages/core/src/utils/__tests__/security.spec.ts
@@ -28,8 +28,8 @@ describe('validateSecurity', () => {
     it('fails with an invalid credentials error', () => {
       assertSome(validateSecurity({ headers: { authorization: 'Basic abc123' } }, { security: securityScheme }), res =>
         expect(res).toStrictEqual({
-          code: 403,
-          message: 'Invalid credentials used',
+          code: 401,
+          message: 'Invalid security scheme used',
           severity: DiagnosticSeverity.Error,
         }),
       );
@@ -64,8 +64,8 @@ describe('validateSecurity', () => {
         validateSecurity({ headers: { authorization: 'Digest username=""' } }, { security: securityScheme }),
         res =>
           expect(res).toStrictEqual({
-            code: 403,
-            message: 'Invalid credentials used',
+            code: 401,
+            message: 'Invalid security scheme used',
             severity: DiagnosticSeverity.Error,
           }),
       );
diff --git a/packages/core/src/utils/security/handlers/utils.ts b/packages/core/src/utils/security/handlers/utils.ts
@@ -3,8 +3,8 @@ import { Either, left, right } from 'fp-ts/lib/Either';
 import { IPrismDiagnostic } from '../../../types';
 
 const forbiddenErr: IPrismDiagnostic = {
-  code: 403,
-  message: 'Invalid credentials used',
+  code: 401,
+  message: 'Invalid security scheme used',
   severity: DiagnosticSeverity.Error,
 };
 
diff --git a/packages/http/src/mocker/HttpMocker.ts b/packages/http/src/mocker/HttpMocker.ts
@@ -18,7 +18,7 @@ import {
   ProblemJsonError,
 } from '../types';
 import withLogger from '../withLogger';
-import { FORBIDDEN, UNAUTHORIZED, UNPROCESSABLE_ENTITY } from './errors';
+import { UNAUTHORIZED, UNPROCESSABLE_ENTITY } from './errors';
 import { generate, generateStatic } from './generator/JSONSchema';
 import helpers from './negotiator/NegotiatorHelpers';
 import { IHttpNegotiationResult } from './negotiator/types';
@@ -61,11 +61,11 @@ function handleInputValidation(input: IPrismInput<IHttpRequest>, resource: IHttp
       pipe(
         helpers.negotiateOptionsForInvalidRequest(resource.responses),
         mapLeft(() => {
-          const securityValidation = input.validations.input.find(i => i.code === 401 || i.code === 403);
+          const securityValidation = input.validations.input.find(valiation => valiation.code === 401);
 
           return securityValidation
             ? ProblemJsonError.fromTemplate(
-                securityValidation.code === 401 ? UNAUTHORIZED : FORBIDDEN,
+                UNAUTHORIZED,
                 '',
                 securityValidation.tags && securityValidation.tags.length
                   ? {
diff --git a/packages/http/src/mocker/errors.ts b/packages/http/src/mocker/errors.ts
@@ -23,9 +23,3 @@ export const UNAUTHORIZED: Omit<ProblemJson, 'detail'> = {
   title: 'Invalid security scheme used',
   status: 401,
 };
-
-export const FORBIDDEN: Omit<ProblemJson, 'detail'> = {
-  type: 'FORBIDDEN',
-  title: 'Invalid credentials used',
-  status: 403,
-};
diff --git a/test-harness/specs/security-scheme-validation-AC-5.oas2.txt b/test-harness/specs/security-scheme-validation-AC-5.oas2.txt
@@ -26,6 +26,6 @@ mock -p 4010
 ====command====
 curl -i http://localhost:4010/todos -H "Authorization: Basic abc123"
 ====expect====
-HTTP/1.1 403 Forbidden
+HTTP/1.1 401 Unauthorized
 
-{"type":"https://stoplight.io/prism/errors#FORBIDDEN","title":"Invalid credentials used","status":403,"detail":""}
+{"type":"https://stoplight.io/prism/errors#UNAUTHORIZED","title":"Invalid security scheme used","status":401,"detail":""}
diff --git a/test-harness/specs/security-scheme-validation-AC-5.oas3.txt b/test-harness/specs/security-scheme-validation-AC-5.oas3.txt
@@ -29,6 +29,6 @@ mock -p 4010
 ====command====
 curl -i http://localhost:4010/todos -H "Authorization: Basic abc123"
 ====expect====
-HTTP/1.1 403 Forbidden
+HTTP/1.1 401 Unauthorized
 
-{"type":"https://stoplight.io/prism/errors#FORBIDDEN","title":"Invalid credentials used","status":403,"detail":""}
+{"type":"https://stoplight.io/prism/errors#UNAUTHORIZED","title":"Invalid security scheme used","status":401,"detail":""}
diff --git a/test-harness/specs/security-scheme-validation-AC-6.oas2.txt b/test-harness/specs/security-scheme-validation-AC-6.oas2.txt
@@ -30,6 +30,6 @@ mock -p 4010
 ====command====
 curl -i http://localhost:4010/todos -H "Authorization: Basic abc123"
 ====expect====
-HTTP/1.1 403 Forbidden
+HTTP/1.1 401 Unauthorized
 
-{"type":"https://stoplight.io/prism/errors#FORBIDDEN","title":"Invalid credentials used","status":403,"detail":""}
+{"type":"https://stoplight.io/prism/errors#UNAUTHORIZED","title":"Invalid security scheme used","status":401,"detail":""}
diff --git a/test-harness/specs/security-scheme-validation-AC-6.oas3.txt b/test-harness/specs/security-scheme-validation-AC-6.oas3.txt
@@ -31,6 +31,6 @@ mock -p 4010
 ====command====
 curl -i http://localhost:4010/todos -H "Authorization: Basic abc123"
 ====expect====
-HTTP/1.1 403 Forbidden
+HTTP/1.1 401 Unauthorized
 
-{"type":"https://stoplight.io/prism/errors#FORBIDDEN","title":"Invalid credentials used","status":403,"detail":""}
+{"type":"https://stoplight.io/prism/errors#UNAUTHORIZED","title":"Invalid security scheme used","status":401,"detail":""}
