TL;DR:
If a bearer-token request hits an endpoint with route-model-binding but with an incorrect token, the response should be 401 instead of 404. It is 404 though because the model is resolved before the token is checked.
Environment:
Laravel 8
Sanctum
Bearer-token authentication for API requests; there is no SPA involved.
My problem:
Using for example this api-route:
When requesting this route with an incorrect bearer token AND a non-existing survey-uuid, it does not return the 401 for unauthenticated but a 404 because it cannot find the requested model.
To me this seems to be a security issue because without being authenticated a request can prove if an ID exists or not.
What I've tried:
As described here: #6118
the \Illuminate\Routing\Middleware\SubstituteBindings middleware is responsible for resolving route-model-bindings. But it is not completely clear if it should run before or after any authentication/authorization actions.
Also, according to the Sanctum package code, the \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful middleware should be responsible for validating the bearer token. It also, as far as I understand, sets it to the top of the middleware priority list.
According to this I also tried to configure my priority list within Http/Kernel.php to ensure this behavior:
Unfortunately, it keeps returning a 404 instead of 401. Checking the token should be done before the model is resolved.
Any ideas?
Thanks for any hint.
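A regression test that pins down the ordering problem described in the post, added here as an example and not part of the original discussion. It assumes a hypothetical GET /api/surveys/{survey:uuid} route guarded by auth:sanctum and an App\Models\Survey model with a factory; the unknown UUID is a constructed value.

```php
<?php

namespace Tests\Feature;

use App\Models\Survey; // assumed model name
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class SurveyBindingAuthOrderTest extends TestCase
{
    use RefreshDatabase;

    // Constructed UUID that no Survey row will ever have.
    private const UNKNOWN_UUID = '00000000-0000-4000-8000-000000000000';

    // Hypothetical endpoint: GET /api/surveys/{survey:uuid} behind auth:sanctum.
    private function requestSurvey(string $uuid, ?string $token)
    {
        $headers = $token === null ? [] : ['Authorization' => 'Bearer '.$token];

        return $this->getJson('/api/surveys/'.$uuid, $headers);
    }

    public function test_bad_token_and_unknown_uuid_is_401_not_404(): void
    {
        // A 404 here means SubstituteBindings ran before Authenticate and an
        // unauthenticated caller has learned that the uuid does not exist.
        $this->requestSurvey(self::UNKNOWN_UUID, 'not-a-valid-token')
            ->assertStatus(401);
    }

    public function test_unauthenticated_responses_do_not_depend_on_existence(): void
    {
        $existing = Survey::factory()->create(); // assumes a Survey factory

        $known   = $this->requestSurvey($existing->uuid, null);
        $unknown = $this->requestSurvey(self::UNKNOWN_UUID, null);

        // Both must be rejected identically; any difference in status or body
        // is an existence oracle available without credentials.
        $known->assertStatus(401);
        $unknown->assertStatus(401);
        $this->assertSame($known->getContent(), $unknown->getContent());
    }
}
```

The second test is the stronger check: even once the status is 401, a differing body between known and unknown ids would still leak existence.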