Avoid using HTTP 500 for unauthenticated requests #148

Closed
opened 2025-06-03 21:39:37 +00:00 by ic3w0lf22 · 1 comment
Member

Description:

Currently, the backend is returning HTTP 500 Internal Server Error when a user is not authenticated. This status code should only be used when an actual server-side error occurs (e.g., unhandled exceptions, database failures, etc.).

Expected Behavior:

  • When a user is not authenticated, the server should return:
    • 401 Unauthorized — if authentication credentials are missing or invalid.
    • 403 Forbidden — if the user is authenticated but not authorized to access a resource.

Why this matters:

  • HTTP 500 indicates a bug or failure within the backend itself.
  • Using it incorrectly:
    • Makes debugging harder.
    • Misleads frontend developers and monitoring tools.
    • Obscures actual errors when they occur.

Acceptance Criteria:

  • All routes that check for authentication return 401 or 403 appropriately.
  • 500 is only returned for unexpected, unhandled errors in backend logic.
Quaternions was assigned by ic3w0lf22 2025-06-03 21:39:49 +00:00
Quaternions added the backend label 2025-06-05 01:45:13 +00:00
Owner

Seeing “Acceptance Criteria” gave me Jira PTSD

itzaname added reference master 2025-06-08 21:14:44 +00:00

Reference: StrafesNET/maps-service#148
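
One way to implement the status mapping this issue asks for, as an added example that is not code from maps-service. It is written in Python with the standard library only; the exception names, the session table, the role names and both handlers are hypothetical and constructed for illustration.

```python
import logging
from http import HTTPStatus
log = logging.getLogger("auth-status-example")

class Unauthenticated(Exception):
    """Credentials are missing or fail validation -> 401."""
class Forbidden(Exception):
    """Caller is known but lacks permission -> 403."""

# Constructed session table (hypothetical): token -> (user, roles)
SESSIONS = {"tok-alice": ("alice", {"submitter"}),
            "tok-bob": ("bob", {"submitter", "reviewer"})}

def authenticate(headers):
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in SESSIONS:
        raise Unauthenticated("missing or invalid bearer token")
    return SESSIONS[token]

def require_role(role):
    def wrap(handler):
        def guarded(headers):
            user, roles = authenticate(headers)   # 401 path comes first
            if role not in roles:                 # then the 403 path
                raise Forbidden(f"{user} lacks role {role!r}")
            return handler(user)
        return guarded
    return wrap

@require_role("reviewer")
def review_map(user):
    return f"review queue for {user}"

@require_role("reviewer")
def broken_route(user):
    return {}["missing"]  # genuine backend bug: unhandled KeyError

def dispatch(handler, headers):
    """Single place where exceptions become (status, body, headers)."""
    try:
        return HTTPStatus.OK, handler(headers), {}
    except Unauthenticated:
        # RFC 9110 requires a WWW-Authenticate challenge on every 401
        return HTTPStatus.UNAUTHORIZED, "authentication required", {"WWW-Authenticate": "Bearer"}
    except Forbidden:
        return HTTPStatus.FORBIDDEN, "forbidden", {}
    except Exception:
        log.exception("unhandled error")  # only real faults are logged as errors
        return HTTPStatus.INTERNAL_SERVER_ERROR, "internal server error", {}
```

Because the auth exceptions are caught before the generic `except Exception`, a 500 in logs or monitoring always corresponds to a real fault, and the client body for it stays generic while the traceback is kept server-side.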