Return 401 Unauthorized when using json/url encoded auth fails

When authentication using JSON payload or URL encoded payload fails, use the generic HTTP response code 401 Unauthorized instead of 400 Bad Request. This is a more appropriate response code for authentication errors and is consistent with the behavior of other authentication methods.
2025-07-19 07:06:30 +00:00 · 2025-04-25 15:37:43 +02:00 · 2025-04-25 15:37:43 +02:00 · 14e2ddc6d3
commit 14e2ddc6d3
parent 0e7e4f8b42
2 changed files with 13 additions and 7 deletions
--- a/supervisor/api/auth.py
+++ b/supervisor/api/auth.py
@ -79,13 +79,18 @@ class APIAuth(CoreSysAttributes):
        # Json
        if request.headers.get(CONTENT_TYPE) == CONTENT_TYPE_JSON:
            data = await request.json(loads=json_loads)
-            return await self._process_dict(request, addon, data)
+            if not await self._process_dict(request, addon, data):
+                raise HTTPUnauthorized()
+            return True

        # URL encoded
        if request.headers.get(CONTENT_TYPE) == CONTENT_TYPE_URL:
            data = await request.post()
-            return await self._process_dict(request, addon, data)
+            if not await self._process_dict(request, addon, data):
+                raise HTTPUnauthorized()
+            return True

+        # Advertise Basic authentication by default
        raise HTTPUnauthorized(headers=REALM_HEADER)

    @api_process
--- a/tests/api/test_auth.py
+++ b/tests/api/test_auth.py
@ -3,6 +3,7 @@
 from datetime import UTC, datetime, timedelta
 from unittest.mock import AsyncMock, patch

+from aiohttp.hdrs import WWW_AUTHENTICATE
 from aiohttp.test_utils import TestClient
 import pytest

@ -137,8 +138,8 @@ async def test_auth_json_invalid_credentials(
    resp = await api_client.post(
        "/auth", json={"username": "test", "password": "wrong"}
    )
-    # Do we really want the API to return 400 here?
-    assert resp.status == 400
+    assert WWW_AUTHENTICATE not in resp.headers
+    assert resp.status == 401


@pytest.mark.parametrize("api_client", [TEST_ADDON_SLUG], indirect=True)
@ -184,8 +185,8 @@ async def test_auth_urlencoded_failure(
        data="username=test&password=fail",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
-    # Do we really want the API to return 400 here?
-    assert resp.status == 400
+    assert WWW_AUTHENTICATE not in resp.headers
+    assert resp.status == 401


@pytest.mark.parametrize("api_client", [TEST_ADDON_SLUG], indirect=True)
@ -196,7 +197,7 @@ async def test_auth_unsupported_content_type(
    resp = await api_client.post(
        "/auth", data="something", headers={"Content-Type": "text/plain"}
    )
-    # This probably should be 400 here for better consistency
+    assert "Basic realm" in resp.headers[WWW_AUTHENTICATE]
    assert resp.status == 401