fix(plugins): consistent error responses upon Admin API auth failures

changelog/unreleased/kong/enhance_admin_api_auth_error_response.yml

@@ -0,0 +1,3 @@
+message: "Enhance error responses for authentication failures in the Admin API"
+type: bugfix
+scope: Plugin

kong/plugins/key-auth/handler.lua

@@ -30,7 +30,7 @@ local _realm = 'Key realm="' .. _KONG._NAME .. '"'
 
 local ERR_DUPLICATE_API_KEY   = { status = 401, message = "Duplicate API key found" }
 local ERR_NO_API_KEY          = { status = 401, message = "No API key found in request" }
-local ERR_INVALID_AUTH_CRED   = { status = 401, message = "Invalid authentication credentials" }
+local ERR_INVALID_AUTH_CRED   = { status = 401, message = "Unauthorized" }
 local ERR_INVALID_PLUGIN_CONF = { status = 500, message = "Invalid plugin configuration" }
 local ERR_UNEXPECTED          = { status = 500, message = "An unexpected error occurred" }
 

kong/plugins/ldap-auth/access.lua

@@ -263,7 +263,7 @@ local function do_authentication(conf)
   end
 
   if not is_authorized then
-    return false, {status = 401, message = "Invalid authentication credentials" }
+    return false, {status = 401, message = "Unauthorized" }
   end
 
   if conf.hide_credentials then

spec/02-integration/02-cmd/03-reload_spec.lua

@@ -697,7 +697,7 @@ describe("key-auth plugin invalidation on dbless reload #off", function()
       })
       local body = res:read_body()
       proxy_client:close()
-      return body ~= [[{"message":"Invalid authentication credentials"}]]
+      return body ~= [[{"message":"Unauthorized"}]]
     end, 5)
 
     admin_client = assert(helpers.admin_client())

spec/03-plugins/09-key-auth/02-access_spec.lua

@@ -291,7 +291,7 @@ for _, strategy in helpers.each_strategy() do
         local body = assert.res_status(401, res)
         local json = cjson.decode(body)
         assert.not_nil(json)
-        assert.matches("Invalid authentication credentials", json.message)
+        assert.matches("Unauthorized", json.message)
       end)
       it("handles duplicated key in querystring", function()
         local res = assert(proxy_client:send {
@@ -365,7 +365,7 @@ for _, strategy in helpers.each_strategy() do
             local body = assert.res_status(401, res)
             local json = cjson.decode(body)
             assert.not_nil(json)
-            assert.matches("Invalid authentication credentials", json.message)
+            assert.matches("Unauthorized", json.message)
           end)
 
           -- lua-multipart doesn't currently handle duplicates at all.
@@ -461,7 +461,7 @@ for _, strategy in helpers.each_strategy() do
         local body = assert.res_status(401, res)
         local json = cjson.decode(body)
         assert.not_nil(json)
-        assert.matches("Invalid authentication credentials", json.message)
+        assert.matches("Unauthorized", json.message)
       end)
     end)
 
@@ -521,7 +521,7 @@ for _, strategy in helpers.each_strategy() do
         local body = assert.res_status(401, res)
         local json = cjson.decode(body)
         assert.not_nil(json)
-        assert.matches("Invalid authentication credentials", json.message)
+        assert.matches("Unauthorized", json.message)
 
         res = assert(proxy_client:send {
           method  = "GET",
@@ -534,7 +534,7 @@ for _, strategy in helpers.each_strategy() do
         body = assert.res_status(401, res)
         json = cjson.decode(body)
         assert.not_nil(json)
-        assert.matches("Invalid authentication credentials", json.message)
+        assert.matches("Unauthorized", json.message)
       end)
     end)
 

spec/03-plugins/10-basic-auth/03-access_spec.lua

@@ -184,7 +184,7 @@ for _, strategy in helpers.each_strategy() do
         local body = assert.res_status(401, res)
         local json = cjson.decode(body)
         assert.not_nil(json)
-        assert.matches("Invalid authentication credentials", json.message)
+        assert.matches("Unauthorized", json.message)
         assert.equal('Basic realm="test-realm"', res.headers["WWW-Authenticate"])
       end)
 
@@ -200,7 +200,7 @@ for _, strategy in helpers.each_strategy() do
         local body = assert.res_status(401, res)
         local json = cjson.decode(body)
         assert.not_nil(json)
-        assert.matches("Invalid authentication credentials", json.message)
+        assert.matches("Unauthorized", json.message)
         assert.equal('Basic realm="test-realm"', res.headers["WWW-Authenticate"])
       end)
 
@@ -216,7 +216,7 @@ for _, strategy in helpers.each_strategy() do
         local body = assert.res_status(401, res)
         local json = cjson.decode(body)
         assert.not_nil(json)
-        assert.matches("Invalid authentication credentials", json.message)
+        assert.matches("Unauthorized", json.message)
         assert.equal('Basic realm="test-realm"', res.headers["WWW-Authenticate"])
       end)
 
@@ -232,7 +232,7 @@ for _, strategy in helpers.each_strategy() do
         local body = assert.res_status(401, res)
         local json = cjson.decode(body)
         assert.not_nil(json)
-        assert.matches("Invalid authentication credentials", json.message)
+        assert.matches("Unauthorized", json.message)
         assert.equal('Basic realm="test-realm"', res.headers["WWW-Authenticate"])
       end)
 
@@ -308,7 +308,7 @@ for _, strategy in helpers.each_strategy() do
         local body = assert.res_status(401, res)
         local json = cjson.decode(body)
         assert.not_nil(json)
-        assert.matches("Invalid authentication credentials", json.message)
+        assert.matches("Unauthorized", json.message)
         assert.equal('Basic realm="test-realm"', res.headers["WWW-Authenticate"])
       end)
 

spec/03-plugins/10-basic-auth/05-declarative_spec.lua

@@ -179,7 +179,7 @@ for _, strategy in helpers.each_strategy() do
           local body = assert.res_status(401, res)
           local json = cjson.decode(body)
           assert.not_nil(json)
-          assert.matches("Invalid authentication credentials", json.message)
+          assert.matches("Unauthorized", json.message)
         end)
       end)
 

spec/03-plugins/20-ldap-auth/01-access_spec.lua

@@ -237,7 +237,7 @@ for _, ldap_strategy in pairs(ldap_strategies) do
           })
           assert.response(res).has.status(401)
           local json = assert.response(res).has.jsonbody()
-          assert.equal("Invalid authentication credentials", json.message)
+          assert.equal("Unauthorized", json.message)
         end)
         it("returns 'invalid credentials' when credential value is in wrong format in proxy-authorization header", function()
           local res = assert(proxy_client:send {
@@ -250,7 +250,7 @@ for _, ldap_strategy in pairs(ldap_strategies) do
           })
           assert.response(res).has.status(401)
           local json = assert.response(res).has.jsonbody()
-          assert.equal("Invalid authentication credentials", json.message)
+          assert.equal("Unauthorized", json.message)
         end)
         it("returns 'invalid credentials' when credential value is missing in authorization header", function()
           local res = assert(proxy_client:send {
@@ -263,7 +263,7 @@ for _, ldap_strategy in pairs(ldap_strategies) do
           })
           assert.response(res).has.status(401)
           local json = assert.response(res).has.jsonbody()
-          assert.equal("Invalid authentication credentials", json.message)
+          assert.equal("Unauthorized", json.message)
         end)
         it("passes if credential is valid in post request", function()
           local res = assert(proxy_client:send {