Remove bearer authentication errors, re-set unauthorized responses

[roshii]

See #1552

[kristapsk]

utACK ef29982

[kristapsk]

@theborakompanioni Looks ok to you?

[theborakompanioni]

@theborakompanioni Looks ok to you?

Hmmm.. I am not sure.. shouldn't all endpoints with

  security:
    - bearerAuth: []

potentially answer with a 401 response? @roshii

  '401':
    $ref: '#/components/responses/401-Unauthorized'

[roshii]

@theborakompanioni Looks ok to you?

Hmmm.. I am not sure.. shouldn't all endpoints with

  security:
    - bearerAuth: []

potentially answer with a 401 response? @roshii

  '401':
    $ref: '#/components/responses/401-Unauthorized'

See #1552 (comment)

After a few reads and as far as I understand, 401-AuthenticationError does not need to be defined in wallet RPC API since it is an implication of bearer token authentication, defined by the security scheme object. Its error codes are in turn defined by https://datatracker.ietf.org/doc/html/rfc6750#section-3.1.

Bottom line, 401-AuthenticationError response definition should be removed, along with 403-Forbidden

[theborakompanioni]

See #1552 (comment)

After a few reads and as far as I understand, 401-AuthenticationError does not need to be defined in wallet RPC API since it is an implication of bearer token authentication, defined by the security scheme object. Its error codes are in turn defined by https://datatracker.ietf.org/doc/html/rfc6750#section-3.1.
Bottom line, 401-AuthenticationError response definition should be removed, along with 403-Forbidden

Okay, thanks for the clarification. However, what use is 401-Unauthorized then, what does it effectively signal and when is it returned?

To be more specific, e.g. why does /wallet/{walletname}/taker/stop include 401 but /wallet/{walletname}/configset does not?

[roshii]

Okay, thanks for the clarification. However, what use is 401-Unauthorized then, what does it effectively signal and when is it returned?

401-Unauthorized will be issued for errors such as providing an invalid wallet password, starting/stopping a started/stopped service or unlocking an unlocked wallet, in other words: any other authorization error than API authentication/authorization related.

To be more specific, e.g. why does /wallet/{walletname}/taker/stop include 401 but /wallet/{walletname}/configset does not?

In this example:

• /wallet/{walletname}/taker/stop will return a 401 if service is already stopped
• /wallet/{walletname}/configset has not authorization logic per se, if you have a valid JWT it will never return a 401.

[theborakompanioni]

401-Unauthorized will be issued for errors such as providing an invalid wallet password, starting/stopping a started/stopped service or unlocking an unlocked wallet, in other words: any other authorization error than API authentication/authorization related.

Ok, thanks for taking the time to explain it. 🙏
utACK!