Request Type
Bug
Problem Description
When calling the API endpoint /api/v1/user//key as admin for a userID that does NOT have a key created, it returns error code 401 or 403 and not the expected 404. (I've created another issue for that: 2069)
If there is only one authentication method available, for example key, and we call the API with key authentication, the API returns 401. If we have multiple authentication methods, it returns 403.
Steps to Reproduce
1. Create a new user in the organization; don't create an API key.
2. Call the API to get the key: curl -k -H 'Authorization: Bearer <adminApiKey>' https://localhost/api/v1/user/<userID>/key
3. Get HTTP 403.
4. Change application.conf by removing all other authentication methods except key. Restart TheHive.
5. Call the API again: curl -k -H 'Authorization: Bearer <adminApiKey>' https://localhost/api/v1/user/<userID>/key
6. Get HTTP 401.
Complementary information
Excerpt from the application.log with multiple authentication methods:
2021-06-08 16:20:19,452 [WARN] from org.thp.thehive.services.TOTPAuthSrv in application-akka.actor.default-dispatcher-12 [00000005|] session fails: org.thp.scalligraph.AuthorizationError: Operation not supported
2021-06-08 16:20:19,452 [WARN] from org.thp.thehive.services.TOTPAuthSrv in application-akka.actor.default-dispatcher-12 [00000005|] basic fails: org.thp.scalligraph.AuthorizationError: Operation not supported
2021-06-08 16:20:19,452 [WARN] from org.thp.thehive.services.TOTPAuthSrv in application-akka.actor.default-dispatcher-12 [00000005|] local fails: org.thp.scalligraph.AuthorizationError: Operation not supported
2021-06-08 16:20:19,452 [WARN] from org.thp.thehive.services.TOTPAuthSrv in application-akka.actor.default-dispatcher-12 [00000005|] key fails: org.thp.scalligraph.NotFoundError: User userID hasn't key
2021-06-08 16:20:19,452 [WARN] from org.thp.scalligraph.ErrorHandler in application-akka.actor.default-dispatcher-12 [00000005|] GET /api/v1/user/~16432/key returned 403
Excerpt from the application.log with only key authentication method:
2021-06-08 16:22:47,248 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-16 [00000004|] 127.0.0.1 GET /api/v1/user/~16432/key took 143ms and returned 401 65 bytes
2021-06-08 16:22:52,661 [WARN] from org.thp.thehive.services.TOTPAuthSrv in application-akka.actor.default-dispatcher-16 [00000005|] key fails: org.thp.scalligraph.NotFoundError: User userID hasn't key
2021-06-08 16:22:52,663 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-14 [00000005|] 127.0.0.1 GET /api/v1/user/~16432/key took 70ms and returned 401 65 bytes