API endpoints for a private repo respond with 404 to an invalid token

Given a valid private GitHub repo and an invalid CircleCI access token, the API should respond with “401 Unauthorized” and not with “404 Not Found”.

This would allow differentiating between invalid or deleted access tokens and deleted or wrong repos while diagnosing problems while talking to the CircleCI API.

Various endpoints are affected, for example “Recent Builds For A Single Project” or " List Checkout Keys".

Example:

$ curl -v 'https://circleci.com/api/v1.1/project/gh/[Redacted]/[Redacted]?limit=100&offset=0&filter=completed&circle-token=anything-invalid'
[Redacted]
> 
< HTTP/1.1 404 Not Found
< Access-Control-Allow-Origin: *
< Content-Type: text/plain;charset=utf-8
< X-route: /api/v1.1/project/:vcs-type/:username/:repo/
[Redacted]

< 
{
  "message" : "Project not found"
}

If this is not considered to be an issue, what is the recommended way of checking whether a token is valid or not? Sounds like it’s not possible without making a request to some other endpoint…

Thanks!

This is by design to mirror the behavior on GitHub. The existence of a repo can be considered sensitive info, and 401 would make it easy to check for any repo’s existence. The /me endpoint should work more as you’d expect.

1 Like

@ndintenfass thanks for your reply but I have to disagree with you. GitHub does return 401 unauthorized on any request if the access token in use is invalid. I do not see how replying with 401 to invalid tokens might reveal any sensitive info.

Here is an example:

curl -v -H "Authorization: token some-invalid-token"  https://api.github.com/repos/valid-org/valid-private-repo

< HTTP/1.1 401 Unauthorized
< Content-Type: application/json; charset=utf-8
{
  "message": "Bad credentials",
  "documentation_url": "https://developer.github.com/v3"
}

@ndintenfass what do you think? :wink: