From 6b595fa4a3b0d9d9b6434fa255f615b6585305f7 Mon Sep 17 00:00:00 2001
From: "Hahn Axel (hahn)" <axel.hahn@unibe.ch>
Date: Wed, 19 Feb 2025 13:26:22 +0100
Subject: [PATCH] more clear HTTP responses on error

---
 public_html/api/index.php | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/public_html/api/index.php b/public_html/api/index.php
index 15c0b25a..7b197c9c 100644
--- a/public_html/api/index.php
+++ b/public_html/api/index.php
@@ -59,7 +59,7 @@ function _wd(string $s, string $sLevel = 'info'): bool
 }
 
 /**
- * Abort execution of API requestwith error
+ * Abort execution of API request with error
  * 
  * @param string   $s        message
  * @param integer  $iStatus  http status code to send
@@ -68,6 +68,7 @@ function _quit(string $s, int $iStatus = 400): void
 {
     $aStatus = [
         400 => 'HTTP/1.0 400 Bad Request',
+        401 => 'HTTP/1.0 401 Unauthorized',
         403 => 'HTTP/1.0 403 Access denied',
         404 => 'HTTP/1.0 404 Not found',
     ];
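Review bot: The new `401 => 'HTTP/1.0 401 Unauthorized'` entry is consumed by the two _checkAuth hunks below (missing Authorization, invalid hash), but a 401 response is expected to carry a `WWW-Authenticate` header naming the scheme, and nothing in this map does that; the rest of _quit is outside the hunk, so I cannot tell whether it is sent elsewhere. If it is not, emit it on the 401 path with `header('WWW-Authenticate: <scheme-name, placeholder>');` using whatever scheme the Authorization header of this API carries. Separately, the hard-coded `HTTP/1.0` status lines ignore the protocol the client actually spoke; `http_response_code($iStatus);` lets PHP emit the correct version and reason phrase and would make this map unnecessary.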
@@ -105,7 +106,7 @@ function _checkAuth(string $sProjectSecret): bool
     $aReqHeaders = apache_request_headers();
     _wd('<pre>' . print_r($aReqHeaders, 1) . '</pre>');
     if (!isset($aReqHeaders['Authorization'])) {
-        _quit('Access denied. Missing authorization.', 403);
+        _quit('Access denied. Missing authorization.', 401);
     }
     if (!isset($aReqHeaders['Date'])) {
         _quit('Access denied. Missing field "Date:" in the request header.', 403);
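Review bot: The missing-Authorization branch now returns 401 while the missing-Date branch two lines below still returns 403, although both are preconditions of the same signed-request check; for consistency use `_quit('Access denied. Missing field "Date:" in the request header.', 401);`. On the context line above, `_wd('<pre>' . print_r($aReqHeaders, 1) . '</pre>')` dumps every request header, including the Authorization value, into the debug channel; how _wd is gated is not visible here, but if its output can reach a log or a response in any deployment, mask that key before printing. _checkAuth continues outside the hunk.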
@@ -123,7 +124,7 @@ function _checkAuth(string $sProjectSecret): bool
     _wd('Hash: ' . $sGotHash . ' -- from header');
     _wd('Hash: ' . $sMyHash . ' -- rebuilt');
     if ($sGotHash !== $sMyHash) {
-        _quit('Access denied. Invalid hash.', 403);
+        _quit('Access denied. Invalid hash.', 401);
     }
 
     $iAge = date('U') - date('U', strtotime($sGotDate));
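Review bot: The invalid-hash branch now answers 401, but the comparison feeding it, `$sGotHash !== $sMyHash`, is an ordinary string compare of a secret-derived value; prefer `if (!hash_equals($sMyHash, $sGotHash)) {`, which is the constant-time idiom for checking a received MAC against the recomputed one. The two `_wd('Hash: ...')` lines above print both the received and the rebuilt hash; the rebuilt value is the valid signature for that request, so make sure _wd output never reaches a response or a shared log (its gating is not visible here). _checkAuth continues outside the hunk.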
@@ -216,14 +217,18 @@ switch ($sApiVersion) {
                     ob_end_clean();
 
                 } catch (Exception $exc) {
-                    _quit('ERROR: project with id [' . $sPrjId . '] does not exist.', 404);
+                    _quit('ERROR: project with id [' . $sPrjId . '] cannot be initialized.', 400); // never reached
                 }
 
                 // get secret
                 $aPrjCfg = $oProject->getConfig();
-                $sProjectSecret = isset($aPrjCfg['api']['secret']) ? $aPrjCfg['api']['secret'] : false;
+                if(!count($aPrjCfg)){
+                    _quit('ERROR: project with id [' . $sPrjId . '] does not exist.', 404);
+                }
+
+                $sProjectSecret = $aPrjCfg['api']['secret'] ?? false;
                 if (!$sProjectSecret) {
-                    _quit('Access denied. API access is disabled.');
+                    _quit('Access denied. API access is disabled.', 403);
                 }
 
                 // check authorization 
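Review bot: The new 404 guard `if(!count($aPrjCfg)){` conflates a missing project with a project whose config is empty, and `count()` throws a TypeError on PHP 8 if getConfig() ever returns a non-array; `if ($aPrjCfg === []) {` (with PER-CS spacing) is both tighter and safer, assuming getConfig() is typed to return array, which is not visible here. The catch block above now says `// never reached` yet still emits a 400: if the exception truly cannot occur, the comment should say why (for example `// getConfig() yields [] for unknown ids instead of throwing` — if that is indeed the reason), and if it can occur, a failed initialization is a server-side condition for which 400 is misleading. The check `if (!$sProjectSecret)` also treats a configured secret of `'0'` as "disabled"; `if ($sProjectSecret === false || $sProjectSecret === '') {` matches the stated intent. The enclosing switch starts and ends outside the hunk.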
-- 
GitLab