Improve endpoint status codes (/src/service/routes) #1285
Description
Many endpoints have misleading error codes, such as the push routes in src/service/routes/push.ts:
router.post('/:id/reject', async (req: Request, res: Response) => {
if (!req.user) {
res.status(401).send({
message: 'not logged in',
});
return;
}
const id = req.params.id;
const { username } = req.user as { username: string };
// Get the push request
const push = await getValidPushOrRespond(id, res);
if (!push) return;
// Get the committer of the push via their email
const committerEmail = push.userEmail;
const list = await db.getUsers({ email: committerEmail });
if (list.length === 0) {
res.status(401).send({
message: `There was no registered user with the committer's email address: ${committerEmail}`,
});
return;
}
if (list[0].username.toLowerCase() === username.toLowerCase() && !list[0].admin) {
res.status(401).send({
message: `Cannot reject your own changes`,
});
return;
}
const isAllowed = await db.canUserApproveRejectPush(id, username);
if (isAllowed) {
const result = await db.reject(id, null);
console.log(`user ${username} rejected push request for ${id}`);
res.send(result);
} else {
res.status(401).send({
message: 'User is not authorised to reject changes',
});
}
});In this case, we're sending 401 responses in cases where the user is already authenticated. We should be sending 403 which shows that the user lacks the correct permissions.
Describe the solution you'd like
Replace misleading error codes (especially 401 errors) with more suitable ones. Also, adjust tests to reflect these changes.
Additional context
#1202 (comment)
#1202 (comment)
#1202 (comment)
#1202 (comment)