diff --git a/src/routes/accesscontrol.js b/src/routes/accesscontrol.js
index 124026ad5..ab96261aa 100644
--- a/src/routes/accesscontrol.js
+++ b/src/routes/accesscontrol.js
@@ -153,7 +153,7 @@ function websocketAuth(requiredScopes, req, res, next) {
 req.authInfo = info;
 var e = accesscontrol.hasScopes(req.authInfo, requiredScopes);
- if (e) return next(new HttpError(401, e.message));
+ if (e) return next(new HttpError(403, e.message));
 next();
 });
diff --git a/src/routes/profile.js b/src/routes/profile.js
index c46563426..6384eb5ce 100644
--- a/src/routes/profile.js
+++ b/src/routes/profile.js
@@ -65,7 +65,7 @@ function changePassword(req, res, next) {
 users.setPassword(req.user.id, req.body.newPassword, function (error) {
 if (error && error.reason === UsersError.BAD_FIELD) return next(new HttpError(400, error.message));
- if (error && error.reason === UsersError.NOT_FOUND) return next(new HttpError(403, 'Wrong password'));
+ if (error && error.reason === UsersError.NOT_FOUND) return next(new HttpError(404, 'User not found'));
 if (error) return next(new HttpError(500, error));
 next(new HttpSuccess(204));
@@ -91,7 +91,7 @@ function enableTwoFactorAuthentication(req, res, next) {
 users.enableTwoFactorAuthentication(req.user.id, req.body.totpToken, function (error) {
 if (error && error.reason === UsersError.NOT_FOUND) return next(new HttpError(404, 'User not found'));
- if (error && error.reason === UsersError.BAD_TOKEN) return next(new HttpError(403, 'Invalid token'));
+ if (error && error.reason === UsersError.BAD_TOKEN) return next(new HttpError(401, 'Invalid token'));
 if (error && error.reason === UsersError.ALREADY_EXISTS) return next(new HttpError(409, 'TwoFactor Authentication is already enabled'));
 if (error) return next(new HttpError(500, error));
diff --git a/src/routes/setup.js b/src/routes/setup.js
index 883950ac4..d61f2014b 100644
--- a/src/routes/setup.js
+++ b/src/routes/setup.js
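Review bot: A 401 for a rejected TOTP code on an already-authenticated request (the profile.js enableTwoFactorAuthentication hunk) changes client-visible semantics in a way the commit does not document, and the same 403→401 move is made for setup.js providerTokenAuth, setupTokenAuth and activate and for users.js verifyPassword. RFC 7235 requires a 401 response to carry a WWW-Authenticate header, and HTTP clients commonly treat any 401 as "session invalid" and discard their access token, so a mistyped code or password could log the user out; whether `HttpError(401, …)` sets that header or the frontend special-cases these routes cannot be seen from these hunks. If the intent is to reserve 403 for scope failures (the accesscontrol.js websocketAuth hunk), a comment where HttpError is defined such as `// 401: a credential (access token, password, TOTP, setup token) was rejected; 403: authenticated but scope/role insufficient` would record the convention, and the client's 401 handling should be confirmed. The callbacks in all of these hunks continue outside the hunk.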
@@ -35,7 +35,7 @@ function providerTokenAuth(req, res, next) {
 if (error && !error.response) return next(new HttpError(500, error));
 if (result.statusCode !== 200) return next(new HttpError(500, 'Unable to get meta data'));
- if (result.text !== req.body.providerToken) return next(new HttpError(403, 'Invalid providerToken'));
+ if (result.text !== req.body.providerToken) return next(new HttpError(401, 'Invalid providerToken'));
 next();
 });
@@ -53,7 +53,7 @@ function setupTokenAuth(req, res, next) {
 caas.verifySetupToken(req.query.setupToken, function (error) {
 if (error && error.reason === CaasError.BAD_STATE) return next(new HttpError(409, 'Already setup'));
- if (error && error.reason === CaasError.INVALID_TOKEN) return next(new HttpError(403, 'Invalid token'));
+ if (error && error.reason === CaasError.INVALID_TOKEN) return next(new HttpError(401, 'Invalid token'));
 if (error && error.reason === CaasError.EXTERNAL_ERROR) return next(new HttpError(503, error.message));
 if (error) return next(new HttpError(500, error));
@@ -119,7 +119,7 @@ function activate(req, res, next) {
 caas.setupDone(req.query.setupToken, function (error) {
 if (error && error.reason === CaasError.BAD_STATE) return next(new HttpError(409, 'Already setup'));
- if (error && error.reason === CaasError.INVALID_TOKEN) return next(new HttpError(403, 'Invalid token'));
+ if (error && error.reason === CaasError.INVALID_TOKEN) return next(new HttpError(401, 'Invalid token'));
 if (error && error.reason === CaasError.EXTERNAL_ERROR) return next(new HttpError(503, error.message));
 if (error) return next(new HttpError(500, error));
diff --git a/src/routes/test/domains-test.js b/src/routes/test/domains-test.js
index 79f19cce3..756e21ee9 100644
--- a/src/routes/test/domains-test.js
+++ b/src/routes/test/domains-test.js
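Review bot: The line the providerTokenAuth hunk rewrites still compares a secret with `result.text !== req.body.providerToken`, which neither validates the type of the client-supplied value nor compares in constant time. The timing signal is marginal given the upstream metadata fetch on the same path, but the cost of fixing it is small: `if (typeof req.body.providerToken !== 'string') return next(new HttpError(400, 'providerToken must be a string'));` followed by `var expected = Buffer.from(result.text), provided = Buffer.from(req.body.providerToken);` and `if (expected.length !== provided.length || !crypto.timingSafeEqual(expected, provided)) return next(new HttpError(401, 'Invalid providerToken'));`, with the Node core `crypto` module required at the top of the file if it is not already. The same INVALID_TOKEN status change in setupTokenAuth and activate delegates the comparison to caas.verifySetupToken, so it is not affected. providerTokenAuth's callback continues outside the hunk.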
@@ -234,7 +234,7 @@ describe('Domains API', function () {
 .query({ access_token: token })
 .send({ password: PASSWORD + PASSWORD })
 .end(function (error, result) {
- expect(result.statusCode).to.equal(403);
+ expect(result.statusCode).to.equal(401);
 done();
 });
diff --git a/src/routes/test/groups-test.js b/src/routes/test/groups-test.js
index 0d7d289f2..6ca84662f 100644
--- a/src/routes/test/groups-test.js
+++ b/src/routes/test/groups-test.js
@@ -285,7 +285,7 @@ describe('Groups API', function () {
 .query({ access_token: token })
 .send({ groupIds: [ group0Object.id, group1Object.id ]})
 .end(function (error, result) {
- expect(result.statusCode).to.equal(403); // not allowed
+ expect(result.statusCode).to.equal(409); // not allowed
 done();
 });
 });
diff --git a/src/routes/test/mail-test.js b/src/routes/test/mail-test.js
index 225f9b73b..964871eba 100644
--- a/src/routes/test/mail-test.js
+++ b/src/routes/test/mail-test.js
@@ -163,7 +163,7 @@ describe('Mail API', function () {
 .send({ password: PASSWORD+PASSWORD })
 .query({ access_token: token })
 .end(function (err, res) {
- expect(res.statusCode).to.equal(403);
+ expect(res.statusCode).to.equal(401);
 done();
 });
 });
diff --git a/src/routes/test/profile-test.js b/src/routes/test/profile-test.js
index 480e66794..f508b5e8e 100644
--- a/src/routes/test/profile-test.js
+++ b/src/routes/test/profile-test.js
@@ -255,7 +255,7 @@ describe('Profile API', function () {
 .query({ access_token: token_0 })
 .send({ password: 'some wrong password', newPassword: 'MOre#$%34' })
 .end(function (err, res) {
- expect(res.statusCode).to.equal(403);
+ expect(res.statusCode).to.equal(401);
 done();
 });
 });
diff --git a/src/routes/test/users-test.js b/src/routes/test/users-test.js
index 765841e54..431985c5a 100644
--- a/src/routes/test/users-test.js
+++ b/src/routes/test/users-test.js
@@ -358,7 +358,7 @@ describe('Users API', function () {
 .query({ access_token: token })
 .send({ groupIds: [ groupObject.id ] })
 .end(function (err, res) {
- expect(res.statusCode).to.equal(403);
+ expect(res.statusCode).to.equal(409);
 done();
 });
 });
@@ -525,7 +525,7 @@ describe('Users API', function () {
 .query({ access_token: token })
 .send({ password: PASSWORD })
 .end(function (err, res) {
- expect(res.statusCode).to.equal(403);
+ expect(res.statusCode).to.equal(409);
 done();
 });
 });
@@ -544,7 +544,7 @@ describe('Users API', function () {
 .query({ access_token: token })
 .send({ password: '' })
 .end(function (err, res) {
- expect(res.statusCode).to.equal(403);
+ expect(res.statusCode).to.equal(401);
 done();
 });
 });
@@ -554,7 +554,7 @@ describe('Users API', function () {
 .query({ access_token: token })
 .send({ password: PASSWORD + PASSWORD })
 .end(function (err, res) {
- expect(res.statusCode).to.equal(403);
+ expect(res.statusCode).to.equal(401);
 done();
 });
 });
@@ -574,7 +574,7 @@ describe('Users API', function () {
 .query({ access_token: token })
 .send({ password: PASSWORD })
 .end(function (err, res) {
- expect(res.statusCode).to.equal(403);
+ expect(res.statusCode).to.equal(409);
 done();
 });
 });
diff --git a/src/routes/users.js b/src/routes/users.js
index 46d0d0133..2d3bae185 100644
--- a/src/routes/users.js
+++ b/src/routes/users.js
@@ -107,7 +107,7 @@ function remove(req, res, next) {
 // - admin cannot remove admin
 // - user cannot remove himself <- TODO should this actually work?
- if (req.user.id === req.params.userId) return next(new HttpError(403, 'Not allowed to remove yourself.'));
+ if (req.user.id === req.params.userId) return next(new HttpError(409, 'Not allowed to remove yourself.'));
 users.remove(req.params.userId, auditSource(req), function (error) {
 if (error && error.reason === UsersError.BAD_FIELD) return next(new HttpError(400, error.message));
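Review bot: 409 Conflict for the self-removal refusal in the users.js remove() hunk, and for the matching 'Admin removing itself from admins is not allowed' check in the setGroups hunk on the next physical line, signals a conflict with the current state of the target resource, whereas this is a policy the server enforces regardless of state, which RFC 7231 describes as 403. If 403 is now being reserved for access-token scope failures (the accesscontrol.js websocketAuth hunk), that is a defensible API convention, but nothing in the code says so and the next reader is likely to "fix" it back; a comment above the check such as `// 409 rather than 403: 403 is reserved for OAuth scope failures (see accesscontrol.js)` would prevent that. The adjacent TODO asking whether self-removal should be allowed at all is left unanswered by the status change. remove()'s body continues outside the hunk.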
@@ -127,8 +127,8 @@ function verifyPassword(req, res, next) {
 if (typeof req.body.password !== 'string') return next(new HttpError(400, 'API call requires user password'));
 users.verifyWithUsername(req.user.username, req.body.password, function (error) {
- if (error && error.reason === UsersError.WRONG_PASSWORD) return next(new HttpError(403, 'Password incorrect'));
- if (error && error.reason === UsersError.NOT_FOUND) return next(new HttpError(403, 'Password incorrect'));
+ if (error && error.reason === UsersError.WRONG_PASSWORD) return next(new HttpError(401, 'Password incorrect'));
+ if (error && error.reason === UsersError.NOT_FOUND) return next(new HttpError(404, 'No such user'));
 if (error) return next(new HttpError(500, error));
 req.body.password = ''; // this will prevent logs from displaying plain text password
@@ -155,7 +155,7 @@ function setGroups(req, res, next) {
 if (!Array.isArray(req.body.groupIds)) return next(new HttpError(400, 'API call requires a groups array.'));
 // this route is only allowed for admins, so req.user has to be an admin
- if (req.user.id === req.params.userId && req.body.groupIds.indexOf(constants.ADMIN_GROUP_ID) === -1) return next(new HttpError(403, 'Admin removing itself from admins is not allowed'));
+ if (req.user.id === req.params.userId && req.body.groupIds.indexOf(constants.ADMIN_GROUP_ID) === -1) return next(new HttpError(409, 'Admin removing itself from admins is not allowed'));
 users.setGroups(req.params.userId, req.body.groupIds, function (error) {
 if (error && error.reason === UsersError.NOT_FOUND) return next(new HttpError(404, 'One or more groups not found'));
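Review bot: The verifyPassword hunk drops a deliberate-looking uniformity: WRONG_PASSWORD and NOT_FOUND used to produce the identical 403 'Password incorrect', and now produce 401 versus 404 'No such user', so a caller can tell the two apart. That is safe here only because the username passed to users.verifyWithUsername is `req.user.username` from the authenticated session rather than anything in the request body, so the NOT_FOUND branch cannot be driven by client input to probe for account existence; that reasoning should be written down next to the new line, e.g. `// NOT_FOUND is not client-controlled (username comes from the session), so a distinct 404 does not enable account enumeration`. It is also worth noting that a NOT_FOUND for the session's own user most likely means a stale session, and a 404 on a password re-check middleware may be handled less gracefully by clients than the 401 branch directly above it. The callback continues outside the hunk.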