fix(daemon): Return 404 if alias interceptor ResolveRequestIds fails (#5006)

internal/daemon/controller/interceptor.go

@@ -393,16 +393,10 @@ func aliasResolutionInterceptor(
 		}
 		interceptorCtx, err = alias.ResolveRequestIds(interceptorCtx, reqMsg, r)
 		if err != nil {
-			// Since this is intercepted prior to checking that the requester
-			// is authorized to make the request, returning a 404 here and a 401
-			// when the request is checked in the handler would expose which
-			// aliases exist. Instead, we return a unauthenticated error here so there
-			// is no way to distinguish between a missing alias and an existing
-			// alias that points to a destination the requester is not allowed
-			// to perform an action on.
-			// handlers.UnauthenticatedError() turns into an http 401 status
-			// code "Unauthorized".
-			return nil, handlers.UnauthenticatedError()
+			// At this point, the request is unauthorized, therefore return a
+			// static error rather than exposing what the result of
+			// `ResolveRequestIds` was.
+			return nil, handlers.NotFoundError()
 		}
 		return handler(interceptorCtx, req)
 	}

internal/daemon/controller/interceptor_test.go

@@ -726,13 +726,13 @@ func Test_aliasResolutionInterceptor(t *testing.T) {
 			name:            "aliasable request with unknown alias",
 			req:             &pbs.GetTargetRequest{Id: "not.a.registered.alias"},
 			wantModifiedReq: &pbs.GetTargetRequest{Id: "not.a.registered.alias"},
-			errorIs:         handlers.UnauthenticatedError(),
+			errorIs:         handlers.NotFoundError(),
 		},
 		{
 			name:            "aliasable request with destinationless alias",
 			req:             &pbs.GetTargetRequest{Id: alWithoutDest.GetValue()},
 			wantModifiedReq: &pbs.GetTargetRequest{Id: alWithoutDest.GetValue()},
-			errorIs:         handlers.UnauthenticatedError(),
+			errorIs:         handlers.NotFoundError(),
 		},
 	}
 	for _, tc := range cases {

internal/tests/api/targets/target_test.go

@@ -685,12 +685,12 @@ func TestCrud(t *testing.T) {
 		assert.EqualValues(http.StatusNotFound, apiErr.Response().StatusCode())
 	})
 
-	t.Run("deleting unknown alias is unauthorized", func(t *testing.T) {
+	t.Run("deleting unknown alias is not found", func(t *testing.T) {
 		_, err = tarClient.Delete(tc.Context(), al.GetValue())
 		assert.Error(err)
 		apiErr := api.AsServerError(err)
 		assert.NotNil(apiErr)
-		assert.EqualValues(http.StatusUnauthorized, apiErr.Response().StatusCode())
+		assert.EqualValues(http.StatusNotFound, apiErr.Response().StatusCode())
 	})
 }
 
@@ -750,7 +750,7 @@ func TestSet_Errors(t *testing.T) {
 	require.Error(err)
 	apiErr = api.AsServerError(err)
 	assert.NotNil(apiErr)
-	assert.EqualValues(http.StatusUnauthorized, apiErr.Response().StatusCode())
+	assert.EqualValues(http.StatusNotFound, apiErr.Response().StatusCode())
 
 	// reading by alias with no destination id should fail
 	rw := db.New(tc.DbConn())
@@ -759,8 +759,7 @@ func TestSet_Errors(t *testing.T) {
 	require.Error(err)
 	apiErr = api.AsServerError(err)
 	assert.NotNil(apiErr)
-	assert.EqualValues(http.StatusUnauthorized, apiErr.Response().StatusCode())
-	noAliasApiErrReponse := apiErr.Response()
+	assert.EqualValues(http.StatusNotFound, apiErr.Response().StatusCode())
 
 	client.SetToken("at_1234567890_madeupinvalidtoken")
 	tarClient = targets.NewClient(client)
@@ -768,9 +767,6 @@ func TestSet_Errors(t *testing.T) {
 	apiErr = api.AsServerError(err)
 	assert.NotNil(apiErr)
 	assert.EqualValues(http.StatusUnauthorized, apiErr.Response().StatusCode())
-	// We should not be able to tell the difference between an unauthorized request
-	// and a request that tries to resolve an alias that points to nothing.
-	assert.EqualValues(noAliasApiErrReponse.Body, apiErr.Response().Body)
 }
 
 func TestCreateTarget_WhitespaceInAddress(t *testing.T) {