feat: Return more 404s vs 403s

Emyrk · Emyrk · commit a92f132f9880 · 2022-06-08T18:45:20.000-05:00
diff --git a/coderd/files.go b/coderd/files.go
@@ -86,7 +86,9 @@ func (api *API) fileByHash(rw http.ResponseWriter, r *http.Request) {
 	}
 	file, err := api.Database.GetFileByHash(r.Context(), hash)
 	if errors.Is(err, sql.ErrNoRows) {
-		httpapi.Forbidden(rw)
+		httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
+			Message: fmt.Sprintf("File %q not found.", hash),
+		})
 		return
 	}
 	if err != nil {
diff --git a/coderd/parameters.go b/coderd/parameters.go
@@ -223,7 +223,9 @@ func (api *API) parameterRBACResource(rw http.ResponseWriter, r *http.Request, s
 	// Write error payload to rw if we cannot find the resource for the scope
 	if err != nil {
 		if xerrors.Is(err, sql.ErrNoRows) {
-			httpapi.Forbidden(rw)
+			httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
+				Message: fmt.Sprintf("Scope %q resource %q not found.", scope, scopeID),
+			})
 		} else {
 			httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
 				Message: err.Error(),
diff --git a/coderd/templateversions.go b/coderd/templateversions.go
@@ -351,7 +351,9 @@ func (api *API) fetchTemplateVersionDryRunJob(rw http.ResponseWriter, r *http.Re
 
 	job, err := api.Database.GetProvisionerJobByID(r.Context(), jobUUID)
 	if xerrors.Is(err, sql.ErrNoRows) {
-		httpapi.Forbidden(rw)
+		httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
+			Message: fmt.Sprintf("Provisioner job %q not found.", jobUUID),
+		})
 		return database.ProvisionerJob{}, false
 	}
 	if err != nil {
diff --git a/coderd/users.go b/coderd/users.go
@@ -604,13 +604,16 @@ func (api *API) organizationByUserAndName(rw http.ResponseWriter, r *http.Reques
 	organizationName := chi.URLParam(r, "organizationname")
 	organization, err := api.Database.GetOrganizationByName(r.Context(), organizationName)
 	if errors.Is(err, sql.ErrNoRows) {
-		// Return unauthorized rather than a 404 to not leak if the organization
-		// exists.
-		httpapi.Forbidden(rw)
+		httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
+			Message: fmt.Sprintf("Organization %q not found.", organizationName),
+		})
 		return
 	}
 	if err != nil {
-		httpapi.Forbidden(rw)
+		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+			Message: "Internal error fetching organization.",
+			Detail:  err.Error(),
+		})
 		return
 	}
 
diff --git a/coderd/workspaces.go b/coderd/workspaces.go
@@ -192,8 +192,9 @@ func (api *API) workspaceByOwnerAndName(rw http.ResponseWriter, r *http.Request)
 		})
 	}
 	if errors.Is(err, sql.ErrNoRows) {
-		// Do not leak information if the workspace exists or not
-		httpapi.Forbidden(rw)
+		httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
+			Message: fmt.Sprintf("Workspace %q not found.", workspaceName),
+		})
 		return
 	}
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,9 @@ func (api API) fileByHash(rw http.ResponseWriter, r http.Request) {`
`86`	`86`	`}`
`87`	`87`	`file, err := api.Database.GetFileByHash(r.Context(), hash)`
`88`	`88`	`if errors.Is(err, sql.ErrNoRows) {`
`89`		`- httpapi.Forbidden(rw)`
	`89`	`+ httpapi.Write(rw, http.StatusNotFound, httpapi.Response{`
	`90`	`+ Message: fmt.Sprintf("File %q not found.", hash),`
	`91`	`+ })`
`90`	`92`	`return`
`91`	`93`	`}`
`92`	`94`	`if err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -192,8 +192,9 @@ func (api API) workspaceByOwnerAndName(rw http.ResponseWriter, r http.Request)`
`192`	`192`	`})`
`193`	`193`	`}`
`194`	`194`	`if errors.Is(err, sql.ErrNoRows) {`
`195`		`- // Do not leak information if the workspace exists or not`
`196`		`- httpapi.Forbidden(rw)`
	`195`	`+ httpapi.Write(rw, http.StatusNotFound, httpapi.Response{`
	`196`	`+ Message: fmt.Sprintf("Workspace %q not found.", workspaceName),`
	`197`	`+ })`
`197`	`198`	`return`
`198`	`199`	`}`
`199`	`200`	`if err != nil {`