[PR #4320] [MERGED] Improve ApiAuthException control flow #6342

New Issue

Closed

opened 2026-02-05 10:29:48 +03:00 by OVERLORD · 0 comments

OVERLORD commented 2026-02-05 10:29:48 +03:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/BookStackApp/BookStack/pull/4320
Author: @devdot
Created: 6/16/2023
Status: ✅ Merged
Merged: 6/26/2023
Merged by: @ssddanbrown

Base: development ← Head: improve-api-auth-exception

---

📝 Commits (1)

• 74097bd Simplify ApiAuthException control flow

📊 Changes

3 files changed (+24 additions, -37 deletions)

View changed files

📝 app/Exceptions/ApiAuthException.php (+20 -1)
➖ app/Exceptions/UnauthorizedException.php (+0 -16)
📝 app/Http/Middleware/ApiAuthenticate.php (+4 -20)

📄 Description

First of all, the UnauthorizedException seems to be a strange base class for ApiAuthException, as it implies HTTP 401 but the exceptions are sometimes thrown with 403 instead:

ec775aec02/app/Api/ApiTokenGuard.php (L134-L152)

Further, the ApiAuthenticate middleware catches all exceptions that are thrown by the ApiTokenGuard, only to return a JSON response that is exactly the same as the application exception handler:

ec775aec02/app/Http/Middleware/ApiAuthenticate.php (L15-L25)

unauthorizedResponse will return the same JSON response as the exception handler.

My changes would further simplify the exception return messages for API errors into one place, rather than multiple places that create the standardized JSON response pattern.

The only downside I see is that this change would make the exceptions get logged through the exception logger, which may not be desired (altough that might be an improvement as well, right now there is no logging of failed API access attempts). However, if this exception should not be logged, it could be added here:

ec775aec02/app/Exceptions/Handler.php (L22-L25)

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/BookStackApp/BookStack/pull/4320 **Author:** [@devdot](https://github.com/devdot) **Created:** 6/16/2023 **Status:** ✅ Merged **Merged:** 6/26/2023 **Merged by:** [@ssddanbrown](https://github.com/ssddanbrown) **Base:** `development` ← **Head:** `improve-api-auth-exception` --- ### 📝 Commits (1) - [`74097bd`](https://github.com/BookStackApp/BookStack/commit/74097bd47c050cd3ddd1c3ccf7eef3a20bc463a3) Simplify ApiAuthException control flow ### 📊 Changes **3 files changed** (+24 additions, -37 deletions) <details> <summary>View changed files</summary> 📝 `app/Exceptions/ApiAuthException.php` (+20 -1) ➖ `app/Exceptions/UnauthorizedException.php` (+0 -16) 📝 `app/Http/Middleware/ApiAuthenticate.php` (+4 -20) </details> ### 📄 Description First of all, the `UnauthorizedException` seems to be a strange base class for `ApiAuthException`, as it implies HTTP 401 but the exceptions are sometimes thrown with 403 instead: https://github.com/BookStackApp/BookStack/blob/ec775aec02c0887d5cf2dc23c938a75b7eaf67d2/app/Api/ApiTokenGuard.php#L134-L152 Further, the `ApiAuthenticate` middleware catches all exceptions that are thrown by the `ApiTokenGuard`, only to return a JSON response that is exactly the same as the application exception handler: https://github.com/BookStackApp/BookStack/blob/ec775aec02c0887d5cf2dc23c938a75b7eaf67d2/app/Http/Middleware/ApiAuthenticate.php#L15-L25 [unauthorizedResponse](https://github.com/BookStackApp/BookStack/blob/ec775aec02c0887d5cf2dc23c938a75b7eaf67d2/app/Http/Middleware/ApiAuthenticate.php#L65-L73) will return the same JSON response as [the exception handler](https://github.com/BookStackApp/BookStack/blob/ec775aec02c0887d5cf2dc23c938a75b7eaf67d2/app/Exceptions/Handler.php#L80-L109). My changes would further simplify the exception return messages for API errors into one place, rather than multiple places that create the standardized JSON response pattern. The only downside I see is that this change would make the exceptions get logged through the exception logger, which may not be desired (altough that might be an improvement as well, right now there is no logging of failed API access attempts). However, if this exception should not be logged, it could be added here: https://github.com/BookStackApp/BookStack/blob/ec775aec02c0887d5cf2dc23c938a75b7eaf67d2/app/Exceptions/Handler.php#L22-L25 --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

OVERLORD added the pull-request label 2026-02-05 10:29:48 +03:00

OVERLORD closed this issue 2026-02-05 10:29:51 +03:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

further_theme_development

l10n_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#6342