Sending a REST API request with an invalid OAuth header returns a generic rest-read-denied error. It should return an OAuth-specific error about why the authentication failed. That error is generated in SessionProvider::provideSessionInfo() but that runs too early to throw (the API framework is not set up yet) so it just caches the error and returns an anonymous session. The action API will fetch that error in ApiBeforeMain; the REST framework should do something comparable.
Description
Event Timeline
Restricted Application added a subscriber: Aklapper. (2023-01-23 04:05:59 UTC+0)
Tgr closed this task as a duplicate of T252591: REST API endpoints give confusing errors for invalid OAuth2 access tokens. (2023-01-23 04:07:43 UTC+0)
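The deferred-error pattern the task description asks for, as an added sketch that is not MediaWiki code: the early session step records why authentication failed, and the REST entry point checks that record before falling through to the anonymous permission check. Every class, function, token, user name and status code below is hypothetical except the `rest-read-denied` error key, and the sketch assumes a wiki where anonymous reads are denied.

```php
<?php
// Hypothetical holder for an auth failure noticed before the API framework exists.
final class AuthErrorCache {
    private static ?string $error = null;
    public static function set(string $msg): void { self::$error = $msg; }
    public static function take(): ?string {
        $e = self::$error;
        self::$error = null;            // consume once so it cannot leak into a later request
        return $e;
    }
}

// Constructed validator: one known-good token stands in for real OAuth verification.
function isValidToken(string $token): bool {
    return hash_equals('constructed-good-token', $token);
}

// Early session setup: too early to throw, so cache the reason and return anonymous.
function provideSessionInfo(array $headers): array {
    $auth = $headers['Authorization'] ?? null;
    if ($auth === null) {
        return ['user' => 'anonymous'];             // no OAuth header at all
    }
    if (!preg_match('/^Bearer\s+(\S+)$/', $auth, $m) || !isValidToken($m[1])) {
        AuthErrorCache::set('OAuth authentication failed: invalid access token');
        return ['user' => 'anonymous'];
    }
    return ['user' => 'ExampleUser'];
}

// REST entry point: surface the cached OAuth error before the generic permission check.
function handleRestRequest(array $headers): array {
    $session = provideSessionInfo($headers);
    $error = AuthErrorCache::take();
    if ($error !== null) {
        return ['status' => 401, 'errorKey' => 'example-oauth-error', 'message' => $error];
    }
    if ($session['user'] === 'anonymous') {
        return ['status' => 403, 'errorKey' => 'rest-read-denied'];
    }
    return ['status' => 200, 'user' => $session['user']];
}

// Constructed requests: bad token, no header, good token.
foreach ([['Authorization' => 'Bearer wrong'], [], ['Authorization' => 'Bearer constructed-good-token']] as $h) {
    echo json_encode(handleRestRequest($h)), "\n";
}
```

Without the `AuthErrorCache::take()` check, the first request would fall through to the same `rest-read-denied` response as the second, which is the confusing behaviour the task reports.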