Feature Request: Return "Unauthorized" when webhook auth token is illegal (instead of "Not Found")

I was using the following webhook API to run GitHub Actions:

POST /repos/{owner}/{repo}/dispatches

This API returns "404 Not Found" when the Authorization token is ill-formed. At first, I didn't understand why I got a 404, since the specified endpoint was correct. If there are no specific reasons, I think "401 Unauthorized" is the proper message for this case :pleading_face:

I think this behavior is somewhat consistent, e.g. there is a private repository https://github.com/github/rest-api-operations, but GitHub gives you a 404 if you're not an authorized member. Could be considered security by obscurity, I suppose?

1 Like

@kenchon,

In most cases, when a user tries to visit a page that he does not have access to on GitHub, he will get a "404 Not Found".
I think we can explain this with the two points below:

  1. GitHub searches the pages within the accessible scopes of the user's token (or the user). If the requested page is not found within the accessible scopes, a "404 Not Found" is returned.

  2. If the requested page is not found within the accessible scopes of the user, it is completely unnecessary to tell the user that the requested page really exists. As @Simran-B mentioned, it may be a security policy to use an obscure message.

2 Likes
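As an added illustration (not GitHub's code; the repository and token names are constructed), here is a model of the two lookup strategies the reply above contrasts: one that checks the token, then existence, then access and so answers differently at each step, and one that searches only within the caller's accessible scope, so a missing repository, someone else's private repository and a bad token all collapse to 404.

```python
# Constructed sample data (not real GitHub repositories or tokens).
# Each repository maps to the set of users who may dispatch workflows on it.
REPOS = {
    "acme/private-ops": {"alice"},
    "acme/tools": {"alice", "bob"},
}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


def dispatch_leaky(token, repo):
    """Check token, then existence, then access: every step answers differently.

    A caller holding any valid token can tell a private repository they cannot
    access (403) apart from one that does not exist (404), so the API acts as
    an existence oracle for private repositories.
    """
    user = TOKENS.get(token)
    if user is None:
        return 401          # bad or malformed token
    if repo not in REPOS:
        return 404          # repository really does not exist
    if user not in REPOS[repo]:
        return 403          # exists, but caller may not dispatch: leaks existence
    return 204


def dispatch_scoped(token, repo):
    """Resolve the repository only within the caller's accessible scope.

    This mirrors point 1 of the reply above: the lookup never sees anything
    outside the scope of the presented token, so there is nothing to leak.
    """
    user = TOKENS.get(token)
    accessible = {name for name, members in REPOS.items() if user in members}
    if repo not in accessible:
        return 404          # missing, inaccessible and bad-token cases are identical
    return 204


def reveals_existence(dispatch, token):
    """True if the handler lets a token holder distinguish a private repository
    they cannot access from one that does not exist."""
    return dispatch(token, "acme/private-ops") != dispatch(token, "acme/does-not-exist")
```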

Thanks for your replies.

Taking that into consideration, IMO a message like "no resources found under your scope" is more balanced in terms of developer-friendliness and security.

Anyway, your comments are really helpful for understanding where the 404 comes from (and that it is consistent behavior across GitHub services).