Improve Error Handling for Missing Credentials in AppRole and UserPass (#28441)

* Return invalid credentials for missing login parameters (400 vs 500) * Add changelog * Update test
2025-10-29 01:32:33 +00:00 · 2024-09-23 10:55:20 -04:00
parent efd2fb2ae4
commit 7c1a83422b
4 changed files with 6 additions and 3 deletions
--- a/builtin/credential/approle/path_login.go
+++ b/builtin/credential/approle/path_login.go
@@ -125,7 +125,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 	// RoleID must be supplied during every login
 	roleID := strings.TrimSpace(data.Get("role_id").(string))
 	if roleID == "" {
-		return logical.ErrorResponse("missing role_id"), nil
+		return nil, logical.ErrInvalidCredentials
 	}

 	// Look for the storage entry that maps the roleID to role
--- a/builtin/credential/userpass/path_login.go
+++ b/builtin/credential/userpass/path_login.go
@@ -67,7 +67,7 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew

 	password := d.Get("password").(string)
 	if password == "" {
-		return nil, fmt.Errorf("missing password")
+		return nil, logical.ErrInvalidCredentials
 	}

 	// Get the user and validate auth
--- a/changelog/28441.txt
+++ b/changelog/28441.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth: Updated error handling for missing login credentials in AppRole and UserPass auth methods to return a 400 error instead of a 500 error.
+```
--- a/vault/external_tests/delegated_auth/delegated_auth_test.go
+++ b/vault/external_tests/delegated_auth/delegated_auth_test.go
@@ -327,7 +327,7 @@ func TestDelegatedAuth(t *testing.T) {
 			path:          "login",
 			username:      "allowed-est",
 			password:      "",
-			errorContains: "missing password",
+			errorContains: "invalid credentials",
 		},
 		{
 			name:          "bad-path-within-delegated-auth-error",