diff --git a/builtin/credential/approle/path_login.go b/builtin/credential/approle/path_login.go
index 72b7ac352f..ed1bc2ff0c 100644
--- a/builtin/credential/approle/path_login.go
+++ b/builtin/credential/approle/path_login.go
@@ -125,7 +125,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 // RoleID must be supplied during every login
 roleID := strings.TrimSpace(data.Get("role_id").(string))
 if roleID == "" {
- return logical.ErrorResponse("missing role_id"), nil
+ return nil, logical.ErrInvalidCredentials
 }
 // Look for the storage entry that maps the roleID to role
diff --git a/builtin/credential/userpass/path_login.go b/builtin/credential/userpass/path_login.go
index b53953ee83..37fc7fbde5 100644
--- a/builtin/credential/userpass/path_login.go
+++ b/builtin/credential/userpass/path_login.go
@@ -67,7 +67,7 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 password := d.Get("password").(string)
 if password == "" {
- return nil, fmt.Errorf("missing password")
+ return nil, logical.ErrInvalidCredentials
 }
 // Get the user and validate auth
diff --git a/changelog/28441.txt b/changelog/28441.txt
new file mode 100644
index 0000000000..e78ed504af
--- /dev/null
+++ b/changelog/28441.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth: Updated error handling for missing login credentials in AppRole and UserPass auth methods to return a 400 error instead of a 500 error.
+```
diff --git a/vault/external_tests/delegated_auth/delegated_auth_test.go b/vault/external_tests/delegated_auth/delegated_auth_test.go
index c50077ffe5..6eea412ecf 100644
--- a/vault/external_tests/delegated_auth/delegated_auth_test.go
+++ b/vault/external_tests/delegated_auth/delegated_auth_test.go
@@ -327,7 +327,7 @@ func TestDelegatedAuth(t *testing.T) {
 path: "login",
 username: "allowed-est",
 password: "",
- errorContains: "missing password",
+ errorContains: "invalid credentials",
 },
 {
 name: "bad-path-within-delegated-auth-error",
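Review bot: In the approle hunk the removed line returned `logical.ErrorResponse("missing role_id"), nil`, a response-level error rather than a Go error, so this path probably did not produce the 500 that the changelog entry describes. The visible effect here is that the client no longer learns which field was missing. If a uniform credential failure is the intent, say so at the return, e.g. `// Deliberately generic: do not reveal which login field was absent or wrong.`, and confirm the specific reason still reaches server-side logs or audit records for operators. No test in this diff covers the AppRole path; the only updated expectation is the userpass case in delegated_auth_test.go. pathLoginUpdate's body continues outside the hunk.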
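Review bot: The new `return nil, logical.ErrInvalidCredentials` in userpass pathLogin carries no comment explaining why a sentinel replaces the plain `fmt.Errorf`, so a later edit could reintroduce an unclassified error. I would add `// Sentinel error: reported to the client as a bad request rather than an internal server error.` above the return. It is also worth checking that the failures after `// Get the user and validate auth` return the same shape, so that an empty password is not reported differently from a wrong one. That code, like the rest of pathLogin, is outside the hunk.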
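Review bot: The updated case in TestDelegatedAuth pins only the message substring, `errorContains: "invalid credentials"`, while the behaviour the changelog claims is a status change from 500 to 400. If the table's harness exposes the HTTP status or the error value, assert on that as well, since a message match would still pass if the error were mapped to a 500 again. The rest of the table and the code that evaluates `errorContains` are outside the hunk, so how the comparison is done is not visible here.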