<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Errors have become less informative in API / CLI Discussion</title>
    <link>https://community.checkpoint.com/t5/API-CLI-Discussion/Errors-have-become-less-informative/m-p/251773#M9125</link>
    <description>&lt;P&gt;Just tested it, yep, exact same issue.&lt;/P&gt;
&lt;P&gt;Andy&lt;/P&gt;</description>
    <pubDate>Mon, 23 Jun 2025 12:36:04 GMT</pubDate>
    <dc:creator>the_rock</dc:creator>
    <dc:date>2025-06-23T12:36:04Z</dc:date>
    <item>
      <title>Errors have become less informative</title>
      <link>https://community.checkpoint.com/t5/API-CLI-Discussion/Errors-have-become-less-informative/m-p/251699#M9120</link>
      <description>&lt;P&gt;I haven't been able to find an error schema anywhere, so I'm in the process of collecting tons of exemplars from different versions. I noticed today that if you specify a bogus domain when logging in on R80.10, it gives you a 400 status code with this body:&lt;/P&gt;
&lt;P&gt;{"code":"generic_error","message":"Runtime error: Domain 'BogusDomain' not found!"}&lt;/P&gt;
&lt;P&gt;Make exactly the same API call on R82 and it gives you a 400 with this body:&lt;/P&gt;
&lt;P&gt;{"code":"err_login_failed","message":"Authentication to server failed."}&lt;/P&gt;
&lt;P&gt;But it gets worse! When you specify that the call against the R82 system should be run in APIv1.1 (R80.10's API version), it still returns R82's less helpful error!&lt;/P&gt;
&lt;P&gt;To be clear: it looks like making a call against a previous API version does not ensure the call is processed the way the previous version processed it.&lt;/P&gt;
&lt;P&gt;If anybody would like to reproduce this independently, here's the code I'm using:&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;apiVersions=("v1" "v1.1" "v1.2" "v1.3" "v1.4" "v1.5" "v1.6" "v1.6.1" "v1.7" "v1.7.1" "v1.8" "v1.8.1" "v1.9" "v1.9.1" "v2" "")
testBody='{"user":"PasswordUser","password":"1qaz!QAZ","domain":"BogusDomain"}'
for apiVersion in "${apiVersions[@]}";do
curl -ksv "https://${server}/web_api/${apiVersion:+/$apiVersion}/login" \
-H "Content-Type:application/json" -d "${testBody}" &amp;gt;curlOut 2&amp;gt;curlErr
&amp;lt;curlErr egrep "^(&amp;lt; HTTP|[^&amp;lt;&amp;gt;*])" \
| egrep -v "^([{}] \[|  Trying)" \
| sed -r 's@&amp;lt; HTTP/1.1 ([0-9]+) .+@(\1, Data("""@'
&amp;lt;curlOut jq -c .
echo -n '""".utf8)),'
echo -e "\t// API${apiVersion:- default version}"
echo ""
done
rm curlErr curlOut&lt;/LI-CODE&gt;</description>
      <pubDate>Fri, 20 Jun 2025 22:53:34 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/API-CLI-Discussion/Errors-have-become-less-informative/m-p/251699#M9120</guid>
      <dc:creator>Bob_Zimmerman</dc:creator>
      <dc:date>2025-06-20T22:53:34Z</dc:date>
    </item>
    <item>
      <title>Re: Errors have become less informative</title>
      <link>https://community.checkpoint.com/t5/API-CLI-Discussion/Errors-have-become-less-informative/m-p/251713#M9121</link>
      <description>&lt;P&gt;100% agreed, at least when using tools like &lt;STRONG&gt;mgmt_cli&lt;/STRONG&gt; to make calls it will generally catch most syntax errors and give you some idea what is wrong. But once you start making direct web API calls all bets are off. The only generic errors returned (with no additional details about the issue returned) for direct API calls are:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;generic_err_invalid_syntax (this one is the real killer)&lt;/LI&gt;
&lt;LI&gt;generic_err_session_expired&lt;/LI&gt;
&lt;LI&gt;generic_err_wrong_session_id&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;When teaching CCAS R81.20 on many occasions there will be a syntax error with a direct API call, and the only way to figure out what is wrong is to look at $FWDIR/log/api.elg or /var/log/gaia_api_server.log, and in rare cases $FWDIR/log/cpm.elg when the call makes it through the API server but then fails when executed by cpm.&lt;/P&gt;
&lt;P&gt;Perhaps useful error messages are being restricted for a session that is not authenticated yet for "security reasons"?&lt;/P&gt;</description>
      <pubDate>Sat, 21 Jun 2025 13:30:41 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/API-CLI-Discussion/Errors-have-become-less-informative/m-p/251713#M9121</guid>
      <dc:creator>Timothy_Hall</dc:creator>
      <dc:date>2025-06-21T13:30:41Z</dc:date>
    </item>
    <item>
      <title>Re: Errors have become less informative</title>
      <link>https://community.checkpoint.com/t5/API-CLI-Discussion/Errors-have-become-less-informative/m-p/251735#M9123</link>
      <description>&lt;P&gt;I will try to test this in my R82 lab Monday.&lt;/P&gt;
&lt;P&gt;Andy&lt;/P&gt;</description>
      <pubDate>Sun, 22 Jun 2025 22:41:02 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/API-CLI-Discussion/Errors-have-become-less-informative/m-p/251735#M9123</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2025-06-22T22:41:02Z</dc:date>
    </item>
    <item>
      <title>Re: Errors have become less informative</title>
      <link>https://community.checkpoint.com/t5/API-CLI-Discussion/Errors-have-become-less-informative/m-p/251773#M9125</link>
      <description>&lt;P&gt;Just tested it, yep, exact same issue.&lt;/P&gt;
&lt;P&gt;Andy&lt;/P&gt;</description>
      <pubDate>Mon, 23 Jun 2025 12:36:04 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/API-CLI-Discussion/Errors-have-become-less-informative/m-p/251773#M9125</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2025-06-23T12:36:04Z</dc:date>
    </item>
    <item>
      <title>Re: Errors have become less informative</title>
      <link>https://community.checkpoint.com/t5/API-CLI-Discussion/Errors-have-become-less-informative/m-p/251790#M9126</link>
      <description>&lt;P&gt;I get it, since telling someone that 2 out of 3 parts of their login request are correct narrows the problem space for an attacker.&lt;/P&gt;
&lt;P&gt;That said, errors are part of an API contract. Changing them without changing the version number makes version numbers worthless. There are now at least two incompatible versions of the management API which both call themselves "v1.1".&lt;/P&gt;
&lt;P&gt;The right approach would have been to stop claiming to support version 1.1 when the errors were changed.&lt;/P&gt;</description>
      <pubDate>Mon, 23 Jun 2025 16:23:02 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/API-CLI-Discussion/Errors-have-become-less-informative/m-p/251790#M9126</guid>
      <dc:creator>Bob_Zimmerman</dc:creator>
      <dc:date>2025-06-23T16:23:02Z</dc:date>
    </item>
    <item>
      <title>Re: Errors have become less informative</title>
      <link>https://community.checkpoint.com/t5/API-CLI-Discussion/Errors-have-become-less-informative/m-p/253856#M9154</link>
      <description>&lt;P&gt;Checked the login to a Bogus Domain with a Python script on R81.20 and R82 both with the recommended HF versions. It seems to be uniform responses now, except API version 1:&lt;/P&gt;
&lt;P&gt;Here is R81.20:&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;Checked all suppported API versions on HOTFIX_R81_20_JUMBO_HF_MAIN Take: 105:

+---------+-------------+------------------+----------------------------------+
| Version | Status Code |       Code       |             Message              |
+---------+-------------+------------------+----------------------------------+
|    1    |     500     |  generic_error   | Authentication to server failed. |
|   1.1   |     400     | err_login_failed | Authentication to server failed. |
|   1.2   |     400     | err_login_failed | Authentication to server failed. |
|   1.3   |     400     | err_login_failed | Authentication to server failed. |
|   1.4   |     400     | err_login_failed | Authentication to server failed. |
|   1.5   |     400     | err_login_failed | Authentication to server failed. |
|   1.6   |     400     | err_login_failed | Authentication to server failed. |
|  1.6.1  |     400     | err_login_failed | Authentication to server failed. |
|   1.7   |     400     | err_login_failed | Authentication to server failed. |
|  1.7.1  |     400     | err_login_failed | Authentication to server failed. |
|   1.8   |     400     | err_login_failed | Authentication to server failed. |
|  1.8.1  |     400     | err_login_failed | Authentication to server failed. |
|   1.9   |     400     | err_login_failed | Authentication to server failed. |
|  1.9.1  |     400     | err_login_failed | Authentication to server failed. |
+---------+-------------+------------------+----------------------------------+

Default API version: 1.9.1&lt;/LI-CODE&gt;
&lt;P&gt;...and R82:&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;Checked all suppported API versions on HOTFIX_R82_JUMBO_HF_MAIN Take: 33:

+---------+------------------+------------------+----------------------------------+
| Version | HTTP Status Code |    Error Code    |          Error Message           |
+---------+------------------+------------------+----------------------------------+
|    1    |       500        |  generic_error   | Authentication to server failed. |
|   1.1   |       400        | err_login_failed | Authentication to server failed. |
|   1.2   |       400        | err_login_failed | Authentication to server failed. |
|   1.3   |       400        | err_login_failed | Authentication to server failed. |
|   1.4   |       400        | err_login_failed | Authentication to server failed. |
|   1.5   |       400        | err_login_failed | Authentication to server failed. |
|   1.6   |       400        | err_login_failed | Authentication to server failed. |
|  1.6.1  |       400        | err_login_failed | Authentication to server failed. |
|   1.7   |       400        | err_login_failed | Authentication to server failed. |
|  1.7.1  |       400        | err_login_failed | Authentication to server failed. |
|   1.8   |       400        | err_login_failed | Authentication to server failed. |
|  1.8.1  |       400        | err_login_failed | Authentication to server failed. |
|   1.9   |       400        | err_login_failed | Authentication to server failed. |
|  1.9.1  |       400        | err_login_failed | Authentication to server failed. |
|    2    |       400        | err_login_failed | Authentication to server failed. |
+---------+------------------+------------------+----------------------------------+

Default API version: 2&lt;/LI-CODE&gt;
</description>
      <pubDate>Thu, 24 Jul 2025 08:57:23 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/API-CLI-Discussion/Errors-have-become-less-informative/m-p/253856#M9154</guid>
      <dc:creator>Daniel_Kuhl1</dc:creator>
      <dc:date>2025-07-24T08:57:23Z</dc:date>
    </item>
  </channel>
</rss>

