PUT/PATCH bucket: swap 403/409 to better describe S3 credentials errors

norrisng-bc · norrisng-bc · commit 07cb6829e386 · 2025-05-06T10:51:28.000-07:00
Invalid S3 credentials are better described as "forbidden" (HTTP 403).
Likewise, a mismatch of S3 credentials between what's supplied in the client request and what COMS has in its database is better described as a "conflict" (HTTP 409).

Supporting multiple sets of valid credentials on a bucket at any time is non-trivial (credentials may have varying levels of access), so for now, only allow one set of them at any time.
diff --git a/app/src/controllers/bucket.js b/app/src/controllers/bucket.js
@@ -90,7 +90,7 @@ const controller = {
       log.warn(`Failure to validate bucket credentials: ${e.message}`, {
         function: '_validateCredentials',
       });
-      throw new Problem(409, {
+      throw new Problem(403, {
         detail: 'Unable to validate supplied credentials for the bucket',
       });
     }
@@ -128,7 +128,7 @@ const controller = {
       if (e instanceof UniqueViolationError) {
         // Grant permissions if credentials precisely match
         response = await bucketService.checkGrantPermissions(data).catch(permErr => {
-          next(new Problem(403, { detail: permErr.message, instance: req.originalUrl }));
+          next(new Problem(409, { detail: permErr.message, instance: req.originalUrl }));
         });
       } else {
         next(errorToProblem(SERVICE, e));
diff --git a/app/tests/unit/controllers/bucket.spec.js b/app/tests/unit/controllers/bucket.spec.js
@@ -357,7 +357,7 @@ describe('createBucketChild', () => {
     }));
   });
 
-  it('should return a 409 when bucket can not be validated', async () => {
+  it('should return a 403 when bucket can not be validated', async () => {
     const req = {
       body: { bucketName: 'bucketName', subKey: 'subKey' },
       currentUser: CURRENT_USER,
@@ -404,7 +404,7 @@ describe('createBucketChild', () => {
     }));
 
     expect(next).toHaveBeenCalledTimes(1);
-    expect(next).toHaveBeenCalledWith(new Problem(409, {
+    expect(next).toHaveBeenCalledWith(new Problem(403, {
       detail: 'Unable to validate supplied credentials for the bucket'
     }));
   });
