backport of commit 7c1a834 (#28464)

Co-authored-by: Luis (LT) Carbonell <[email protected]>
hashicorp · Sep 23, 2024 · bb0ee36 · bb0ee36
1 parent 83b18ff
commit bb0ee36
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 3 deletions.
diff --git a/builtin/credential/approle/path_login.go b/builtin/credential/approle/path_login.go
@@ -125,7 +125,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 	// RoleID must be supplied during every login
 	roleID := strings.TrimSpace(data.Get("role_id").(string))
 	if roleID == "" {
-		return logical.ErrorResponse("missing role_id"), nil
+		return nil, logical.ErrInvalidCredentials
 	}
 
 	// Look for the storage entry that maps the roleID to role

diff --git a/builtin/credential/userpass/path_login.go b/builtin/credential/userpass/path_login.go
@@ -67,7 +67,7 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 
 	password := d.Get("password").(string)
 	if password == "" {
-		return nil, fmt.Errorf("missing password")
+		return nil, logical.ErrInvalidCredentials
 	}
 
 	// Get the user and validate auth

diff --git a/changelog/28441.txt b/changelog/28441.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth: Updated error handling for missing login credentials in AppRole and UserPass auth methods to return a 400 error instead of a 500 error.
+```
diff --git a/vault/external_tests/delegated_auth/delegated_auth_test.go b/vault/external_tests/delegated_auth/delegated_auth_test.go
@@ -327,7 +327,7 @@ func TestDelegatedAuth(t *testing.T) {
 			path:          "login",
 			username:      "allowed-est",
 			password:      "",
-			errorContains: "missing password",
+			errorContains: "invalid credentials",
 		},
 		{
 			name:          "bad-path-within-delegated-auth-error",