diff --git a/builtin/credential/approle/path_login.go b/builtin/credential/approle/path_login.go
index 72b7ac352f06..ed1bc2ff0c36 100644
--- a/builtin/credential/approle/path_login.go
+++ b/builtin/credential/approle/path_login.go
@@ -125,7 +125,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 // RoleID must be supplied during every login
 roleID := strings.TrimSpace(data.Get("role_id").(string))
 if roleID == "" {
- return logical.ErrorResponse("missing role_id"), nil
+ return nil, logical.ErrInvalidCredentials
 }
 // Look for the storage entry that maps the roleID to role
diff --git a/builtin/credential/userpass/path_login.go b/builtin/credential/userpass/path_login.go
index b53953ee837a..37fc7fbde570 100644
--- a/builtin/credential/userpass/path_login.go
+++ b/builtin/credential/userpass/path_login.go
@@ -67,7 +67,7 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 password := d.Get("password").(string)
 if password == "" {
- return nil, fmt.Errorf("missing password")
+ return nil, logical.ErrInvalidCredentials
 }
 // Get the user and validate auth
diff --git a/changelog/28441.txt b/changelog/28441.txt
new file mode 100644
index 000000000000..e78ed504af22
--- /dev/null
+++ b/changelog/28441.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth: Updated error handling for missing login credentials in AppRole and UserPass auth methods to return a 400 error instead of a 500 error.
+```
diff --git a/vault/external_tests/delegated_auth/delegated_auth_test.go b/vault/external_tests/delegated_auth/delegated_auth_test.go
index c50077ffe5f9..6eea412ecfea 100644
--- a/vault/external_tests/delegated_auth/delegated_auth_test.go
+++ b/vault/external_tests/delegated_auth/delegated_auth_test.go
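Review bot: In approle's pathLoginUpdate the old branch returned `logical.ErrorResponse("missing role_id"), nil`, a response-level error rather than a Go error, so this path does not look like one that produced a 500. What actually changes here is the client-visible message, which the changelog entry does not mention; callers or tooling that match on "missing role_id" will need updating. I would record the intent above the new return, e.g. `// Use the generic sentinel so a missing role_id reads the same as a wrong one.` pathLoginUpdate continues outside the hunk.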
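Review bot: In userpass's pathLogin an empty password now returns the same sentinel as a genuinely failed login, so anything keyed on `logical.ErrInvalidCredentials` would start treating empty-password requests as failed attempts for that username. That could include failed-login counters or user lockout, if the core applies them to this error, which is not visible here. Please confirm that is intended and say so at the return, e.g. `// Counts as a failed login: same sentinel as a wrong password.` Also check that `fmt` is still referenced elsewhere in this file, since an unused import will not compile; the import block and the rest of pathLogin are outside the hunk.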
@@ -327,7 +327,7 @@ func TestDelegatedAuth(t *testing.T) {
 path: "login",
 username: "allowed-est",
 password: "",
- errorContains: "missing password",
+ errorContains: "invalid credentials",
 },
 {
 name: "bad-path-within-delegated-auth-error",
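Review bot: The updated case pins only the message substring (`errorContains: "invalid credentials"`), while the changelog's claim is about the status code moving from 500 to 400. If the table can carry it, assert the response status as well, so a regression to a 500 with the same text would still be caught. The struct definition and the assertion loop are outside the hunk, so I cannot tell whether such a field already exists. The visible diff also has no matching AppRole case for an empty `role_id`, which leaves the first hunk's new branch untested here.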