Sending a PUT request on a Trello board endpoint with a missing token returns a 400 Bad Request instead of a 401 Unauthorized


    • Severity 3 - Minor

      Issue Summary

      When sending a PUT request to https://api.trello.com/1/boards/{boardId} with the token parameter missing and an invalid board ID, the API validates the board ID before checking authentication. This results in a 400 Bad Request: invalid id response, when the expected behavior would be to validate authentication first and return a 401 Unauthorized error due to the missing token.

      In order to fix this scenario, we recommend that the following validation order be executed for Trello API endpoints:

      1. Authorization
      2. ID
      3. QueryParam/Body/Payload
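      As an added illustration (not Trello's own code), the handler for PUT /1/boards/{boardId} modelled as an ordered pipeline of checks, so the order observed in this report and the recommended order can be compared directly; the token store, the ID pattern and the board store are constructed placeholders.

```python
# Added illustration, not Trello's code: PUT /1/boards/{boardId} as an
# ordered list of checks. Each check returns (status, body) on failure
# or None on success; the first failure is the response.
# Token values, the id pattern and the board store are constructed placeholders.
import re

VALID_TOKENS = {"tok_constructed_example"}        # constructed token store
BOARD_ID_RE = re.compile(r"[0-9a-f]{24}")         # assumption: 24 hex chars
KNOWN_BOARDS = {"5f1e2d3c4b5a697887654321"}       # constructed board id


def check_auth(board_id, params):
    if params.get("token") not in VALID_TOKENS:
        return 401, "unauthorized"


def check_id(board_id, params):
    if not BOARD_ID_RE.fullmatch(board_id) or board_id not in KNOWN_BOARDS:
        return 400, "invalid id"


def check_payload(board_id, params):
    if not params.get("name"):
        return 400, "invalid value for name"


def run_checks(order, board_id, params):
    """Run the checks in the given order; return the first failure, else 200."""
    for check in order:
        result = check(board_id, params)
        if result is not None:
            return result
    return 200, "ok"


# Order observed in the report: the ID is validated before the token.
REPORTED_ORDER = [check_id, check_auth, check_payload]
# Order the report recommends: authorization, then ID, then payload.
RECOMMENDED_ORDER = [check_auth, check_id, check_payload]


def put_board(order, board_id, params):
    return run_checks(order, board_id, params)


if __name__ == "__main__":
    no_token = {"key": "apikey_constructed", "name": "TestBoard"}
    # Reported behaviour: 400 "invalid id" although the token is missing.
    print(put_board(REPORTED_ORDER, "not-a-board-id", no_token))
    # Recommended order: 401 whatever id is supplied.
    print(put_board(RECOMMENDED_ORDER, "not-a-board-id", no_token))
```

      With the recommended order the status returned to a request without a token does not depend on the board ID, which is the property the report asks for.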

      Steps to Reproduce

      1. Obtain a valid Trello API Key (no token).
      2. Send a PUT request to the boards endpoint using an invalid board ID and only the API Key: PUT https://api.trello.com/1/boards/<invalid_board_id>?key={apiKey}&name=TestBoard
      3. Observe the response status and body.

      This issue is also reproducible for other endpoints that require a board or card ID as a parameter.


      Expected Results

      The API should first validate authentication and return an HTTP 401 Unauthorized response.

      Actual Results

      The API validates the board ID before checking for a valid token and returns:

      HTTP 400 Bad Request
      "invalid id"

      Workaround

      None. Ensure both a valid API Key and Token are always provided in requests to avoid hitting this validation order issue.

              Assignee:
              Unassigned
              Reporter:
              Alisson Dalmago