Rewrite error message for /keys endpoint when mellisearch is run without a master key

[akhildevelops]

GET /keys request fails on missing_authorization_header when Mellisearch is run without masterkey. This error makes sense only if Mellisearch is run with a master key.

Original Error message

{
    "message": "The Authorization header is missing. It must use the bearer authorization method.",
    "code": "missing_authorization_header",
    "type": "auth",
    "link": "https://docs.meilisearch.com/errors#missing_authorization_header"
}

It would easier to understand if the message can be shown as below
Expected Error message

The error message can be:

{
    "message": "Mellisearch is running without Master Key. Set the Master Key by following: https://docs.meilisearch.com/learn/security/master_api_keys.html#protecting-a-meilisearch-instance",
    "code": "no_master_key",
    "type": "auth",
    "link": "https://docs.meilisearch.com/errors#no_master_key"
}

[akhildevelops]

Even the docs suggest to set master key for interacting with Keys. https://docs.meilisearch.com/reference/api/keys.html#keys

[curquiza]

Hello @Enforcer007

Thanks for the suggestion

I think indicating the master key is not set could be really dangerous, but I might be wrong, WDYT @gmourier and @Kerollmops?

[Kerollmops]

We talked about that with @ManyTheFish, and thought that adding an error message that clearly explains the issue here isn't dangerous as an attacker will always try the dangerous routes. An instance without a master key is already running with zero security, so there is no way to make it more insecure.

However, one advantage of having a specific error message is to help the user understand what's wrong. I would see a new error code, missing_master_key, and an error message that looks like the one proposed.

Thank you @Enforcer007 for the proposal 👍

[gmourier]

I agree with @Kerollmops. Do we consider it to be an auth error here? If we consider it, 401 seems more suited than 403 imo.

Thanks, @Enforcer007.

[Kerollmops]

Indeed, I would say that a 401 response code is more suited than a 403 response code when the master key is missing.

[akhildevelops]

Hi @curquiza ,

I think it shouldn't be worrisome as :

• mellisearch will be mostly run in non production environments without setting master key.
• setting master key is enforced when running in a production environment therefore the Expected Error message will never occur.

Expected error message:

The error message can be:

{
    "message": "Mellisearch is running without Master Key. Set the Master Key by following: https://docs.meilisearch.com/learn/security/master_api_keys.html#protecting-a-meilisearch-instance",
    "code": "no_master_key",
    "type": "auth",
    "link": "https://docs.meilisearch.com/errors#no_master_key"
}

[curquiza]

Hello @Enforcer007 @gmourier and @Kerollmops

I moved this discussion to the product side for consistency (definitely a product discussion)
I created the corresponding spec to it: meilisearch/specifications#179

Everyone is welcome to review 😄
Once it will be approved, I will open an issue on Meilisearch side!

[gmourier]

Hey everyone 👋

I'm locking that discussion since it has been implemented with v0.30

Please open a new discussion if it's needed.

Thank you 🙇‍♂️