[#46305] - [5.4] Handle 401 Unauthorized error instead of throwing CRITICAL uncaught 500 server
- Fixed in Code Base
- 23 Oct 2025
- Medium
- Build: 5.4-dev
- # 46305
- Diff
- MarcelSchuermann:fix/45799-API-token-auth-fatal-error-on-invalid-token
User tests: Successful: Unsuccessful:
Pull Request for Issue #45799
Summary of Changes
Correctly handle 401 Unauthorized errors when calling a webservice API with a wrong formed token instead of throwing a CRITICAL uncaught 500 server error.
Testing Instructions
- Enable the "API Authentication - Token" plugin in a Joomla 5 installation.
- Configure a user with an API token f.e. in Postman.
- Make an API request using an Authorization: Bearer header, but provide a token that is deliberately malformed. For example, a token where the algorithm part is invalid (e.g., not-an-algo:123:abc...).
- The token can be constructed by base64 encoding a string like [ALGO]:[USER_ID]:[HMAC]. An invalid request can be triggered by using an algorithm that is not sha256 or sha512.
Actual result BEFORE applying this Pull Request
The server responds with a 500 Internal Server Error. The PHP error log shows a CRITICAL error: Uncaught Throwable of type ValueError thrown with message "hash_hmac(): Argument #1 ($algo) must be a valid cryptographic hashing algorithm".
Expected result AFTER applying this Pull Request
throw a correct error 401 response.
Link to documentations
Please select:
-
Documentation link for docs.joomla.org:
-
[x ] No documentation changes for docs.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Front End Plugins |
| Title |
|
||||||
| Labels |
Added:
PR-5.4-dev
|
||
| Labels |
Added:
Webservices
|
||
I have tested this item ✅ successfully on 69203be
Tested JBT, PHP 8.4.13
- Correct token – HTTP status 200 OK
TOKEN=c2hhMjU2OjE4OTo0NjFiZjIyMDE2NDM4NjFlYWIyMTIwZmU3OTM1NGU5NzJlNzM2MTJmNDZhYmRhOTRlNzZlYmQyMGE4NzU0MjMx
curl --header "X-Joomla-Token:$TOKEN" 'http://localhost:7054/api/index.php/v1/content/articles'
- empty token – 401 Forbidden
- non-base64 string – 401 Forbidden
hello
- wrong algo – 500 Internal Server Error
echo $TOKEN | base64 --decode | sed s/sha256/sha257/ | base64
- wrong user id – 401 Forbidden
echo $TOKEN | base64 --decode | sed s/189/123/ | base64
- empty HMAC – 401 Forbidden
echo sha256:189: | base64
- wrong HMAC – 401 Forbidden
echo sha256:189:4711 | base64
- Applied PR with Patchtester
- Retested all cases, correct token is still working with 200, all others are now 401 Forbidden
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46305.
- Retested all cases, correct token is still working with 200, all others are now 401 Forbidden
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46305.
| Labels |
Added:
RTC
|
||
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2025-10-23 14:45:42 |
| Closed_By | ⇒ | richard67 |
Thanks @MarcelSchuermann for that fix, and @alikon and @muhme for testing.
I have tested this item ✅ successfully on c7ba4f6
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46305.