MarcelSchuermann
Pull Request for Issue #45799

Summary of Changes

Correctly handle 401 Unauthorized errors when calling a webservice API with a wrongly formed token instead of throwing a CRITICAL uncaught 500 server error.

Testing Instructions

  1. Enable the "API Authentication - Token" plugin in a Joomla 5 installation.
  2. Configure a user with an API token, e.g. in Postman.
  3. Make an API request using an Authorization: Bearer header, but provide a token that is deliberately malformed. For example, a token where the algorithm part is invalid (e.g., not-an-algo:123:abc...).
  4. The token can be constructed by base64 encoding a string like [ALGO]:[USER_ID]:[HMAC]. An invalid request can be triggered by using an algorithm that is not sha256 or sha512.

Actual result BEFORE applying this Pull Request

The server responds with a 500 Internal Server Error. The PHP error log shows a CRITICAL error: Uncaught Throwable of type ValueError thrown with message "hash_hmac(): Argument #1 ($algo) must be a valid cryptographic hashing algorithm".

Expected result AFTER applying this Pull Request

Throw a correct error 401 response.

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • [x] No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

richard67 changed the title from "handle 401 Unauthorized error instead of throwing CRITICAL uncaught 500 server" to "[5.4] Handle 401 Unauthorized error instead of throwing CRITICAL uncaught 500 server" on Oct 16, 2025
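
The validation order this pull request describes, as an added example that is not Joomla's plugin code: every field of the decoded `[ALGO]:[USER_ID]:[HMAC]` token is checked before `hash_hmac()` runs, so a malformed token ends in a 401 instead of an uncaught `ValueError`. The function name, the secret, the seed lookup and the data the HMAC is computed over are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; all names here are hypothetical, not Joomla's plugin code.
const ALLOWED_ALGOS = ['sha256', 'sha512'];

/** Return the user id for a valid token, or null (the caller answers 401). */
function userIdFromBearer(string $header, string $secret, callable $seedFor): ?int
{
    if (!preg_match('/^Bearer\s+(\S+)$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);   // strict mode rejects non-base64 input
    if ($decoded === false) {
        return null;
    }
    $parts = explode(':', $decoded);
    if (count($parts) !== 3) {
        return null;
    }
    [$algo, $userId, $mac] = $parts;

    // Allow-list check BEFORE hash_hmac(): an unknown $algo makes it throw ValueError.
    if (!in_array($algo, ALLOWED_ALGOS, true) || !ctype_digit($userId)) {
        return null;
    }
    $seed = $seedFor((int) $userId);         // assumed per-user secret lookup
    if ($seed === null) {
        return null;
    }
    $expected = hash_hmac($algo, $seed, $secret);

    // Constant-time comparison of the expected and presented MAC.
    return hash_equals($expected, $mac) ? (int) $userId : null;
}

// Constructed sample data, for demonstration only.
$secret  = 'constructed-site-secret';
$seedFor = fn (int $id): ?string => $id === 42 ? 'constructed-seed' : null;
$good    = base64_encode('sha256:42:' . hash_hmac('sha256', 'constructed-seed', $secret));
$bad     = base64_encode('not-an-algo:123:abc');

foreach (['good' => $good, 'bad algo' => $bad, 'not base64' => '%%%'] as $label => $token) {
    $status = userIdFromBearer("Bearer $token", $secret, $seedFor) === null ? 401 : 200;
    echo "$label => HTTP $status\n";
}
```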