Generally don’t like to question closing a bug, but the reason given for closure doesn’t make sense to me and - if accurate - suggests a security issue.
The core issue here is that under Consul 1.8 an authorized query for a non-existent token yields a 403 (permission denied error) rather than a 404 (not found). The reason given for closing was that this behavior was as designed in order to prevent an indirect means of finding out about tokens.
This doesn’t make sense to me given 1) the query was made using a token with master-level privileges and 2) the returned error message is “ACL not found” (which certainly doesn’t obscure the fact that the token doesn’t exist).
So it seems to me that there is either a problem in that the API is returning a misleading error code, which will require unnecessary and fragile workarounds (catch error, parse message, hope to god the error message never changes), or a security issue, since the absence of the token is leaking.
Thx,
-steve