GET /_security/api_key?name=any_key returns 200 when no key present

ES Version: 7.15.2 and prior

The /_security/api_key api returns a 200 response code even when the requested key does not exists.

Example:

curl -X GET "https://172.19.18.17:9200/_security/api_key?name=bobs_key" -u elastic:changeme --insecure
{"api_keys":[]}
curl -i -X GET "https://172.19.18.17:9200/_security/api_key?name=bobs_key" -u elastic:changeme --insecure
HTTP/1.1 200 OK
X-elastic-product: Elasticsearch
content-type: application/json; charset=UTF-8
content-length: 15

{"api_keys":[]}

This prevents programmatic determination if a key exists as all queries for implicit or explicit keys by their name return a 200 status code. It should be possible to determine if a key exists by the status code when requesting via the API for a key by name and not relying on parsing a null set.
After the key is created, the response code is the same:

 curl -X GET "https://172.19.18.17:9200/_security/api_key?name=bobs_key" -u elastic:changeme --insecure
{"api_keys":[{"id":"VTRudn0Bwr2FyyO2_JlK","name":"bobs_key","creation":1638369524771,"invalidated":false,"username":"elastic","realm":"reserved","metadata":{}}]}
curl -i -X GET "https://172.19.18.17:9200/_security/api_key?name=bobs_key" -u elastic:changeme --insecure
HTTP/1.1 200 OK
X-elastic-product: Elasticsearch
content-type: application/json; charset=UTF-8
content-length: 161

{"api_keys":[{"id":"VTRudn0blahhh2F2_JlK","name":"bobs_key","creation":1638369524771,"invalidated":false,"username":"elastic","realm":"reserved","metadata":{}}]}[

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.