From 647a0183626042f29834c3b4dd8dbba88a799c4c Mon Sep 17 00:00:00 2001
From: Kagami Sascha Rosylight <saschanaz@outlook.com>
Date: Mon, 27 Feb 2023 10:01:43 +0100
Subject: [PATCH] fix(backend): return HTTP 404 for any unknown api endpoint
 paths (#10130)

* fix(backend): return HTTP 400 for any invalid api endpoint paths

* 404
---
 cypress/e2e/api.cy.js                         | 11 ++++++++++
 .../src/server/api/ApiServerService.ts        | 20 +++++++++++++++++--
 2 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 cypress/e2e/api.cy.js

diff --git a/cypress/e2e/api.cy.js b/cypress/e2e/api.cy.js
new file mode 100644
index 0000000000..00df987bfc
--- /dev/null
+++ b/cypress/e2e/api.cy.js
@@ -0,0 +1,11 @@
+describe('API', () => {
+	it('returns HTTP 404 to unknown API endpoint paths', () => {
+		cy.request({
+			url: '/api/foo',
+			failOnStatusCode: false,
+		}).then((response) => {
+			expect(response.status).to.eq(404);
+			expect(response.body.error.code).to.eq('UNKNOWN_API_ENDPOINT');
+		});
+	});
+});
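Review bot: The test pins the 404 only for a GET to `/api/foo`, yet the commit message promises a 404 for "any unknown api endpoint paths", and the handler it pairs with in ApiServerService is registered with `fastify.get('*', …)`, so the method the endpoints themselves appear to be dispatched on (the `handleRequest` route, presumably POST) is never covered. Adding a second case, `cy.request({ method: 'POST', url: '/api/foo', failOnStatusCode: false })` with the same two expectations, would either prove the guarantee or surface the gap. It would also be worth asserting `response.headers['content-type']` contains `application/json`, since the whole point of the change is that `/api/*` never falls through to the HTML client page.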
diff --git a/packages/backend/src/server/api/ApiServerService.ts b/packages/backend/src/server/api/ApiServerService.ts
index 2b99da01b6..501ce63877 100644
--- a/packages/backend/src/server/api/ApiServerService.ts
+++ b/packages/backend/src/server/api/ApiServerService.ts
@@ -79,7 +79,7 @@ export class ApiServerService {
 						reply.send();
 						return;
 					}
-		
+
 					this.apiCallService.handleMultipartRequest(ep, request, reply);
 				});
 			} else {
@@ -93,7 +93,7 @@ export class ApiServerService {
 						reply.send();
 						return;
 					}
-		
+
 					this.apiCallService.handleRequest(ep, request, reply);
 				});
 			}
@@ -160,6 +160,22 @@ export class ApiServerService {
 			}
 		});
 
+		// Make sure any unknown path under /api returns HTTP 404 Not Found,
+		// because otherwise ClientServerService will return the base client HTML
+		// page with HTTP 200.
+		fastify.get('*', (request, reply) => {
+			reply.code(404);
+			// Mock ApiCallService.send's error handling
+			reply.send({
+				error: {
+					message: 'Unknown API endpoint.',
+					code: 'UNKNOWN_API_ENDPOINT',
+					id: '2ca3b769-540a-4f08-9dd5-b5a825b6d0f1',
+					kind: 'client',
+				},
+			});
+		});
+
 		done();
 	}
 }
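Review bot: The catch-all on the `fastify.get('*', …)` line only matches GET (and the HEAD route Fastify derives from it), so an unknown path reached with any other method — including POST, which the `handleRequest`/`handleMultipartRequest` routes above appear to serve — never reaches this handler and gets whatever fallback Fastify or the client plugin produces, which may be a differently shaped body than the `UNKNOWN_API_ENDPOINT` error the comment advertises. Registering it as `fastify.all('*', (request, reply) => {` makes the 404 body uniform across methods and matches the "any unknown path under /api" intent of the comment. Independently, the error object is a hand-copied mock of ApiCallService.send's error shape (the comment says so); if that helper can be reused here, doing so keeps the `id`/`kind` fields from drifting, though I cannot see its signature from this hunk. The enclosing method starts outside the hunk.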