Distinguish between invalid API Key and incorrect TOTP 6-digit code? #148

@forevermatt

Description

For the /totp/{uuid}/validate endpoint, should we distinguish between an invalid API Key (currently set to return a 401 Unauthorized) and an incorrect 6-digit code (currently set to return a 401 Unauthorized)?

I think we have the following situations to consider:

  • No matching API Key found
  • No matching TOTP uuid found in that API Key record
  • Incorrect TOTP code (a.k.a. the 6-digit number)

For an incorrect API Key, 401 seems fitting.

For requests with a valid API Key and an incorrect uuid, I could see a 404 being a possibly good option, though that might (in theory) enable people to discover valid API Keys by trying random values until they get a 404 instead of a 401 (as long as we're not validating the API Secret in any way). That said, there are approx. 10^48 possible values (20 Bytes of random data), so it's unlikely, and we can easily increase the number of Bytes.

For incorrect TOTP codes... I'm not sure what would be a good design. This is the one that really seems like it should be different, even if the other two scenarios both receive a 401.

@fillup / @wcjr / @Baggerone , thoughts?
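As an added illustration (not code from this issue or from the project it discusses), the following Python sketch models the three situations listed above and the 401-vs-404 oracle the post raises: an attacker who can tell "unknown API Key" (401) apart from "valid API Key, unknown uuid" (404) can probe key validity without ever knowing a uuid. It assumes a hypothetical in-memory store, constructed sample key and uuid values, the RFC 6238 test secret so that expected codes are known, and 400 for an incorrect code, which is this example's own choice rather than anything the project has decided.

```python
import base64
import hashlib
import hmac
import struct
import time

# Hypothetical in-memory store for this example: API key -> {TOTP uuid -> base32 secret}.
# The key and uuid are constructed sample values; the secret is the RFC 6238 test secret
# ("12345678901234567890" in base32), so the expected codes come straight from the RFC.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_KEY = "apikey-example-0001"
SAMPLE_UUID = "4c1b9a2e-0000-4000-8000-000000000001"
STORE = {SAMPLE_KEY: {SAMPLE_UUID: RFC6238_SECRET}}


def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 (the common 6-digit, 30-second variant)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(for_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def code_matches(secret_b32, code, now, window):
    """Accept the current step plus `window` steps either side, comparing in constant time."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + i * 30), code)
        for i in range(-window, window + 1)
    )


def validate(api_key, uuid, code, now=None, window=1, distinguish_unknown_uuid=True):
    """Return (status, body) for the /totp/{uuid}/validate endpoint.

    The status choices are this example's assumptions, not the project's decisions:
      401 for an unknown API key; 404 (or 401 when distinguish_unknown_uuid is False)
      for a uuid not under that key; 400 for a wrong code; 200 for a valid code.
    """
    now = time.time() if now is None else now
    record = STORE.get(api_key)
    if record is None:
        return 401, {"message": "Unauthorized"}
    secret = record.get(uuid)
    if secret is None:
        if distinguish_unknown_uuid:
            return 404, {"message": "Not found"}
        return 401, {"message": "Unauthorized"}
    if not code_matches(secret, code, now, window):
        return 400, {"message": "Incorrect code"}
    return 200, {"message": "Valid"}


def key_appears_valid(api_key, distinguish_unknown_uuid=True):
    """Attacker's view of the 401-vs-404 oracle: probe with a uuid that is not in the store."""
    status, _ = validate(api_key, "00000000-0000-0000-0000-000000000000", "000000",
                         now=0, distinguish_unknown_uuid=distinguish_unknown_uuid)
    return status != 401


if __name__ == "__main__":
    print(validate(SAMPLE_KEY, SAMPLE_UUID, "287082", now=59)[0])            # 200
    print(key_appears_valid(SAMPLE_KEY), key_appears_valid("not-a-key"))     # True False
    print(key_appears_valid(SAMPLE_KEY, distinguish_unknown_uuid=False))    # False
```

With `distinguish_unknown_uuid=True` the probe distinguishes a real key from a made-up one using only the status code; collapsing the unknown-uuid case to 401 removes that signal, at the cost of the less specific response the post weighs against it.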

Labels: question