
SharedSecretAuthenticationProvider returns 500 instead of 401 for auth failures #1421

@michaellwest


Summary

SPE's remoting endpoint (/-/script/script/) returns HTTP 500 for authentication failures that should return 401. This makes it difficult for clients to distinguish auth configuration problems from genuine server errors.

Observed Behavior

| Scenario | Actual Status | Expected Status |
| --- | --- | --- |
| No auth header | 401 | 401 ✓ |
| Wrong shared secret | 500 | 401 |
| Wrong JWT audience | 500 | 401 |
| Valid auth, server error | 500 | 500 ✓ |

When SharedSecretAuthenticationProvider fails to validate the HMAC signature or JWT audience, the exception appears to bubble up unhandled, causing IIS/Sitecore to return a generic 500 rather than a proper 401 Unauthorized.

Impact

  • MCP clients (and any remoting consumer) cannot programmatically distinguish "your secret is wrong" from "the server crashed"
  • Troubleshooting auth issues requires checking Sitecore server logs instead of the HTTP response
  • Automated health checks and connection tests cannot provide targeted diagnostic hints

Suggested Fix

In SharedSecretAuthenticationProvider, catch signature/audience validation failures and return a 401 response with a descriptive message instead of letting the exception propagate. For example:

```csharp
// Instead of throwing on validation failure:
if (!ValidateSignature(token, secret))
{
    // Auth failure is a client problem: answer 401, not a generic 500.
    context.Response.StatusCode = 401;
    context.Response.StatusDescription = "JWT signature validation failed";
    context.Response.End();
    return;
}
```
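The status mapping the table above asks for, written out as an added example (Python, not SPE's own code) so the four scenarios can be exercised offline: an HS256 verifier that turns signature and audience failures into 401 with a descriptive message, while only failures after authentication become 500. The secret, audience and token contents are constructed for the example.

```python
import base64, hashlib, hmac, json

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

class AuthError(Exception):
    """A client-side auth problem: must surface as 401, never as 500."""

def verify_hs256(token, secret, audience):
    """Return the JWT payload, or raise AuthError with a client-facing reason."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise AuthError("malformed token") from exc
    if header.get("alg") != "HS256":
        raise AuthError("unsupported alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise AuthError("JWT signature validation failed")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("aud") != audience:
        raise AuthError("JWT audience mismatch")
    return payload

def handle_request(headers, secret, audience, run_script):
    """Return (status, body): 401 for any auth problem, 500 only after auth succeeded."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing Authorization header"
    try:
        verify_hs256(auth[len("Bearer "):], secret, audience)
    except AuthError as exc:
        return 401, str(exc)
    try:
        return 200, run_script()
    except Exception:  # genuine server-side failure, so 500 is correct here
        return 500, "script execution failed"

def make_token(secret, audience):
    """Mint a constructed HS256 token for the example (hypothetical helper)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": audience}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```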

Environment

  • SPE remoting tested against Sitecore 10.4.1
  • Auth type: SharedSecret (HS256 JWT)
  • Tested via the SPE MCP Server
