
No route found - exposing too much information? #582

Closed
jonasao opened this issue Oct 26, 2017 · 1 comment

Comments


jonasao commented Oct 26, 2017

By mistake, I tried to authenticate against a route in our application that did not exist, and was a bit "overwhelmed" by the response.

To me it seems that the information returned by the Chalice app contains too much information.
As I tried to authenticate using an Authorization Bearer token, the complete token was "echoed" back along with several indicators of what I might have been doing wrong.

Example (wrapped for readability reasons):

{
    "message": "Authorization header requires 'Credential' parameter. 
      Authorization header requires 'Signature' parameter. 
      Authorization header requires 'SignedHeaders' parameter. 
      Authorization header requires existence of either a 'X-Amz-Date' or a 'Date' header. 
      Authorization=Bearer ey....nfg"
}

Wouldn't it have been easier just to tell the user that "..the requested route does not exist"?

Traced this to the LocalGateway.handle_request() method. I see that this is supposed to mirror the behavior of the API Gateway, which returns an even worse response. Would it be possible to override this and only return a simple message, and the more detailed one if the Chalice app is running in debug mode?

Steps to reproduce:

  1. Configure a route, e.g. ..../users/{id}
  2. Configure the route such that it accepts an empty id value.
  3. Request the route with id - works as expected
  4. Request the route without id - works as expected
  5. Request the route .../users (without the trailing slash) - returns the message mentioned above.
@JordonPhillips (Member)

Thanks for reporting! Your reproduction steps were very helpful, I was able to easily reproduce your second issue. We should definitely update to be more consistent with apigateway in that regard. Here's a full sample that reproduces it:

from chalice import Chalice

app = Chalice(app_name='routing')


@app.route('/users/{user_id}')
def get_user(user_id):
    if user_id:
        return {'id': user_id}
    return {'id': None}

Then I made calls to apigateway after I deployed:

> http $(chalice url)/users
HTTP/1.1 403 Forbidden
Content-Length: 42
Content-Type: application/json
Date: Fri, 27 Oct 2017 19:21:46 GMT
Via: 1.1 fb9b30d0bac34e91aef1c344524376e1.cloudfront.net (CloudFront)
X-Amz-Cf-Id: OWNlHHenFllsa-M8Yq3pnu0sTuYgJx4EiDpM_DqznWQkyDD2SJFYRA==
X-Cache: Error from cloudfront
x-amzn-ErrorType: MissingAuthenticationTokenException
x-amzn-RequestId: 13034731-bb4c-11e7-a14d-65649fab737d

{
    "message": "Missing Authentication Token"
}

> http $(chalice url)/users/
HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Length: 42
Content-Type: application/json
Date: Fri, 27 Oct 2017 19:21:50 GMT
Via: 1.1 b08d3fd1ea7c0f4b62f5adbb976ab099.cloudfront.net (CloudFront)
X-Amz-Cf-Id: uP6yuuZIVE3G-t2Ha_fbsD1XcOYltTmrBMQXVgqCEewapc-DykbY4Q==
X-Cache: Error from cloudfront
x-amzn-ErrorType: MissingAuthenticationTokenException
x-amzn-RequestId: 15362cb5-bb4c-11e7-902c-45cb034b784f

{
    "message": "Missing Authentication Token"
}

Then the calls to chalice local:

> http localhost:8000/users
HTTP/1.1 403 Forbidden
Content-Length: 43
Content-Type: application/json
Date: Fri, 27 Oct 2017 19:23:40 GMT
Server: BaseHTTP/0.6 Python/3.6.2
x-amzn-ErrorType: UnauthorizedException
x-amzn-RequestId: 8fdb0f2a-b930-4eee-a6ce-c57a5d556ecf

{
    "message": "Missing Authentication Token"
}

> http localhost:8000/users/
HTTP/1.1 200 OK
Content-Length: 12
Content-Type: application/json
Date: Fri, 27 Oct 2017 19:23:47 GMT
Server: BaseHTTP/0.6 Python/3.6.2

{
    "id": null
}

As for the verbosity of the error message, I would prefer that we keep it as close to apigateway's behavior as possible. That said, we should probably look into supporting custom gateway responses, which would let you do that. We'll need to think about exactly how we want to expose those.

stealthycoin added a commit to stealthycoin/chalice that referenced this issue Oct 31, 2017
API Gateway will not match a URI against a route that has a capture
group as the last path component if that capture group would be filled
with an empty string. Example:

With the route:
/resource/{name}

/resource/bob matches
/resource/    does not match

Previously local mode would match both URIs to that route, setting the
name parameter to an empty string.

closes aws#582
stealthycoin added a commit to stealthycoin/chalice that referenced this issue Nov 4, 2017
API Gateway will not match a URI against a route that has a capture
group as the last path component if that capture group would be filled
with an empty string. Example:

With the route:
/resource/{name}

/resource/bob matches
/resource/    does not match

Previously local mode would match both URIs to that route, setting the
name parameter to an empty string.

closes aws#582

This change also prevents `chalice local` from running if there is a
route that ends with a / since `chalice deploy` will not let you deploy
such routes.
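The matching rule described in the commit messages above, as an added example that is not Chalice's own code: a trailing `{capture}` must not match an empty string, route definitions ending in `/` are rejected up front, and an unmatched path gets the fixed API Gateway-style 403 body without reflecting any request header (the original report's concern). The `strict=False` switch reproduces the old local-mode matching for contrast; the single `/users/{user_id}` route and the `user_id` parameter name are assumed from JordonPhillips's sample app.

```python
import re
from typing import Optional

# Example code, not Chalice's own implementation: a route matcher that
# mirrors the API Gateway rule described in this issue (a trailing `{capture}`
# never matches an empty string), the pre-fix local-mode behaviour for
# contrast, and a fixed 403 body that does not echo request headers.

_CAPTURE = re.compile(r'\{([A-Za-z_][A-Za-z0-9_]*)\}')

def validate_route(route: str) -> None:
    """Reject route definitions ending in '/', as `chalice deploy` does."""
    if route != '/' and route.endswith('/'):
        raise ValueError("route must not end with '/': %r" % route)

def _route_regex(route: str, strict: bool):
    # strict=True: each capture needs at least one character (API Gateway).
    # strict=False: captures may be empty (the old `chalice local` behaviour).
    seg = '[^/]+' if strict else '[^/]*'
    parts, pos = [], 0
    for m in _CAPTURE.finditer(route):
        parts.append(re.escape(route[pos:m.start()]))
        parts.append('(?P<%s>%s)' % (m.group(1), seg))
        pos = m.end()
    parts.append(re.escape(route[pos:]))
    return re.compile('^' + ''.join(parts) + '$')

def match_route(route: str, path: str, strict: bool = True) -> Optional[dict]:
    """Captured path parameters if `path` matches `route`, else None."""
    validate_route(route)
    m = _route_regex(route, strict).match(path)
    return m.groupdict() if m else None

def gateway_response(route: str, path: str, headers: dict) -> tuple:
    """Status and JSON body for one request. Unmatched paths get the fixed
    API Gateway-style 403; `headers` is deliberately never reflected."""
    params = match_route(route, path)
    if params is None:
        return 403, {'message': 'Missing Authentication Token'}
    return 200, {'id': params.get('user_id')}

if __name__ == '__main__':
    # Constructed sample request carrying a bearer token that must not leak.
    hdrs = {'Authorization': 'Bearer eyJ.constructed.token'}
    for p in ('/users/bob', '/users/', '/users'):
        print(p, gateway_response('/users/{user_id}', p, hdrs))
```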
stealthycoin added three more commits to stealthycoin/chalice that referenced this issue Nov 6, 2017, each with the same commit message as above.