Fix API auth crash and add more error messages

app/blueprints/api/auth.py

@@ -16,6 +16,7 @@
 
 from flask import request, make_response, jsonify, abort
 from app.models import APIToken
+from .support import error
 from functools import wraps
 
 def is_api_authd(f):
@@ -29,13 +30,13 @@ def is_api_authd(f):
 		elif value[0:7].lower() == "bearer ":
 			access_token = value[7:]
 			if len(access_token) < 10:
-				abort(400)
+				error(400, "API token is too short")
 
 			token = APIToken.query.filter_by(access_token=access_token).first()
 			if token is None:
-				abort(403)
+				error(403, "Unknown API token")
 		else:
-			abort(403)
+			abort(403, "Unsupported authentication method")
 
 		return f(token=token, *args, **kwargs)
 

app/blueprints/api/endpoints.py

@@ -143,19 +143,21 @@ def markdown():
 @is_package_page
 @is_api_authd
 def create_release(token, package):
+	if not token:
+		error(401, "Authentication needed")
+
 	if not package.checkPerm(token.owner, Permission.APPROVE_RELEASE):
-		return error(403, "You do not have the permission to approve releases")
+		error(403, "You do not have the permission to approve releases")
 
 	json = request.json
 	if json is None:
-		return error(400, "JSON post data is required")
+		error(400, "JSON post data is required")
 
 	for option in ["method", "title", "ref"]:
 		if json.get(option) is None:
-			return error(400, option + " is required in the POST data")
+			error(400, option + " is required in the POST data")
-
 
 	if json["method"].lower() != "git":
-		return error(400, "Release-creation methods other than git are not supported")
+		error(400, "Release-creation methods other than git are not supported")
 
 	return handleCreateRelease(token, package, json["title"], json["ref"])

app/blueprints/api/support.py

@@ -1,12 +1,12 @@
 from app.models import PackageRelease, db, Permission
 from app.tasks.importtasks import makeVCSRelease
 from celery import uuid
-from flask import jsonify, make_response, url_for
+from flask import jsonify, abort, url_for
 import datetime
 
 
 def error(status, message):
-	return make_response(jsonify({ "success": False, "error": message }), status)
+	abort(status, jsonify({ "success": False, "error": message }))
 
 
 def handleCreateRelease(token, package, title, ref):

app/flatpages/help/api.md

@@ -9,6 +9,8 @@ Authentication is done using Bearer tokens:
 
 You can use the `/api/whoami` to check authentication.
 
+Tokens can be attained by visiting "API Tokens" on your profile page.
+
 ## Endpoints
 
 ### Misc
@@ -16,7 +18,7 @@ You can use the `/api/whoami` to check authentication.
 * GET `/api/whoami/` - Json dictionary with the following keys:
 	* `is_authenticated` - True on successful API authentication
 	* `username` - Username of the user authenticated as, null otherwise.
-	* 403 will be thrown on unsupported authentication type, invalid access token, or other errors.
+	* 4xx status codes will be thrown on unsupported authentication type, invalid access token, or other errors.
 
 ### Packages