This repository has been archived by the owner on Nov 30, 2023. It is now read-only.

Registry returns 403 (Missing Authentication Token) when URL is incomplete #153

Open
rumenvasilev opened this issue Oct 25, 2023 · 3 comments


rumenvasilev commented Oct 25, 2023

Drop any part of the URI path (in the example here, the last bit which is arch) and you get HTTP 403 (forbidden) instead of 400 (bad request). Response body is also misleading. There's no authentication with the registry.

// EDIT, the issue is observed with the module path as well, example here with removed type field -> https://registry.opentofu.org/v1/providers/hashicorp/versions

$ curl -v https://registry.opentofu.org/v1/providers/hashicorp/aws/5.20.1/download/darwin/

*   Trying 18.66.147.95:443...
* Connected to registry.opentofu.org (18.66.147.95) port 443 (#0)
...
> GET /v1/providers/hashicorp/aws/5.20.1/download/darwin/ HTTP/2
> Host: registry.opentofu.org
> User-Agent: curl/8.1.2
> Accept: */*
> 
< HTTP/2 403 
< content-type: application/json
< content-length: 42
< date: Wed, 25 Oct 2023 09:52:23 GMT
< x-amzn-requestid: c1330785-121a-4eaf-b145-4e12088e1a79
< x-amzn-errortype: MissingAuthenticationTokenException
< x-amz-apigw-id: NWjFvEtrjoEEGRQ=
< x-amzn-trace-id: Root=1-6538e557-23ce7bec17f730f66f245a86
< x-cache: Error from cloudfront
< via: 1.1 24fc4e03b1de2a14f79be2422e46a318.cloudfront.net (CloudFront)
< x-amz-cf-pop: FRA60-P4
< x-amz-cf-id: usKvOCbE_rYj-tAVzxlns9n7q6bHnOeavlSFtn-3PFExMm9J6B3vnA==
< 
* Connection #0 to host registry.opentofu.org left intact
{"message":"Missing Authentication Token"}
rumenvasilev changed the title from "Registry returns 403 (Missing Authentication Token) when provider URL is incomplete" to "Registry returns 403 (Missing Authentication Token) when URL is incomplete" on Oct 25, 2023

Yantrio commented Oct 25, 2023

I actually think these should throw a 404 not found, and not a 400.

These errors are thrown directly by AWS API gateway and we should probably configure this correctly to throw a 404.
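
Added example, not part of the original thread and not the registry's own configuration: assuming the registry sits behind an API Gateway REST API (as the `x-amz-apigw-id` and `x-amzn-errortype` headers above suggest), the status and body returned for unmatched paths are controlled by the `MISSING_AUTHENTICATION_TOKEN` gateway response. The resource names, the API name and the response body are constructed; the 404 value follows the comment above, and a 400 would be set the same way.

```hcl
# Hypothetical REST API standing in for the registry's API Gateway; the real
# resource name and definition are not shown in this thread.
resource "aws_api_gateway_rest_api" "registry" {
  name = "registry-example" # constructed name
}

# API Gateway uses the MISSING_AUTHENTICATION_TOKEN gateway response both for
# requests that lack credentials and for requests to a path or method that is
# not defined on the API. With no authorizer configured on any route, only the
# second case can occur, so the default 403 can be remapped.
resource "aws_api_gateway_gateway_response" "unmatched_route" {
  rest_api_id   = aws_api_gateway_rest_api.registry.id
  response_type = "MISSING_AUTHENTICATION_TOKEN"
  status_code   = "404" # assumption: value proposed in the comment above

  # Replace the default {"message":"Missing Authentication Token"} body.
  response_templates = {
    "application/json" = jsonencode({ message = "Not Found" })
  }
}
```

A gateway response change only takes effect once the API is redeployed to its stage. If any route is later given an authorizer, this override would also relabel genuine missing-credential failures on that route.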


rumenvasilev commented Oct 25, 2023

404 would be not found. Which is not what happens here. The request itself is wrong hence my suggestion to switch to 400.

@dylanmtaylor

https://registry.opentofu.org should probably have some sort of informational landing page
