Deleting devices via API works fine if the device exists.
Trying to delete a device via API, which does not exist in Chirpstack, throws the following exception: Grpc.Core.RpcException: Status(StatusCode=“Unauthenticated”, Detail=“”)
This exception message was very irritating for me as it has nothing to do with authentication. Is this the expected behaviour? Is this reproducable for someone else? If so, I would suggest an improvement at this point, p.a throw a Status.Code=NotFound.
What would be the best practice way to check if a device exists prior to a delete attempt?
ChirpStack will first check if you have access to the device (returning Unauthenticated if this step fails)
Then it will delete the device
The issue is with the first step, e.g. it will test if with the given API Key, you have access to the given DevEUI you would like to delete. ChirpStack does not actually check if the device exists at this point. This query results with 0 and you get unauthenticated.
Depending how you look at this, this response might be good or bad. E.g. with this approach ChirpStack is not leaking if a device exists but you have no access to it.
Thanks @brocaar for this insight. I used a tenant API key which results in the described behavior. I only have one tenant, so the described security scenario does not apply for me. My workaround now is to use a network server API key, which throws the NotFound exception when a device does not exist.
Maybe I missed something, but are API behaviours like this one documented somewhere? Otherwise the gRPC exception “Detail” property might be useful to give further insight why this exception is thrown.
@bconway 's suggestion is justified, but on the other hand this message could lead to the illusion that a device with the queried Deveui exists. I would have been similarly irritated.
The question is answered and the topic can be closed.