feat: Better warning for expired API Key

[bbernays]

Summary

---

Use the following steps to ensure your PR is ready to be reviewed

• Read the contribution guidelines 🧑‍🎓
• Run go fmt to format your code 🖊
• Lint your changes via golangci-lint run 🚨 (install golangci-lint here)
• Update or add tests 🧪
• Ensure the status checks below are successful ✅

[hermanschaaf]

I think you could also get a 403 if it's invalid, so maybe we can say

API Key invalid or may have expired. Please see the CloudQuery Console for details.

Better would be to return a specific message from the API if it has expired, and then telling the user so, but this would already be an improvement

[bbernays]

Agreed, That a server side message would be the best. But this at least gives users an initial troubleshooting step

[bbernays]

I'm also unsure of the security implications of revealing whether the key is valid/invalid/expired. I am not aware of any other APIs that will tell you if the the credentials are valid, but expired

[bbernays]

If the API key is invalid (ie they typed it in wrong or added an extra space) looking at the console doesn't tell them anything

[hermanschaaf]

I have seen other APIs that will tell you it's expired. I think it's okay, there's nothing an attacker can do with it anyway, and it's 99.9% of the time going to be useful to the legitimate owner to get that message

[disq]

https://github.com/cloudquery/cloud/blob/b830bf0f69a3e070b9ace1556f03e79d30eaf034/cloud/internal/server/middleware/auth.go#L142-L145 (internal link)

[bbernays]

So it seems like we already have a custom error message for expired tokens https://github.com/cloudquery/cloud/blob/b830bf0f69a3e070b9ace1556f03e79d30eaf034/platform/internal/response/response.go#L129C1-L130C1

[erezrokah]

What's left to do here? Do we print the correct message or not?

[erezrokah]

Closing as stale. Please re-open if needed