Inconsistent 404 responses for endpoints hidden by `operator_features` restrictions

[eddyashton]

There's a big section of code in frontend.h:find_endpoint to populate 404 reponses, also handling the case where we have a matching path but not a matching HTTP method (/verb), to respond to OPTIONS queries or fill a Method not allowed response.

But if we decide not to execute an endpoint because of a missing operator feature, we take a totally separate path later, returning a blank 404 with no body or further details.

This is an annoying inconsistency, but will be worse if we want to treat operator_features as properly hiding endpoints. If distinguishing non-implemented from non-visible endpoints has any security value, this breaks it.

We should make these consistent, by pushing the operator_features check into find_endpoint(). This is non-trivial because of the Method not allowed handling. We probably need to change the interaction between the frontend and the endpoints, returning a set of endpoints that match the path and then filtering by method (or feature) ourselves.

[achamayou]

This is an annoying inconsistency, but will be worse if we want to treat operator_features as properly hiding endpoints. If distinguishing non-implemented from non-visible endpoints has any security value, this breaks it.

I am not sure that there is security value in hiding these endpoints, it's fairly easy to establish their existence from the public source code. I think they're a DoS mitigation feature, not a security mechanism.