fix(server): send 404 on missing api endpoints instead of 405 (#1806)

Returns a 404 instead of 405 on bad API endpoints. The original issue was resolved in 3487fd392e however this resolves another issue that's related. Additionally this ensures the behavior is tested.
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>

Fixes #1520
Closes #1534

internal/server/server.go

@@ -53,7 +53,7 @@ func StartServer(configuration schema.Configuration, providers middlewares.Provi
 	}
 
 	r.GET("/static/{filepath:*}", embeddedFS)
-	r.GET("/api/{filepath:*}", embeddedFS)
+	r.ANY("/api/{filepath:*}", embeddedFS)
 
 	r.GET("/api/health", autheliaMiddleware(handlers.HealthGet))
 	r.GET("/api/state", autheliaMiddleware(handlers.StateGet))

internal/suites/scenario_backend_protection_test.go

@@ -35,7 +35,7 @@ func (s *BackendProtectionScenario) AssertRequestStatusCode(method, url string,
 		}
 		res, err := client.Do(req)
 		s.Assert().NoError(err)
-		s.Assert().Equal(res.StatusCode, expectedStatusCode)
+		s.Assert().Equal(expectedStatusCode, res.StatusCode)
 	})
 }
 
@@ -55,6 +55,16 @@ func (s *BackendProtectionScenario) TestProtectionOfBackendEndpoints() {
 	s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/secondfactor/totp/identity/finish", AutheliaBaseURL), 403)
 }
 
+func (s *BackendProtectionScenario) TestInvalidEndpointsReturn404() {
+	s.AssertRequestStatusCode("GET", fmt.Sprintf("%s/api/not_existing", AutheliaBaseURL), 404)
+	s.AssertRequestStatusCode("HEAD", fmt.Sprintf("%s/api/not_existing", AutheliaBaseURL), 404)
+	s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/not_existing", AutheliaBaseURL), 404)
+
+	s.AssertRequestStatusCode("GET", fmt.Sprintf("%s/api/not_existing/second", AutheliaBaseURL), 404)
+	s.AssertRequestStatusCode("HEAD", fmt.Sprintf("%s/api/not_existing/second", AutheliaBaseURL), 404)
+	s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/not_existing/second", AutheliaBaseURL), 404)
+}
+
 func TestRunBackendProtection(t *testing.T) {
 	suite.Run(t, NewBackendProtectionScenario())
 }