Open leplatrem opened 6 years ago
Yes totally, if we have an Authorization header we shouldn't assume Anonymous
Actually I may have been confused, here is what we have:
➜ ~ http PUT https://kinto.dev.mozaws.net/v1/buckets/bam "Authorization: blabla"
HTTP/1.1 401 Unauthorized
Access-Control-Expose-Headers: Backoff, Retry-After, Content-Length, Alert
Connection: keep-alive
Content-Length: 110
Content-Type: application/json
Date: Thu, 27 Sep 2018 12:59:49 GMT
Server: nginx
WWW-Authenticate: Basic realm="Realm"
WWW-Authenticate: Bearer realm="Realm"
WWW-Authenticate: Basic realm="Realm"
WWW-Authenticate: Portier realm="Realm"
X-Content-Type-Options: nosniff
{
"code": 401,
"errno": 104,
"error": "Unauthorized",
"message": "Please authenticate yourself to use this endpoint."
}
However it is not the case on /v1/ :
$ http GET https://kinto.dev.mozaws.net/v1/ "Authorization: blabla"
HTTP/1.1 200 OK
Access-Control-Expose-Headers: Backoff, Retry-After, Content-Length, Alert
Connection: keep-alive
Content-Length: 2561
Content-Type: application/json
It isn't an authentication-required endpoint; however, we might consider supporting it.
Ok, the test case would be this then:
➜ ~ echo '{"permissions":{"collection:create":["system.Everyone"]}}' | http PUT https://kinto.dev.mozaws.net/v1/buckets/bam -a admin:s3cret
HTTP/1.1 201 Created
Access-Control-Expose-Headers: Backoff, Retry-After, Content-Length, Alert
Connection: keep-alive
Content-Length: 194
Content-Type: application/json
Date: Thu, 27 Sep 2018 13:06:28 GMT
ETag: "1538053588434"
Last-Modified: Thu, 27 Sep 2018 13:06:28 GMT
Server: nginx
X-Content-Type-Options: nosniff
{
"data": {
"id": "bam",
"last_modified": 1538053588434
},
"permissions": {
"collection:create": [
"system.Everyone"
],
"write": [
"basicauth:cd075adfa24e28743a8435d594a8353132465e23eaeabfe4142e465e088c2ffa"
]
}
}
➜ ~ http PUT https://kinto.dev.mozaws.net/v1/buckets/bam/collections/bim "Authorization: blabla"
HTTP/1.1 201 Created
Access-Control-Expose-Headers: Backoff, Retry-After, Content-Length, Alert
Connection: keep-alive
Content-Length: 95
Content-Type: application/json
Date: Thu, 27 Sep 2018 13:06:39 GMT
ETag: "1538053599860"
Last-Modified: Thu, 27 Sep 2018 13:06:39 GMT
Server: nginx
X-Content-Type-Options: nosniff
{
"data": {
"id": "bim",
"last_modified": 1538053599860
},
"permissions": {
"write": [
"system.Everyone"
]
}
}
I am tempted to believe that we sometimes return a 403 where a 401 would be more appropriate.

For example, when an `Authorization` header is sent and no authentication method succeeds, we consider the user as anonymous. It is very likely that a 403 will be returned when trying to create a bucket or something. What if we return 401 when an `Authorization` header is sent and no authentication succeeds instead of considering the user as anonymous?

Do we have authentication policies that rely on a header that is not `Authorization`? Do we want to support that?
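The decision described in this thread, written out as an added example (not Kinto's own code): several authentication policies are tried in turn, and the one switch under discussion is whether a request carrying an `Authorization` header that no policy accepts is treated as anonymous (today's behaviour, which lets the `blabla` header create a collection in a bucket where `collection:create` is granted to `system.Everyone`) or rejected with the 401 shown above. The user table, the bearer token, the `basicauth:` id derivation (a plain SHA-256 here, which is not how Kinto derives its ids) and the `reject_unrecognized_authorization` flag are all assumptions made for this example.

```python
import base64
import hashlib

# Constructed user table standing in for the server's accounts; not Kinto's storage.
USERS = {"admin": "s3cret"}
ANONYMOUS = "system.Everyone"
CHALLENGES = ['Basic realm="Realm"', 'Bearer realm="Realm"']


def basic_header(user, password):
    """Build the Authorization value httpie sends for `-a user:password`."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def basic_auth_policy(headers):
    """Principal for a valid Basic credential, else None (policy did not match)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or USERS.get(user) != password:
        return None
    # Assumption: a plain SHA-256 of user:password as the user id. Kinto derives
    # its basicauth:<hex> ids differently; only the shape is mirrored here.
    return "basicauth:" + hashlib.sha256(decoded.encode("utf-8")).hexdigest()


def bearer_auth_policy(headers):
    """Principal for a recognised bearer token, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    # Constructed: one hard-coded token so the example runs offline.
    return "bearer:alice" if token == "valid-token" else None


POLICIES = [basic_auth_policy, bearer_auth_policy]


def unauthorized():
    """The 401 body and challenges shown in the transcript above."""
    return {
        "status": 401,
        "headers": {"WWW-Authenticate": CHALLENGES},
        "body": {"code": 401, "errno": 104, "error": "Unauthorized",
                 "message": "Please authenticate yourself to use this endpoint."},
    }


def authenticate(headers, reject_unrecognized_authorization):
    """Run every policy in order; return (principal, error_response)."""
    for policy in POLICIES:
        principal = policy(headers)
        if principal is not None:
            return principal, None
    # Proposed rule from the issue: a header that no policy accepts is an
    # authentication failure, not an anonymous request.
    if reject_unrecognized_authorization and "Authorization" in headers:
        return None, unauthorized()
    return ANONYMOUS, None


def create_collection(headers, bucket_permissions, reject_unrecognized_authorization=False):
    """Simplified authorization decision for PUT /buckets/{id}/collections/{id}."""
    principal, error = authenticate(headers, reject_unrecognized_authorization)
    if error is not None:
        return error
    principals = {principal, ANONYMOUS}
    if principal != ANONYMOUS:
        principals.add("system.Authenticated")
    allowed = set(bucket_permissions.get("collection:create", []))
    allowed |= set(bucket_permissions.get("write", []))
    if principals.isdisjoint(allowed):
        # Anonymous callers are asked to authenticate; known callers that lack
        # the permission get a 403.
        if principal == ANONYMOUS:
            return unauthorized()
        return {"status": 403, "body": {"code": 403, "error": "Forbidden"}}
    # The creator receives write permission on the new collection, so an
    # anonymous creator makes it world-writable, exactly as the transcript shows.
    return {"status": 201, "permissions": {"write": [principal]}}
```

With the flag off, `create_collection({"Authorization": "blabla"}, bucket)` reproduces the `201 Created` with `"write": ["system.Everyone"]` from the thread; with the flag on, the same request yields the 401 with both `WWW-Authenticate` challenges, while a request with no header at all is still anonymous and still succeeds.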