Kinto / kinto

A generic JSON document store with sharing and synchronisation capabilities.
http://docs.kinto-storage.org/

401 versus 403 #1782

Open leplatrem opened 6 years ago

leplatrem commented 6 years ago

I am tempted to believe that we sometimes return a 403 where a 401 would be more appropriate.

For example, when an Authorization header is sent and no authentication method succeeds, we consider the user as anonymous. It is very likely that a 403 will be returned when trying to create a bucket or something.

What if we return 401 when an Authorization header is sent and no authentication succeeds instead of considering the user as anonymous?

Do we have authentication policies that rely on a header that is not Authorization? Do we want to support that?

Natim commented 6 years ago

Yes totally, if we have an Authorization header we shouldn't assume Anonymous.

leplatrem commented 6 years ago

Actually I may have been confused, here is what we have:

➜  ~ http PUT https://kinto.dev.mozaws.net/v1/buckets/bam "Authorization: blabla"
HTTP/1.1 401 Unauthorized
Access-Control-Expose-Headers: Backoff, Retry-After, Content-Length, Alert
Connection: keep-alive
Content-Length: 110
Content-Type: application/json
Date: Thu, 27 Sep 2018 12:59:49 GMT
Server: nginx
WWW-Authenticate: Basic realm="Realm"
WWW-Authenticate: Bearer realm="Realm"
WWW-Authenticate: Basic realm="Realm"
WWW-Authenticate: Portier realm="Realm"
X-Content-Type-Options: nosniff

{
    "code": 401,
    "errno": 104,
    "error": "Unauthorized",
    "message": "Please authenticate yourself to use this endpoint."
}

Natim commented 6 years ago

However it is not the case on /v1/:

$ http GET https://kinto.dev.mozaws.net/v1/ "Authorization: blabla"
HTTP/1.1 200 OK
Access-Control-Expose-Headers: Backoff, Retry-After, Content-Length, Alert
Connection: keep-alive
Content-Length: 2561
Content-Type: application/json

Natim commented 6 years ago

It isn't an authentication-required endpoint; however, we might consider supporting it.

leplatrem commented 6 years ago

Ok, the test case would be this then:

➜  ~ echo '{"permissions":{"collection:create":["system.Everyone"]}}' | http PUT https://kinto.dev.mozaws.net/v1/buckets/bam -a admin:s3cret
HTTP/1.1 201 Created
Access-Control-Expose-Headers: Backoff, Retry-After, Content-Length, Alert
Connection: keep-alive
Content-Length: 194
Content-Type: application/json
Date: Thu, 27 Sep 2018 13:06:28 GMT
ETag: "1538053588434"
Last-Modified: Thu, 27 Sep 2018 13:06:28 GMT
Server: nginx
X-Content-Type-Options: nosniff

{
    "data": {
        "id": "bam",
        "last_modified": 1538053588434
    },
    "permissions": {
        "collection:create": [
            "system.Everyone"
        ],
        "write": [
            "basicauth:cd075adfa24e28743a8435d594a8353132465e23eaeabfe4142e465e088c2ffa"
        ]
    }
}
➜  ~ http PUT https://kinto.dev.mozaws.net/v1/buckets/bam/collections/bim "Authorization: blabla"
HTTP/1.1 201 Created
Access-Control-Expose-Headers: Backoff, Retry-After, Content-Length, Alert
Connection: keep-alive
Content-Length: 95
Content-Type: application/json
Date: Thu, 27 Sep 2018 13:06:39 GMT
ETag: "1538053599860"
Last-Modified: Thu, 27 Sep 2018 13:06:39 GMT
Server: nginx
X-Content-Type-Options: nosniff

{
    "data": {
        "id": "bim",
        "last_modified": 1538053599860
    },
    "permissions": {
        "write": [
            "system.Everyone"
        ]
    }
}
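The behaviour discussed in this thread, as an added illustration that is not Kinto's own code: a small decision function with the current fallback-to-anonymous behaviour and the proposed reject-the-header variant, run against the three requests shown above. The credential store, the user id, the `Request` model and the ACL shapes are constructed for the example.

```python
import base64
from dataclasses import dataclass, field
from typing import Optional

EVERYONE = "system.Everyone"

# Constructed credential store standing in for Kinto's basicauth policy:
# maps an accepted Authorization header value to a made-up user id.
ACCEPTED = {"Basic " + base64.b64encode(b"admin:s3cret").decode(): "basicauth:admin"}

@dataclass
class Request:
    headers: dict
    permission: Optional[str] = None         # None: public endpoint such as /v1/
    acl: dict = field(default_factory=dict)  # permission -> principals, like Kinto's bucket permissions

def authenticate(request):
    """Return the user id if some policy accepts the Authorization header, else None."""
    return ACCEPTED.get(request.headers.get("Authorization"))

def principals(user_id):
    """Every request carries system.Everyone; an authenticated user adds their own id."""
    return {EVERYONE, user_id} if user_id else {EVERYONE}

def respond(request, reject_bad_header=False):
    """Status code for the request.

    reject_bad_header=False reproduces the current behaviour seen in the thread: an
    Authorization header that no policy accepts is dropped and the request proceeds
    as anonymous. reject_bad_header=True is the proposed change: a header that was
    sent but not accepted answers 401 before any permission check.
    """
    user_id = authenticate(request)
    if user_id is None and "Authorization" in request.headers and reject_bad_header:
        return 401
    if request.permission is None:
        return 200                                # public endpoint, nothing to check
    if principals(user_id) & set(request.acl.get(request.permission, [])):
        return 200                                # allowed (Kinto answers 201 for a creating PUT)
    # Denied: anonymous callers are asked to authenticate, known users are refused.
    return 401 if user_id is None else 403

# The three requests from the thread, all sent with the rejected header "blabla".
BAD = {"Authorization": "blabla"}
ROOT = Request(BAD)                                                   # GET /v1/
BUCKET = Request(BAD, "bucket:create", {"bucket:create": []})         # PUT /buckets/bam
COLLECTION = Request(BAD, "collection:create", {"collection:create": [EVERYONE]})  # PUT .../collections/bim
```

With the ACL from the thread (collection:create granted to system.Everyone) the current mode lets the request with a bogus header through as anonymous, which is the 201 shown above; the proposed mode turns it into a 401.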