danieleteti / delphimvcframework

DMVCFramework (for short) is a popular and powerful framework for WEB API in Delphi. Supports RESTful and JSON-RPC WEB APIs development.
Apache License 2.0

Wrong or misleading Server response with missing Header information #753

Closed Basti-Fantasti closed 4 months ago

Basti-Fantasti commented 5 months ago

Hi,

By checking the JWT samples from the current DMVCFramework v3.4.2 RC1 I've stumbled across an issue:

I analyzed the jsonwebtoken_livevaliditywindow example. When using the supplied VCL-based JWTClient everything works as expected. It's possible to retrieve a token and to call the protected resource.

But when calling the same protected endpoint from e.g. HTTPie without logging in and without additional headers, the server sends a 404 Not Found instead of the 401 Not Authorized.

[screenshot: 404_nok]

Also the route seems to be invalid, see here:

[screenshot: log]

I analyzed the request from the VCL app with Wireshark and compared it to the one from HTTPie, and found out that the missing header was `Accept: */*`.

After sending this header with the request, the correct 401 was shown and the log found the correct route.

[screenshot: 401_ok]

Logging in and requesting the endpoint with a valid Bearer Token was also working afterwards.

The Public endpoint at /public could be called successfully without any additional headers.

danieleteti commented 4 months ago

The action you called (admin/role1) has [MVCProduces('text/html')], so you have to call it with `Accept: text/html` to address it. If you don't put that header in the request, the server correctly responds with a "Not Found" because such a route doesn't exist.
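
The ordering the maintainer describes (content-negotiated route matching first, JWT check only on a matched route) is what turns a missing `Accept` header into a 404 rather than a 401. The following Python model is an added illustration and is not DMVCFramework code: the route table, the token set and the rule that a request with no `Accept` header does not match an action carrying a produces constraint are assumptions taken from the behaviour reported in this thread. Media-type matching follows RFC 7231 section 5.3.2, so it also covers the `*/*` and `text/*` wildcards and a `q=0` exclusion, which the thread does not exercise.

```python
"""Model of Accept-based route matching ahead of authentication.

Added illustration, not DMVCFramework's router. It reproduces the statuses
reported in the issue (no Accept -> 404, Accept: */* or text/html without a
token -> 401, valid bearer token -> 200) with a small in-memory route table.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_accept(value: Optional[str]) -> List[Tuple[str, str, float]]:
    """Return (type, subtype, q) triples from an Accept header value.

    An absent or empty header yields an empty list; this models the assumption
    (taken from the thread) that a request with no Accept header does not
    reach an action that declares what it produces."""
    if not value:
        return []
    out: List[Tuple[str, str, float]] = []
    for part in value.split(","):
        pieces = [p.strip() for p in part.split(";")]
        media = pieces[0].lower()
        if "/" not in media:
            continue  # malformed range, ignore
        typ, sub = media.split("/", 1)
        q = 1.0
        for param in pieces[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0  # unparsable qvalue: treat as "not acceptable"
        out.append((typ, sub, max(0.0, min(q, 1.0))))
    return out


def accepts(accept_header: Optional[str], produces: str) -> bool:
    """True if the Accept header admits the media type the action produces.

    The most specific matching range wins (RFC 7231 5.3.2), and a winning
    range with q=0 means the client explicitly refuses that type."""
    ptype, psub = produces.lower().split("/", 1)
    best: Optional[Tuple[int, float]] = None  # (specificity, q)
    for typ, sub, q in parse_accept(accept_header):
        if typ == "*" and sub == "*":
            spec = 0
        elif typ == ptype and sub == "*":
            spec = 1
        elif typ == ptype and sub == psub:
            spec = 2
        else:
            continue
        if best is None or spec > best[0]:
            best = (spec, q)
    return best is not None and best[1] > 0


@dataclass(frozen=True)
class Route:
    method: str
    path: str
    produces: Optional[str]  # the equivalent of [MVCProduces('text/html')]
    protected: bool          # covered by the JWT middleware


# Constructed route table mirroring the sample discussed in the issue.
ROUTES = (
    Route("GET", "/public", None, protected=False),
    Route("GET", "/admin/role1", "text/html", protected=True),
)


def dispatch(method: str, path: str, headers: Dict[str, str],
             routes=ROUTES, valid_tokens=frozenset()) -> int:
    """Route first, authenticate second; returns the HTTP status code.

    valid_tokens is a constructed stand-in for JWT verification."""
    hdr = {k.lower(): v for k, v in headers.items()}
    match: Optional[Route] = None
    for r in routes:
        if r.method != method or r.path != path:
            continue
        if r.produces is not None and not accepts(hdr.get("accept"), r.produces):
            continue  # path exists, but not for this Accept header
        match = r
        break
    if match is None:
        return 404  # nothing matched, so the auth middleware never runs
    if match.protected:
        auth = hdr.get("authorization", "")
        if not auth.startswith("Bearer ") or auth[len("Bearer "):] not in valid_tokens:
            return 401
    return 200


if __name__ == "__main__":
    for hdrs in ({}, {"Accept": "*/*"}, {"Accept": "text/html"},
                 {"Accept": "application/json"}):
        print(hdrs, "->", dispatch("GET", "/admin/role1", hdrs))
```

The practical consequence for probing or testing a protected action that declares a produces constraint: send an `Accept` that admits the declared type (`text/html` or `*/*`), otherwise a 404 tells you nothing about whether authentication is enforced, because the request never reached that check.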

Basti-Fantasti commented 4 months ago

Ah ok thanks for the feedback. I'll try to adjust the sample code to check the different outcomes 👍