haskell-servant / servant-auth


Why does authorisation happen after e.g. ensuring correct content type? #134

Closed: asib closed this issue 5 years ago

asib commented 5 years ago

I have the following API:

```haskell
-- `auths` is the list of authentication schemes (e.g. '[JWT]); it has to be a
-- parameter of the synonym, otherwise it is an unbound type variable.
type API auths = Auth auths User :> "users"
                                 :> ReqBody '[JSON] User
                                 :> PostCreated '[JSON] UserId
```

When I send a request without an Authorization: Bearer header, if the Content-Type isn't application/json, I get a 415 response.

Admittedly I'm no REST expert, so I could be totally off base in saying this, but that feels wrong to me. Shouldn't the authorisation always be checked before anything else? It seems odd to me that you can get a 415 before you get a 401. Is it possible I've set something up incorrectly, or is this expected behaviour?

domenkozar commented 5 years ago

That makes sense to me - authentication could rely on body content, so content negotiation should happen first. Also, content negotiation is less expensive to do than authentication.

But if you have a use case that is problematic for such order, please let us know :)

alpmestan commented 5 years ago

FWIW, this is the exact piece of code in servant where this is handled: https://github.com/haskell-servant/servant/blob/master/servant-server/src/Servant/Server/Internal/RoutingApplication.hs#L361

You can see the authD bit is executed before we start looking at any content type.
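An added example, not code from this issue or from the servant project, showing where the 401 actually originates with servant-auth-server: the check servant runs in its authD phase decodes the credentials but, for the Auth combinator, does not fail the route; it hands an AuthResult to the handler, and the handler is what raises err401. Since the handler only runs once every routing check has passed, a request with an unexpected Content-Type is rejected with 415 before the handler ever gets to say 401. The User and UserId types, the '[JWT] scheme list, the port and the returned id are assumptions made for this example.

```haskell
{-# LANGUAGE DataKinds, DeriveGeneric, TypeOperators #-}
module Main where

import Data.Aeson (FromJSON, ToJSON)
import Data.Proxy (Proxy (..))
import GHC.Generics (Generic)
import Network.Wai.Handler.Warp (run)
import Servant
import Servant.Auth.Server

-- Constructed sample types for this example (not taken from the issue).
newtype User = User { name :: String } deriving (Show, Generic)
instance FromJSON User
instance ToJSON User
instance FromJWT User
instance ToJWT User

newtype UserId = UserId Int deriving (Show, Generic)
instance ToJSON UserId

type API = Auth '[JWT] User :> "users"
                            :> ReqBody '[JSON] User
                            :> PostCreated '[JSON] UserId

-- The Auth combinator passes an AuthResult to the handler instead of failing
-- the route. The 401 is raised here, and this code only runs after the
-- method, content-type and body-decoding checks have all succeeded, which is
-- why a bad Content-Type yields 415 even when no token was sent.
server :: Server API
server (Authenticated _caller) _newUser = pure (UserId 1)  -- hypothetical id
server _ _ = throwAll err401

main :: IO ()
main = do
  key <- generateKey                      -- fresh signing key per start (example only)
  let jwtCfg = defaultJWTSettings key
      ctx = defaultCookieSettings :. jwtCfg :. EmptyContext
  run 8080 (serveWithContext (Proxy :: Proxy API) ctx server)
```

Running this and sending a POST to /users with no Authorization header reproduces the observation from the issue: a body with Content-Type: text/plain gets 415 from the routing checks, while a well-formed JSON body reaches the handler and gets 401. If an unauthenticated client must never learn anything about the endpoint's content negotiation, the authentication decision has to be moved into a routing-level check (or a middleware in front of the application) rather than left to the handler.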

asib commented 5 years ago

@domenkozar Ahh yeh true, fair enough. Having thought about it a bit I don't think it really matters for my use case anyway, just took me by surprise.

Thank you for the swift response and all the great work!