Closed: asib closed this 5 years ago
That makes sense to me - authentication could rely on body content, so content negotiation should happen first. Also, content negotiation is less expensive to do than authentication.
But if you have a use case that is problematic for such an order, please let us know :)
FWIW, this is the exact piece of code in servant where this is handled: https://github.com/haskell-servant/servant/blob/master/servant-server/src/Servant/Server/Internal/RoutingApplication.hs#L361
You can see the authD bit is executed before we start looking at any content type.
@domenkozar Ahh yeh true, fair enough. Having thought about it a bit I don't think it really matters for my use case anyway, just took me by surprise.
Thank you for the swift response and all the great work!
I have the following API:
When I send a request without an Authorization: Bearer header, if the Content-Type isn't application/json, I get a 415 response. Admittedly I'm no REST expert, so I could be totally off base in saying this, but that feels wrong to me. Shouldn't the authorisation always be checked before anything else? It seems odd to me that you can get a 415 before you get a 401. Is it possible I've set something up incorrectly, or is this expected behaviour?
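The ordering question raised in this thread, as an added example that is not servant code or anything from this issue: a small Python model of a router that runs its checks in a fixed sequence, so the first failing check decides the status. It lets you compare an auth-before-content-type order (the one domenkozar describes) with a content-type-before-auth order for the exact request in the report (no bearer header, wrong Content-Type). The route, the expected token and the sample requests are constructed here.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)  # constructed sample headers
    body: bytes = b""

# Constructed route description; the token value is a placeholder.
ROUTE = {"method": "POST", "content_type": "application/json", "token": "EXAMPLE-TOKEN"}

def check_method(req, route):
    return None if req.method == route["method"] else 405

def check_auth(req, route):
    # Require "Authorization: Bearer <token>" with the expected token.
    auth = req.headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    ok = scheme == "Bearer" and token.strip() == route["token"]
    return None if ok else 401

def check_content_type(req, route):
    # Compare the media type only, ignoring parameters such as charset.
    ct = req.headers.get("Content-Type", "").split(";")[0].strip().lower()
    return None if ct == route["content_type"] else 415

# Order of checks in a servant-style delayed router: method, auth, content type.
AUTH_FIRST = [check_method, check_auth, check_content_type]
# Alternative order in which content negotiation runs before the auth check.
CONTENT_FIRST = [check_method, check_content_type, check_auth]

def route_status(req, route, order):
    """Run the checks in sequence; the first failing check decides the status."""
    for check in order:
        status = check(req, route)
        if status is not None:
            return status
    return 200

# Constructed request from the report: no Authorization header, wrong Content-Type.
NO_AUTH_WRONG_CT = Request("POST", {"Content-Type": "text/plain"}, b"hello")
```

With AUTH_FIRST the request above yields 401, with CONTENT_FIRST it yields 415; an authenticated request with the wrong Content-Type yields 415 under both orders.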