lightninglabs / L402

lsat protocol specification

Error codes for HTTP? #11

Closed joemphilips closed 4 years ago

joemphilips commented 4 years ago

Hi.

While I've been implementing HTTP server middleware for LSAT, I found no spec for sending an error message to a client when it fails to authenticate. (For gRPC over HTTP/2 there is the Grpc-Message header.)

Is there a plan to support something similar to OAuth 2.0 error codes? Or should I just put arbitrary values in the WWW-Authenticate header, like this?

WWW-Authenticate: LSAT macaroon="AGIAJEemVQUTEyNCR0exk7ek90Cg==", invoice="lnbc1500n1pw5kjhmpp5fu6xhthlt2vucmzkx6c7wtlh2r625r30cyjsfqhu8rsx4xpz5lwqdpa2fjkzep6yptksct5yp5hxgrrv96hx6twvusycn3qv9jx7ur5d9hkugr5dusx6cqzpgxqr23s79ruapxc4j5uskt4htly2salw4drq979d7rcela9wz02elhypmdzmzlnxuknpgfyfm86pntt8vvkvffma5qc9n50h4mvqhngadqy3ngqjcym5a", error_type="no_lsat_token_found", error_details=""

guggero commented 4 years ago

The error code should always be 402 if the WWW-Authenticate header is sent:

Alongside the 402 status code, the server should specify the WWW-Authenticate header ([RFC7235], Section 4.1) field to indicate the LSAT authentication scheme and the macaroon needed for the client to form a complete LSAT.

If any other error happens, a 500 might be appropriate. But LSAT specifically only defines 402.
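
The behaviour described in the reply above, as an added Python sketch that is not part of the thread and not the project's own code: a 402 always carries the LSAT challenge, any other failure is a 500 without one, and the client side reads only `macaroon` and `invoice`. The function names and the sample values used with them are assumptions made for illustration.

```python
import re

# Matches key="value" auth-params inside a challenge (RFC 7235 quoted-string form).
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')
# Characters that would end the quoted-string early or split the header line.
_UNSAFE_RE = re.compile(r'["\\\r\n]')


def payment_required(macaroon_b64, invoice):
    """Server side: status and headers for a request that lacks a valid LSAT."""
    for value in (macaroon_b64, invoice):
        if not value or _UNSAFE_RE.search(value):
            raise ValueError("unsafe or empty challenge parameter")
    challenge = f'LSAT macaroon="{macaroon_b64}", invoice="{invoice}"'
    return 402, {"WWW-Authenticate": challenge}


def internal_error():
    """Server side: a failure unrelated to payment carries no challenge."""
    return 500, {}


def parse_challenge(status, headers):
    """Client side: return (macaroon, invoice), or None if not an LSAT 402."""
    if status != 402:
        return None
    scheme, _, params = headers.get("WWW-Authenticate", "").partition(" ")
    if scheme.lower() != "lsat":  # auth scheme names are case-insensitive
        return None
    found = dict(_PARAM_RE.findall(params))
    if not found.get("macaroon") or not found.get("invoice"):
        return None
    # Extra parameters (for example an error_type) are ignored by this sketch.
    return found["macaroon"], found["invoice"]
```
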