louislam / uptime-kuma

A fancy self-hosted monitoring tool
https://uptime.kuma.pet
MIT License
55.28k stars 4.97k forks

Please use meaningful HTTP Codes in different answers #4740

Closed GAS85 closed 4 months ago

GAS85 commented 4 months ago

📑 I have found these related issues/pull requests

E.g. #3754

🏷️ Feature Request Type

API / automation options

🔖 Feature description

Use HTTP codes in the API that are relevant to the action. E.g. currently everything is 200. Even when a user tries to log in with a wrong username or password, the answer to a POST request will be 200 with the body ok. But it is not ok :smile:.

βœ”οΈ Solution

Here the answer should be 401 Unauthorized. This will help to improve the service with e.g. Fail2ban or any status monitoring systems.

❓ Alternatives

No response

πŸ“ Additional Context

No response

CommanderStorm commented 4 months ago

But 200 is correct:

We don't have a POST request for the login field. Idk what you are talking about. The only POST (which is returning ok => you likely looked at this part) is happening as part of the socket.io workaround for broken websockets (i.e. the websocket upgrade mechanism): https://socket.io/docs/v3/how-it-works/#http-long-polling

This login information is sent via the websocket connection (as is the rest of the app's communication):

[screenshot of the websocket login exchange]

See https://github.com/louislam/uptime-kuma/issues/759 for another issue in the same vein.

CommanderStorm commented 4 months ago

This will help to improve service with e.g. Fail2ban [...]

Can you provide a CONCRETE example? Fail2ban reads logfiles and blocks IP addresses according to https://github.com/fail2ban/fail2ban => the status code should not matter.

This will help to improve service with e.g. [...] any status monitoring systems.

Please provide further details.
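To make the point above concrete, here is a small Fail2ban-style scanner: it reads log lines, matches the failure message with a regex (the equivalent of a filter's failregex with a `<HOST>` capture), and bans a host that fails `maxretry` times inside `findtime`. The HTTP status code never enters the picture. This is an added example written for this page, not code from Uptime Kuma or from Fail2ban; the log line format and the sample log below are constructed for the example and are not Uptime Kuma's real log format.

```python
"""Toy Fail2ban-style log scanner (added example, not project code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The message format is hypothetical and was chosen
# for this example only; it is NOT Uptime Kuma's actual log output.
SAMPLE_LOG = """\
2024-05-04T15:53:30Z WARN auth: login failed for user "admin" from 203.0.113.7
2024-05-04T15:53:31Z WARN auth: login failed for user "admin" from 203.0.113.7
2024-05-04T15:53:32Z INFO auth: login ok for user "alice" from 198.51.100.4
2024-05-04T15:53:40Z WARN auth: login failed for user "root" from 203.0.113.7
2024-05-04T15:53:41Z WARN auth: login failed for user "admin" from 203.0.113.7
2024-05-04T15:53:42Z WARN auth: login failed for user "admin" from 203.0.113.7
2024-05-04T16:10:00Z WARN auth: login failed for user "bob" from 198.51.100.4
"""

# The failregex equivalent: anchor the whole line, match only the failure
# message, and capture the client address (what Fail2ban calls <HOST>).
FAIL_RE = re.compile(
    r'^(?P<ts>\S+) WARN auth: login failed for user "[^"]*" from (?P<host>\S+)$'
)


def parse_failures(log_text):
    """Yield (timestamp, host) for every line that matches FAIL_RE."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group("host")


def find_bans(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Return the set of hosts with >= maxretry failures within findtime.

    Mirrors Fail2ban's sliding window: for each failure, discard that host's
    earlier failures older than findtime, then compare the count to maxretry.
    """
    attempts = defaultdict(list)
    banned = set()
    for ts, host in parse_failures(log_text):
        recent = [t for t in attempts[host] if ts - t <= findtime]
        recent.append(ts)
        attempts[host] = recent
        if len(recent) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print("ban:", sorted(find_bans(SAMPLE_LOG)))
```

With the sample log, 203.0.113.7 accumulates five failures within twelve seconds and is banned, while 198.51.100.4 has one failure and is not; raising `maxretry` to six bans nobody. A real Fail2ban filter for Uptime Kuma would need a failregex written against the messages the application actually logs (the ones referred to in the linked #3754 comment), which this example does not reproduce.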

GAS85 commented 4 months ago

I see, when web services are broken there is a POST request:

[screenshot of the POST request]

Basically, even in the standard fail2ban package there are a few services preconfigured with the exact 401 error:

And basically many more with some manual setup, e.g. "Harden Nextcloud 17+ with Fail2Ban, GUI and WebDAV - Ubuntu 20.04".

CommanderStorm commented 4 months ago

there are few services preconfigured with even exact 401 error

Well, there are also a few configured with the messages that we already publish, as noted in https://github.com/louislam/uptime-kuma/issues/3754#issuecomment-1722419358. See Bitwarden, for example.

I don't see value in refactoring the login page to POSTing with 200/401 responses. This should be solvable with the tools that we already supply.

GAS85 commented 4 months ago

This can work too, thanks 😀