Closed martinrotter closed 8 years ago
@LukasReschke can we fix this in core?
Right, solution should be to add this header if an @CORS annotation is found (since we don't have a generic api interface yet)
@martinrotter can you reopen and link this issue in core? Thanks!
Okay, I will.
IMPORTANT
Read and tick the following checkbox after you have created the issue or place an x inside the brackets ;)
Explain the Problem
When someone sends /items/star/multiple request without BASIC auth credentials, HTTP 401 response does not contain WWW-authenticate header.
Steps to Reproduce
Explain what you did to encounter the issue
This is not standard behavior. Server should always indicate which method of authentication it expects when authentication fails and 401 is returned. This literally breaks some existing libraries - for example Qt Network stack, where you have to explicitly append Authentication header and not to wait for server's answer. All API calls must return WWW-authenticate header when HTTP/401 response is returned.
From standard RFC 1945:
Contents of Browser Error Console
Read http://ggnome.com/wiki/Using_The_Browser_Error_Console if you are unsure what to put here