semiotproject / semiot-platform

SemIoT Platform
http://semiot.ru
MIT License

Being asked from another domain, API for current user returns 204 code instead of 401 #177

Closed soylent-grin closed 8 years ago

soylent-grin commented 8 years ago

204 is in OK group of HTTP response codes, and this confuses API consumer whether the query is succeeded or failed.

soylent-grin commented 8 years ago

Now all unauthorized requests are redirected to the login page, returning a 200 OK code:

Request:

URL:http://demo.semiot.ru/systems
Request Method:GET
Status Code:200 OK
Remote Address:77.234.222.6:80

Response:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
Access-Control-Allow-Methods:GET, POST, OPTIONS
Access-Control-Allow-Origin:*
Cache-Control:no-cache, no-store, must-revalidate
Cache-Control:no-cache, no-store, must-revalidate
Connection:keep-alive
Content-Length:3307
Content-Type:text/html;charset=ISO-8859-1
Date:Sun, 01 May 2016 07:09:51 GMT
Expires:0
Expires:0
Link:<http://demo.semiot.ru/doc> rel="http://www.w3.org/ns/hydra/core#apiDocumentation"
Pragma:no-cache
Pragma:no-cache
Server:nginx/1.9.14
Set-Cookie:JSESSIONID=U4U3TWZWmOK-Sck0GQVuXBkZH26BH-LctOygV876.e866d1285bb6; path=/
X-Powered-By:Undertow/1

BTW, some headers (Expires, for example) are duplicated.

All requests to API must return 401 code, not redirect to login page.

KMax commented 8 years ago

All requests to API must return 401 code, not redirect to login page.

Why 401, but not 403? Is there a specification which we could follow?

soylent-grin commented 8 years ago

401 means that the user is not authorized at all, while 403 means the user is authorized but does not have enough permissions for some action - see more at http://stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses To be precise, 401 must be sent if no user was associated with the request, while 403 must be sent when a user with the user role is trying to make some configuration actions that are only allowed for the admin role.

soylent-grin commented 8 years ago

Issue is reopened because of, I think, servlet logic that handles any 4xx return code by redirecting to the login page. Best of all would be to redirect to the login page on unauthorized requests to UI pages (but with the correct HTTP code, not 200), and just return the HTTP code (maybe with some clarifying text, without redirect) on unauthorized requests to the API - this is common practice.
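The UI/API split proposed in this comment, written out as an added example (not SemIoT Platform code): unauthenticated API requests get a 401 with a short body, unauthenticated UI navigation gets a real redirect to the login page, and a known user without the admin role gets a 403 on configuration routes; a small helper also flags the doubled headers noted earlier in the thread. The login path, the `/systems` API prefix (the path shown in the thread) and the `/config` admin prefix are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

LOGIN_PAGE = "/login"          # assumed UI login page path
API_PREFIXES = ("/systems",)   # assumed; /systems is the path shown in the thread
ADMIN_PREFIXES = ("/config",)  # assumed admin-only configuration routes

@dataclass
class Request:
    path: str
    accept: str = "*/*"
    user: Optional[str] = None   # None: no user associated with the request
    roles: frozenset = frozenset()

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def is_api_request(req):
    """API calls hit API paths or ask for a non-HTML media type; a browser
    navigating to a UI page lists text/html in Accept."""
    return req.path.startswith(API_PREFIXES) or "text/html" not in req.accept

def authorize(req):
    """None when the request may proceed, otherwise the response to send."""
    if req.user is None:
        if is_api_request(req):
            # 401: nobody is associated with the request. Say so in the body
            # instead of serving the login HTML with 200.
            return Response(401, {"Content-Type": "text/plain",
                                  "Cache-Control": "no-store"},
                            "Authentication required")
        # UI navigation: a real redirect status to the login page, not 200.
        return Response(302, {"Location": LOGIN_PAGE})
    if req.path.startswith(ADMIN_PREFIXES) and "admin" not in req.roles:
        # 403: the user is known but lacks the role this action requires.
        return Response(403, {"Content-Type": "text/plain"}, "Forbidden")
    return None

def find_duplicate_headers(raw):
    """Header names sent more than once in a raw header dump (lower-cased)."""
    names = [line.split(":", 1)[0].strip().lower()
             for line in raw.splitlines() if ":" in line]
    return sorted(n for n, c in Counter(names).items() if c > 1)

# Constructed excerpt of the response headers quoted in the thread.
RAW_HEADERS = "Cache-Control:no-cache\nCache-Control:no-cache\nExpires:0\nExpires:0\nPragma:no-cache\nPragma:no-cache\nServer:nginx/1.9.14\n"
```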

KMax commented 8 years ago

401 means that the user is not authorized at all, while 403 means the user is authorized but does not have enough permissions for some action

I'm not sure that it's applicable to the form-based auth which we currently use. But I agree with it for basic auth, which we do not support right now. I didn't find a spec for the form-based auth, but Wikipedia could be enough [0]. And the spec for basic auth is [1].

[0]: https://en.wikipedia.org/wiki/HTTP%2BHTML_form-based_authentication
[1]: https://tools.ietf.org/html/rfc2617