stormpath / stormpath-framework-spec

Language-agnostic API specification for Stormpath Framework Integrations

Return WWW-Authenticate challenge with 401 #81

Open nbarbettini opened 8 years ago

nbarbettini commented 8 years ago

We return 401 Unauthorized for protected routes (such as /me), and presumably for any routes that are protected by a requireAuthorization helper/filter.

According to RFC 2616,

The [401] response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.

This is likely low-prio/icebox, but I wanted to get it on the radar to discuss.

lhazlewood commented 8 years ago

+1 - we should always adhere to the HTTP spec. FWIW, this is the current spec:

https://tools.ietf.org/html/rfc7235#section-4.1
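An added example of what the issue asks for (not code from this spec repo or from any Stormpath integration): a helper that a requireAuthorization filter could use to emit a 401 that carries the RFC 7235 challenge, with the RFC 6750 error attribute on the Bearer challenge only when credentials were actually presented and rejected. The realm name and the accepted schemes are assumed placeholders.

```javascript
// Added example, not Stormpath code. Builds the WWW-Authenticate challenge that
// RFC 7235 section 4.1 requires on every 401 response.
const REALM = 'example-app'; // assumed placeholder realm, not a Stormpath value

// Quote a parameter value as an RFC 7230 quoted-string (escape backslash and ").
function quote(value) {
  return '"' + String(value).replace(/(["\\])/g, '\\$1') + '"';
}

// Build the header value for the schemes a route accepts, e.g. ['Bearer', 'Basic'].
// tokenError, when set, adds the RFC 6750 error / error_description attributes
// to the Bearer challenge.
function buildChallenge(schemes, tokenError) {
  return schemes.map((scheme) => {
    const params = [`realm=${quote(REALM)}`];
    if (scheme === 'Bearer' && tokenError) {
      params.push(`error=${quote(tokenError.code)}`);
      if (tokenError.description) {
        params.push(`error_description=${quote(tokenError.description)}`);
      }
    }
    return `${scheme} ${params.join(', ')}`;
  }).join(', ');
}

// Called only after authentication has already failed for a protected route.
// authHeader is the incoming Authorization header value, or undefined when absent.
function unauthorized(authHeader, schemes = ['Bearer']) {
  const headers = { 'Content-Type': 'application/json' };
  // RFC 6750 section 3.1: a request with no credentials gets a challenge without
  // an error code; a rejected bearer token gets error="invalid_token".
  let tokenError;
  if (authHeader && /^Bearer\s+\S+/i.test(authHeader)) {
    tokenError = { code: 'invalid_token', description: 'The access token is invalid or expired' };
  }
  headers['WWW-Authenticate'] = buildChallenge(schemes, tokenError);
  return {
    status: 401,
    headers,
    body: JSON.stringify({ status: 401, message: 'Unauthorized' }),
  };
}
```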