volatiletech / authboss

The boss of http auth.
MIT License

incorrect requests return status code 200 #234

Closed fgehrlicher closed 5 years ago

fgehrlicher commented 5 years ago

Many endpoints return http status 200 in case of a faulty request (like wrong credentials or invalid recovery token). Is that behavior intended?

aarondl commented 5 years ago

This is when in api mode?

fgehrlicher commented 5 years ago

Yes, I am using authboss as a JSON API. The response indicates an error but still returns status 200.

```json
{
  "error": "Invalid Credentials",
  "modules": {
    "auth": true,
    "confirm": true,
    "lock": true,
    "logout": true,
    "recover": true,
    "register": true
  },
  "status": "failure"
}
```

aarondl commented 5 years ago

It's intentional. It's sort of a side effect from it being able to support both JSON and HTML forms, in that the same error would be a 200 OK in an HTML form response.

In our applications we'll simply do a conditional JSON parse: if a "status": "true" key and value exist, then we know to parse it as an authboss JSON error (mostly the format you're looking at there).

Authboss doesn't really try to be a RESTful API and use status codes to indicate problems with user information for application-level issues, only request/protocol/server-level issues (bad requests for a form post, internal server errors, etc.). Analyzing the response is the only way to know if something went wrong.
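
The conditional-parse approach described in this comment, written out as an added example (this is not authboss's own code or the maintainer's client code). It assumes only the envelope pasted earlier in the thread: an HTTP 200 whose JSON body carries a "status" key and, on failure, an "error" message. The handler `fakeAuthboss` is a constructed stand-in for the library, and the `"status": "success"` body it returns on a good login is an assumption made for the example; the point is that a client must not treat 200 as "logged in" without inspecting the body, and must still treat non-2xx codes as transport-level errors.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AuthbossResponse mirrors the envelope shown in this issue. The field names
// come from the pasted response; "modules" is deliberately ignored here.
type AuthbossResponse struct {
	Status string `json:"status"`
	Error  string `json:"error"`
}

// ErrAuthboss marks a 200 response whose body is actually an authboss failure.
var ErrAuthboss = errors.New("authboss reported failure")

// CheckResponse separates the two error channels the comment describes:
// protocol-level problems arrive as non-2xx status codes, while
// application-level failures (wrong credentials, bad recovery token)
// arrive as a 200 with "status": "failure" in the body.
func CheckResponse(statusCode int, body []byte) error {
	if statusCode < 200 || statusCode >= 300 {
		return fmt.Errorf("http error: status %d", statusCode)
	}
	// Probe for the "status" key first; a body without it (e.g. an HTML form
	// response) is not an authboss envelope and is not interpreted here.
	var probe map[string]json.RawMessage
	if err := json.Unmarshal(body, &probe); err != nil {
		return nil
	}
	if _, ok := probe["status"]; !ok {
		return nil
	}
	var ab AuthbossResponse
	if err := json.Unmarshal(body, &ab); err != nil {
		return fmt.Errorf("malformed authboss envelope: %w", err)
	}
	if ab.Status == "failure" {
		return fmt.Errorf("%w: %s", ErrAuthboss, ab.Error)
	}
	return nil
}

// ClassifyLogin posts one form to a handler and reports whether the caller
// may treat the result as an authenticated session.
func ClassifyLogin(h http.Handler, form string) (ok bool, err error) {
	req := httptest.NewRequest(http.MethodPost, "/auth/login", strings.NewReader(form))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	body, _ := io.ReadAll(rr.Body)
	err = CheckResponse(rr.Code, body)
	return err == nil, err
}

// fakeAuthboss is a constructed stand-in for the library: it always answers
// 200 but reports failure in the body, exactly as the issue describes.
// The success body is an assumption for this example, not authboss's format.
var fakeAuthboss = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	if r.FormValue("password") == "correct horse" {
		fmt.Fprint(w, `{"status":"success"}`)
		return
	}
	fmt.Fprint(w, `{"error":"Invalid Credentials","status":"failure"}`)
})

func main() {
	for _, form := range []string{
		"username=alice&password=wrong",
		"username=alice&password=correct+horse",
	} {
		ok, err := ClassifyLogin(fakeAuthboss, form)
		fmt.Printf("%-45s authenticated=%v err=%v\n", form, ok, err)
	}
}
```

Callers that only check `resp.StatusCode == 200` would accept the first request as a successful login; checking `errors.Is(err, ErrAuthboss)` lets the client distinguish "the server rejected the credentials" from "the request never reached authboss correctly".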

fgehrlicher commented 5 years ago

OK, that's reasonable. Thank you for clarifying!

frederikhors commented 4 years ago

Is this related to https://github.com/volatiletech/authboss/issues/248, @fgehrlicher?