weavejester / compojure

A concise routing library for Ring/Clojure
Eclipse Public License 1.0

Compojure incorrectly returns a body for an HEAD method on a 401 response. #203

brown131 closed this issue 2 years ago

brown131 commented 2 years ago

According to RFC-2616: "The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response." (https://w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.4). However, when a HEAD method returns an HTTP 401 Unauthorized response it returns a body "access denied". This breaks, in particular, the Cyberduck client app, which expects the server to be well-behaved.

weavejester commented 2 years ago

Compojure doesn't handle authorisation. It sounds like the problem exists in some other middleware you're using.

brown131 commented 2 years ago

Yes. The issue appears to be in remvee/ring-basic-authorization. Sorry about that.
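
The behaviour discussed in this thread, as an added example that is not code from Compojure, from the middleware named above, or from any participant: a Ring middleware that sits outermost and drops the body of any response to a HEAD request, including a 401 produced by an inner authentication wrapper that short-circuits. `wrap-fake-auth`, `wrap-head-no-body` and the sample requests are hypothetical names and constructed data; Ring handlers are plain functions on maps, so this runs with Clojure alone.

```clojure
(ns example.head-body)

;; Constructed stand-in for an auth middleware that rejects unauthenticated
;; requests the way the thread describes: 401 with the body "access denied".
(defn wrap-fake-auth [handler]
  (fn [request]
    (if (get-in request [:headers "authorization"])
      (handler request)
      {:status  401
       :headers {"WWW-Authenticate" "Basic realm=\"restricted\""
                 "Content-Type"     "text/plain"}
       :body    "access denied"})))

;; Keep status and headers (a HEAD response mirrors GET's headers),
;; but never send a message body for a HEAD request.
(defn- strip-body [request response]
  (if (and response (= :head (:request-method request)))
    (assoc response :body nil)
    response))

;; Hypothetical middleware. It must be the outermost wrapper so it also sees
;; responses from inner middleware that return without calling the handler.
(defn wrap-head-no-body [handler]
  (fn
    ([request] (strip-body request (handler request)))
    ([request respond raise]
     (handler request #(respond (strip-body request %)) raise))))

(def app
  (-> (fn [_] {:status 200 :headers {} :body "secret"})
      wrap-fake-auth
      wrap-head-no-body))

;; Constructed requests: same URI, no credentials, HEAD versus GET.
(defn check []
  (let [head-resp (app {:request-method :head :uri "/" :headers {}})
        get-resp  (app {:request-method :get  :uri "/" :headers {}})]
    (assert (= 401 (:status head-resp)))
    (assert (nil? (:body head-resp)))
    (assert (contains? (:headers head-resp) "WWW-Authenticate"))
    (assert (= "access denied" (:body get-resp)))
    :ok))

(check)
```

ring-core ships `ring.middleware.head/wrap-head`, which can serve the same purpose when placed outside the authentication middleware.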