
Properly use the 401 and 403 HTTP status codes #6978

Merged: 1 commit, Jul 8, 2016

Conversation

jsternberg (Contributor)

According to the HTTP standard, a lack of authentication credentials or
incorrect authentication credentials should send back a 401
(Unauthorized) with a WWW-Authenticate header with a challenge that
can be used to authenticate. This is because a 401 status should be sent
when an authentication attempt can be retried by the browser.

The 403 (Forbidden) status code should be sent when authentication
succeeded, but the user does not have the necessary authorization.
Previously, the server would always send a 401 status code.

Fixes #6959.
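As an added illustration of the 401/403 distinction described above (example code written for this page, not part of this PR or of InfluxDB): a small Go middleware that answers a missing or wrong Basic credential with 401 plus a `WWW-Authenticate` challenge, so the client can retry, and answers an authenticated but unauthorized user with 403. The in-memory user table, the `requireAdmin` and `statusFor` helpers and the `Realm` constant are all constructed for the example; the PR's own use of its Realm config field is not shown here.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Realm is the value placed in the WWW-Authenticate challenge.
// Assumed name for this example; the PR's config field is not reproduced here.
const Realm = "InfluxDB"

// Constructed in-memory user table: username -> password and admin flag.
type user struct {
	password string
	admin    bool
}

var users = map[string]user{
	"reader": {password: "readerpw", admin: false},
	"admin":  {password: "adminpw", admin: true},
}

// authenticate returns the user for the request's Basic credentials, or
// ok=false when credentials are absent or wrong. Both are authentication
// failures and must be answered the same way (401 + challenge).
func authenticate(r *http.Request) (user, bool) {
	name, pw, ok := r.BasicAuth()
	if !ok {
		return user{}, false
	}
	u, found := users[name]
	if !found {
		return user{}, false
	}
	// Constant-time compare so response timing does not leak the password.
	if subtle.ConstantTimeCompare([]byte(u.password), []byte(pw)) != 1 {
		return user{}, false
	}
	return u, true
}

// requireAdmin wraps a handler: 401 with a challenge when authentication
// fails (the client can retry with credentials), 403 when the user is known
// but lacks admin authorization (retrying with the same identity cannot help).
func requireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, ok := authenticate(r)
		if !ok {
			// %q quotes the realm and escapes any embedded quotes/backslashes.
			w.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=%q", Realm))
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !u.admin {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor drives the middleware with an in-process request and returns the
// status code and the WWW-Authenticate header (empty when no challenge was sent).
func statusFor(username, password string, withCreds bool) (int, string) {
	h := requireAdmin(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest("GET", "/query", nil)
	if withCreds {
		req.SetBasicAuth(username, password)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("WWW-Authenticate")
}

func main() {
	cases := []struct {
		name, user, pw string
		creds          bool
	}{
		{"no credentials", "", "", false},
		{"wrong password", "reader", "nope", true},
		{"authenticated, not admin", "reader", "readerpw", true},
		{"admin", "admin", "adminpw", true},
	}
	for _, c := range cases {
		code, challenge := statusFor(c.user, c.pw, c.creds)
		fmt.Printf("%-26s -> %d %s\n", c.name, code, challenge)
	}
}
```

Note that the wrong-password and no-credentials cases are deliberately indistinguishable to the client (same status, same challenge, same body), so the response does not reveal whether a given username exists.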

@nhaugo nhaugo added this to the 1.0.0 milestone Jul 7, 2016
@jsternberg jsternberg force-pushed the js-6959-403-forbidden-on-auth-failure branch from bdce9d7 to e821917 Compare July 7, 2016 21:51
@@ -27,5 +28,6 @@ func NewConfig() Config {
HTTPSEnabled: false,
HTTPSCertificate: "/etc/ssl/influxdb.pem",
MaxRowLimit: DefaultChunkSize,
Realm: "InfluxDB",
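Review bot: the new `Realm: "InfluxDB"` default is a bare string literal in NewConfig while the neighbouring `MaxRowLimit: DefaultChunkSize` uses a named constant; define a `DefaultRealm` constant next to `DefaultChunkSize` and use it here so the documented default and the value emitted in the `WWW-Authenticate` challenge cannot drift apart. Since this realm is user-configurable and ends up inside the quoted-string of that challenge, it is also worth validating at config load time that the value contains no double quotes, backslashes or control characters, which would otherwise corrupt the header.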
Contributor:

nit: should this be a constant like DefaultRealm?

Contributor Author:

Done.

@corylanou (Contributor)

minor nit, otherwise +1

@jsternberg jsternberg force-pushed the js-6959-403-forbidden-on-auth-failure branch from e821917 to 58f204f Compare July 8, 2016 00:34
According to the HTTP standard, a lack of authentication credentials or
incorrect authentication credentials should send back a 401
(Unauthorized) with a `WWW-Authenticate` header with a challenge that
can be used to authenticate. This is because a 401 status should be sent
when an authentication attempt can be retried by the browser.

The 403 (Forbidden) status code should be sent when authentication
succeeded, but the user does not have the necessary authorization.
Previously, the server would always send a 401 status code.
@jsternberg jsternberg force-pushed the js-6959-403-forbidden-on-auth-failure branch from 58f204f to 7a3bd19 Compare July 8, 2016 01:30
@jsternberg jsternberg merged commit 0e95f55 into master Jul 8, 2016
@jsternberg jsternberg deleted the js-6959-403-forbidden-on-auth-failure branch July 8, 2016 01:57
@PaulKuiper

Great work. Thanks for the fast pickup of this issue!

4 participants