Return 401 Unauthorized instead of 403 Forbidden on HMAC auth failure
#31
Comments
|
Note that RFC's say that you MUST send the ycmd currently doesn't do this, but I have a branch where I'm working on adding it. My
@vheon Similar for JediHTTP. Needs a from bottle import HTTPError
...
def RespondWithUnauthorized():
_logger.info( 'Dropping request with bad Host header.' )
error = HTTPError( httplib.UNAUTHORIZED,
'Unauthorized, received bad Host header.' )
error.add_header( _WWW_AUTH_HEADER, _WWW_AUTH_MESSAGE )
raise errorVerified to work. |
|
Thanks for filing the issue; i'll fix this today. I went to peak at your ycmd branch to see what challenge you were returning, but it appears to have not been pushed for several days. |
|
Yeah the branch I'm talking about is still on my workstation. I need to write tests for our hmac middleware and that will take time I don't have right now (I'm porting ycmd to run on Python 2 & 3). But I quote the "challenge" above. It's literally the quoted text. |
So we should return the instruction on the authorization? It wasn't clear for me 😭 |
|
The RFC is unclear beyond that the response must have WWW-Authentication header with info on how to authenticate. There's a specific scheme when using HTTP Basic Auth, but we aren't, so the value is whatever we want it to be. |
Racerd currently returns a 403 on HMAC failure instead of a 401. The 401 makes more sense; the request was unauthorized. 403 means the user has been authenticated but his level of access is not sufficient to access this resource.
Both ycmd and JediHTTP work use a 401.
Relevant SO answer which goes into more detail.
Put more simply, 401 is authentication failure whereas 403 is authorization failure.
The text was updated successfully, but these errors were encountered: