Rietveld Code Review Tool

Issue 54850044: Change HTTP status to 401 when user needs to login.

Created:
11 years, 11 months ago by Andi
Modified:
11 years, 11 months ago
Reviewers:
iannucci
Visibility:
Public.

Description

Returning an HTTP 302 is impractical for APIs when called via JavaScript. The XMLHttpRequest specification requires that redirects are handled by the XMLHttpRequest object and therefore are not seen by the script that called a URL that returns a 302. See http://www.w3.org/TR/2014/WD-XMLHttpRequest-20140130/#infrastructure-for-the-send()-method

I've changed the NeedsLogin exception to return HTTP 401 with the login URL in the payload and a hint in the WWW-Authenticate header, which is required by the HTTP specification for this status code.

Patch Set 1 #

Total comments: 2
Stats: +19 lines, -19 lines
M framework/exceptions.py: 1 chunk, +3 lines, -3 lines, 2 comments
M test_expectations/codereview/api/accounts/me_httptest.yaml: 1 chunk, +4 lines, -4 lines, 0 comments
M test_expectations/codereview/api/accounts/multi_user_httptest.yaml: 1 chunk, +4 lines, -4 lines, 0 comments
M test_expectations/codereview/api/cas_entries/basic_put_httptest.yaml: 1 chunk, +4 lines, -4 lines, 0 comments
M test_expectations/codereview/api/issues/comments_httptest.yaml: 1 chunk, +4 lines, -4 lines, 0 comments

Messages

Total messages: 3
Andi
11 years, 11 months ago (2014-02-04 13:37:39 UTC) #1
iannucci
11 years, 11 months ago (2014-02-04 18:52:49 UTC) #2
Good point re: XHR, I wasn't thinking that far ahead. https://codereview.appspot.com/54850044/diff/1/framework/exceptions.py File framework/exceptions.py (right): https://codereview.appspot.com/54850044/diff/1/framework/exceptions.py#newcode69 ...
Andi
11 years, 11 months ago (2014-02-04 19:47:04 UTC) #3
https://codereview.appspot.com/54850044/diff/1/framework/exceptions.py
File framework/exceptions.py (right):

https://codereview.appspot.com/54850044/diff/1/framework/exceptions.py#newcode69
framework/exceptions.py:69: self.HEADERS = {'WWW-Authenticate': 'Login at %s to proceed.' % url}
On 2014/02/04 18:52:49, iannucci wrote:
> Hm, this isn't the right format for WWW-Authenticate though? Maybe an X header?

No, it isn't. WWW-Authenticate is a MUST for 401, but the spec for the header
doesn't fit our needs AFAICT:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47
and the referenced spec for Basic and Digest auth
http://tools.ietf.org/html/rfc2617#section-3.2.1

I've had a look at how other APIs do it. And they seem to work around this issue by
sending a 400 Bad Request (for example Twitter and Facebook) or a 403 Forbidden
(G+). Both don't match the spec for the status codes if taken literally :)

What do you think about using 403 then instead?
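An added check for the header-format question raised in this thread (example code, not from Rietveld): a parser for the RFC 2617 challenge grammar that rejects the free-text value quoted above and accepts a parameterised form. The 'Login' scheme, the realm and the login_url parameter name are assumptions of this example, not something the page or the RFC defines.

```python
import re
# RFC 2617 section 1.2 challenge grammar (cited in the thread):
#   challenge = auth-scheme 1*SP 1#auth-param ; auth-param = token "=" ( token | quoted-string )
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
AUTH_PARAM_RE = re.compile(r"^(%s)=(%s|%s)$" % (TOKEN, TOKEN, QUOTED))

def split_params(s):
    """Split a #auth-param list on commas that are outside quoted-strings."""
    out, buf, in_quote, escaped = [], [], False, False
    for ch in s:
        if escaped:
            escaped = False
        elif ch == "\\" and in_quote:
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            out.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    if in_quote:
        raise ValueError("unterminated quoted-string in challenge")
    out.append("".join(buf))
    return [p.strip() for p in out if p.strip()]

def parse_challenge(value):
    """Return (scheme, params) for a WWW-Authenticate value or raise ValueError.
    The thread's 'Login at %s to proceed.' fails: 'at ... proceed.' is no auth-param."""
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or not re.fullmatch(TOKEN, parts[0]):
        raise ValueError("need an auth-scheme token and at least one auth-param")
    scheme, params = parts[0], {}
    for raw in split_params(parts[1]):
        m = AUTH_PARAM_RE.match(raw)
        if not m:
            raise ValueError("not an auth-param: %r" % raw)
        val = m.group(2)
        if val.startswith('"'):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])  # strip quotes, unescape
        params[m.group(1).lower()] = val
    return scheme, params

def needs_login_headers(login_url, realm="rietveld"):
    """401 headers that keep the challenge grammar. 'Login' is an assumed,
    unregistered auth-scheme; the login URL travels as a quoted-string param."""
    url = login_url.replace("\\", "\\\\").replace('"', '\\"')
    return {"WWW-Authenticate": 'Login realm="%s", login_url="%s"' % (realm, url)}
```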

Powered by Google App Engine
This is Rietveld f62528b