[ https://issues.apache.org/jira/browse/COUCHDB-972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12965769#action_12965769 ]
Gabriel Farrell commented on COUCHDB-972: ----------------------------------------- I vote for the third option. A straight 401 is the correct response. > Unauthorized requests with(out) Accept: */* get different status codes > ---------------------------------------------------------------------- > > Key: COUCHDB-972 > URL: https://issues.apache.org/jira/browse/COUCHDB-972 > Project: CouchDB > Issue Type: Bug > Components: Futon, HTTP Interface > Affects Versions: 1.0.1 > Reporter: Benjamin Young > Assignee: Filipe Manana > Priority: Minor > > Sending a GET request for any URL of private/secured database without an > Accept header set returns a 302 Found status which redirects to the Futon's > login page. > Sending a GET request with an Accept: */* (which is conceptually the same) > returns a 401 (as does setting Accept to anything else: application/json, > etc). > The 401 code is the prefered response, but the 302 is in use to load the > HTML/JS-based login forms in Futon. > The options I can see to fix this are: > 1. Return 302 if Accept is set to */*, but return 401 for application/json > (and possibly anything more specific). > 2. Return 401 and load the Futon login page/system as the response body--some > browsers/clients may still load the HTTP Auth form in addition to the HTML > one in the body of the page. > 3. Return 401 and let the browsers HTTP Auth form handle the login process. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.