[ https://issues.apache.org/jira/browse/COUCHDB-972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12965821#action_12965821 ]

Benjamin Young commented on COUCHDB-972:
----------------------------------------

Important Note about option #1:

Futon's JS doesn't currently send an Accept header, and so (if option #1 is 
implemented) would begin getting 302 responses rather than 401s, which would 
break the private database notifications. Instead, Futon would output the 
HTML from the destination of the 302.

> Unauthorized requests with(out) Accept: */* get different status codes
> ----------------------------------------------------------------------
>
>                 Key: COUCHDB-972
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-972
>             Project: CouchDB
>          Issue Type: Bug
>          Components: Futon, HTTP Interface
>    Affects Versions: 1.0.1
>            Reporter: Benjamin Young
>            Assignee: Filipe Manana
>            Priority: Minor
>   Original Estimate: 0h
>  Remaining Estimate: 0h
>
> Sending a GET request for any URL of a private/secured database without an 
> Accept header set returns a 302 Found status which redirects to the Futon's 
> login page.
> Sending a GET request with an Accept: */* (which is conceptually the same) 
> returns a 401 (as does setting Accept to anything else: application/json, 
> etc).
> The 401 code is the preferred response, but the 302 is in use to load the 
> HTML/JS-based login forms in Futon.
> The options I can see to fix this are:
> 1. Return 302 if Accept is set to */*, but return 401 for application/json 
> (and possibly anything more specific).
> 2. Return 401 and load the Futon login page/system as the response body--some 
> browsers/clients may still load the HTTP Auth form in addition to the HTML 
> one in the body of the page.
> 3. Return 401 and let the browser's HTTP Auth form handle the login process.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
