Hi all,

I'm experiencing a problem with the current method used when authentication fails. If you pass a wrong authentication header you are redirected to an HTML page asking for credentials. So technically we do:

401 -> 302 -> 200

Which is wrong if we follow the spec. "The response MUST include a WWW-Authenticate header field [..]" [1]. It also introduces some bugs; try, for example, to create a database when not logged in. The reason we use a 302 actually is for couchapps.

I think we should change that behavior:

1. Provide an appropriate HTTP response by default
2. Use the tricks of cookie auth (specific header) to let the CouchApps access CouchDB. Something like an "X-Auth-..." header in the request that notifies us we need to send a response that will not raise the dialog box in browsers.

Thoughts?

[1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2

- benoît
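
Added example, not part of the original message and not CouchDB code: a sketch of the two-branch behaviour proposed above, plus a check that flags the redirect flow the message describes. The header name `X-Example-No-Auth-Dialog`, the `X-Example-Cookie` scheme, the realm and the `/login.html` path are constructed placeholders, and answering the opt-out header with a 401 carrying a non-Basic challenge is an assumption about how point 2 could be met.

```python
# Hypothetical stand-in for the elided "X-Auth-..." request header.
SUPPRESS_HEADER = "X-Example-No-Auth-Dialog"
REALM = "example"  # constructed realm value


def auth_failure_response(request_headers):
    """Build (status, headers) for a request whose credentials were rejected."""
    names = {name.lower() for name in request_headers}
    if SUPPRESS_HEADER.lower() in names:
        # Assumption: the client opted out of the browser dialog, so the
        # challenge names a scheme browsers do not prompt for. The response
        # still carries WWW-Authenticate, as the quoted spec text requires.
        challenge = 'X-Example-Cookie realm="%s"' % REALM
    else:
        # Default: a plain 401 with a Basic challenge.
        challenge = 'Basic realm="%s"' % REALM
    return 401, {"WWW-Authenticate": challenge,
                 "Content-Type": "application/json"}


def check_auth_failure(status, headers):
    """List the problems in a server's answer to a failed authentication."""
    hdrs = {name.lower(): value for name, value in headers.items()}
    problems = []
    if status in (301, 302, 303, 307):
        # The flow from the message: the client is sent to an HTML page and
        # ends on a 200, so a script never learns that authentication failed.
        problems.append("redirect instead of 401: client ends on %s"
                        % hdrs.get("location", "?"))
    elif status == 401 and not hdrs.get("www-authenticate"):
        problems.append("401 without WWW-Authenticate")
    elif status != 401:
        problems.append("unexpected status %d" % status)
    return problems


if __name__ == "__main__":
    # Constructed sample: the redirect behaviour described in the message.
    print(check_auth_failure(302, {"Location": "/login.html"}))
    # Proposed default and opt-out responses.
    print(auth_failure_response({"Authorization": "Basic bad"}))
    print(auth_failure_response({SUPPRESS_HEADER: "1"}))
```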