On Nov 11, 2011, at 08:22, Dave Cottlehuber wrote:

> On 30 October 2011 09:48, Benoit Chesneau <bchesn...@gmail.com> wrote:
>> Hi all,
>>
>> I'm starting to hate our authentication system. We now have an
>> authentication system whose default behaviour is to answer to browsers
>> or Ajax calls, i.e. we redirect on failed login. The last change in
>> cookie auth, for example, makes the API raise a 401 only when the fail
>> parameter is given in the URI.
>>
>> While this default behaviour may be good for some couchapps, I would
>> prefer that the default behaviour be full HTTP behaviour, so we can
>> consider CouchDB a full store. This system also doesn't work well in
>> some couchapps. So I propose to have this default HTTP behaviour:
>>
>> - forbidden -> raise 403 and return a body
>> - unauthenticated -> raise 401 and return a body
>>
>> And that's all. Redirection should, in my opinion, be something either
>> forced in the settings or via a URL param (or headers). That can be
>> both. Although, I'm not sure why we have redirection here when we
>> could, depending on the Accept header, return either JSON or an HTML
>> page. Anyway, making this redirection something that must be forced is
>> something I would like to introduce for 2.0.x.
>>
>> Thoughts?
>>
>> - Benoît
>>
>
> +1 in principle. What might this break?

It'd break CouchApps that expect the redirect by default. For the sake of not breaking APIs I'd suggest a config setting that enables Benoit's proposed behaviour that we can make the default for 2.0.

Cheers
Jan
--
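The two behaviours discussed in the thread, modelled as an added example (not CouchDB code): the legacy default redirects on a failed login unless the `fail` parameter is present, while the proposed default answers with a plain 401/403 plus a body and only redirects when a config flag or an explicit request opt-in forces it. `AuthConfig`, the `redirect` query parameter, the `X-Redirect-On-Fail` header and the login URL are assumptions made for illustration.

```python
import json
from dataclasses import dataclass


@dataclass
class AuthConfig:
    """Hypothetical config: True models the 1.x default, False the proposed 2.0 default."""
    redirect_by_default: bool = True
    login_url: str = "/_utils/session.html"  # assumed login page, not a real CouchDB path


def auth_failure(status, request, config):
    """Return (status, headers, body) for a failed request.

    status is 401 (unauthenticated) or 403 (forbidden); request is a plain dict
    with 'headers' and 'query' dicts standing in for the HTTP request.
    """
    if status not in (401, 403):
        raise ValueError("only 401 and 403 are auth failures")
    headers = request.get("headers", {})
    query = request.get("query", {})
    reason = "unauthorized" if status == 401 else "forbidden"

    if config.redirect_by_default:
        # Legacy: redirect unless the caller passed ?fail (the behaviour the thread complains about).
        redirect = "fail" not in query
    else:
        # Proposed: never redirect unless the client explicitly asks for it (assumed opt-ins).
        redirect = query.get("redirect") == "true" or headers.get("X-Redirect-On-Fail") == "true"

    # Only a failed login (401) is ever redirected to the login page; a 403 stays a 403.
    if redirect and status == 401:
        return 302, {"Location": f"{config.login_url}?reason={reason}"}, ""

    # Content negotiation on Accept: HTML only when the client asks for it, JSON otherwise.
    accept = headers.get("Accept", "")
    if "text/html" in accept and "application/json" not in accept:
        return status, {"Content-Type": "text/html"}, f"<h1>{status} {reason}</h1>"

    out_headers = {"Content-Type": "application/json"}
    if status == 401:
        # A 401 is only meaningful to an HTTP client if a challenge accompanies it.
        out_headers["WWW-Authenticate"] = 'Basic realm="couchdb"'
    return status, out_headers, json.dumps({"error": reason})
```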