Issue 54850044: Change HTTP status to 401 when user needs to login.

Created:
11 years, 11 months ago by Andi
Modified:
11 years, 11 months ago
Reviewers:
iannucci
Visibility:
Public.
Returning an HTTP 302 is impractical for APIs when called via JavaScript. The XMLHttpRequest specification requires that redirects are handled by the XMLHttpRequest object and therefore are not seen by the script that called a URL that returns a 302. See http://www.w3.org/TR/2014/WD-XMLHttpRequest-20140130/#infrastructure-for-the-send()-method

I've changed the NeedsLogin exception to return HTTP 401 with the login URL in the payload and a hint in the WWW-Authenticate header, which is required by the HTTP specification for this status code.

Patch Set 1

Total comments: 2
Created: 11 years, 11 months ago
Stats: +19 lines, -19 lines
M framework/exceptions.py (1 chunk, +3 lines, -3 lines, 2 comments)
M test_expectations/codereview/api/accounts/me_httptest.yaml (1 chunk, +4 lines, -4 lines, 0 comments)
M test_expectations/codereview/api/accounts/multi_user_httptest.yaml (1 chunk, +4 lines, -4 lines, 0 comments)
M test_expectations/codereview/api/cas_entries/basic_put_httptest.yaml (1 chunk, +4 lines, -4 lines, 0 comments)
M test_expectations/codereview/api/issues/comments_httptest.yaml (1 chunk, +4 lines, -4 lines, 0 comments)
Total messages: 3
Andi
11 years, 11 months ago (2014-02-04 13:37:39 UTC) #1
iannucci
11 years, 11 months ago (2014-02-04 18:52:49 UTC) #2
Good point re: XHR, I wasn't thinking that far ahead.
https://codereview.appspot.com/54850044/diff/1/framework/exceptions.py
File framework/exceptions.py (right):
https://codereview.appspot.com/54850044/diff/1/framework/exceptions.py#newcode69
framework/exceptions.py:69: self.HEADERS = {'WWW-Authenticate': 'Login at %s to
proceed.' % url}
Hm, this isn't the right format for WWW-Authenticate though? Maybe an X header?
Andi
11 years, 11 months ago (2014-02-04 19:47:04 UTC) #3
https://codereview.appspot.com/54850044/diff/1/framework/exceptions.py
File framework/exceptions.py (right):
https://codereview.appspot.com/54850044/diff/1/framework/exceptions.py#newcode69
framework/exceptions.py:69: self.HEADERS = {'WWW-Authenticate': 'Login at %s to
proceed.' % url}
On 2014-02-04 18:52:49, iannucci wrote:
> Hm, this isn't the right format for WWW-Authenticate though? Maybe an X
> header?
No, it isn't. WWW-Authenticate is a MUST for 401, but the spec for the header
doesn't fit our needs AFAICT:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47
and the referenced spec for Basic and Digest auth
http://tools.ietf.org/html/rfc2617#section-3.2.1
I've had a look at how other APIs do it. And they seem to work around this issue by
sending a 400 Bad Request (for example Twitter and Facebook) or a 403 Forbidden
(G+). Both don't match the spec for the status codes if taken literally :)
What do you think about using 403 then instead?
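
The header-format question discussed in this thread, as an added example (not code from the patch or from Rietveld): a checker for the RFC 2617 challenge grammar, an auth-scheme followed by comma-separated name=value auth-params, run against the value on framework/exceptions.py:69 and against a well-formed challenge. The scheme name RietveldLogin, the login_url parameter and the example.test URL are assumptions made up for the illustration.

```python
import re

# RFC 2616 "token": visible ASCII characters that are not separators.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# quoted-string: double-quoted text; a backslash escapes the next character.
QUOTED = r'"(?:[^"\\]|\\.)*"'
AUTH_PARAM = re.compile(r"\s*(%s)\s*=\s*(%s|%s)\s*(?:,|$)" % (TOKEN, TOKEN, QUOTED))
SCHEME = re.compile(r"(%s) +" % TOKEN)


def parse_challenge(value):
    """Parse one challenge (auth-scheme 1*SP 1#auth-param) into (scheme, params)."""
    m = SCHEME.match(value)
    if not m:
        raise ValueError("missing auth-scheme")
    scheme, pos, params = m.group(1), m.end(), {}
    while pos < len(value):
        m = AUTH_PARAM.match(value, pos)
        if not m:
            raise ValueError("bad auth-param at offset %d" % pos)
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('"'):
            # Strip the quotes and undo backslash escapes.
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        params[name] = raw
        pos = m.end()
    if not params:
        raise ValueError("challenge needs at least one auth-param")
    return scheme, params


def build_challenge(scheme, **params):
    """Serialize a challenge, quoting and escaping every parameter value."""
    quoted = ['%s="%s"' % (k, v.replace("\\", "\\\\").replace('"', '\\"'))
              for k, v in sorted(params.items())]
    return "%s %s" % (scheme, ", ".join(quoted))


def is_valid_challenge(value):
    try:
        parse_challenge(value)
        return True
    except ValueError:
        return False


# Constructed sample values; the scheme and parameter names are hypothetical.
LOGIN_URL = "https://codereview.example.test/login"
PATCH_VALUE = "Login at %s to proceed." % LOGIN_URL  # format from exceptions.py:69
WELL_FORMED = build_challenge("RietveldLogin", realm="codereview", login_url=LOGIN_URL)
```

A client that receives the well-formed value can recover the login URL with parse_challenge instead of scraping free text.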