couchdb-dev mailing list archives

From Benoit Chesneau <bchesn...@gmail.com>
Subject authentication behaviour
Date Sun, 30 Oct 2011 08:48:28 GMT
Hi all,

I'm starting to hate our authentication system. We now have an
authentication system whose default behaviour is to answer to browsers
or ajax calls, i.e. we redirect on failed login. The last change in
cookie auth, for example, makes the API raise a 401 only when the fail
parameter is given in the URI.

While this default behaviour may be good for some couchapps, I would
prefer that the default behaviour be a full HTTP behaviour, so
we can consider couchdb as a full store. Also, this system doesn't work
well in some couchapps either. So I propose to have this default HTTP
behaviour:

- forbidden -> raise 403 and return a body
- unauthenticated -> raise 401 and return a body

And that's all. Redirection should be, in my opinion, something either
forced in the settings or via URL params (or headers). That can be
both. Although, I'm not sure why we have redirection here when we
could have, depending on the Accept header, either a json or an html
page. Anyway, making this redirection something that must be forced is
something I would like to introduce for 2.0x.

Thoughts?

- benoît
