couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Lehnardt <...@apache.org>
Subject Re: authentication behaviour
Date Fri, 11 Nov 2011 09:24:01 GMT

On Nov 11, 2011, at 08:22 , Dave Cottlehuber wrote:

> On 30 October 2011 09:48, Benoit Chesneau <bchesneau@gmail.com> wrote:
>> Hi all,
>> 
>> I'm starting to hate our authentication system. We have now an
>> authentication system which default behaviour is to answer to browsers
>> or ajax calls. Ie we redirect on fail login. Last change for example
>> in cookie auth make the API raises a 401 only when fail parameter is
>> given in the uri.
>> 
>> While this default behaviour may be good for some couchapps, I would
>> prefer that the default behaviour would be a full HTTP behaviour, so
>> we can consider coudhdb as full store. Also this system doesn't work
>> well in some couchapps too. So I propose to have this default HTTP
>> behaviour
>> 
>> - forbidden -> raise 403 and return a body
>> - unauthenticated -> raise 401 and return a body
>> 
>> And that's all. Redirection should be in my opinion something either
>> forced in the settings or via a url params (or headers). That can be
>> both. Although, I'm not sure why we have redirection here when we
>> could have depending on the Accept header either a json or an html
>> page. Anyway, making this redirection something that must be forced is
>> something I would like to introduce for 2.0x.
>> 
>> Thoughts ?
>> 
>> - benoƮt
>> 
> 
> +1 in principle. What might this break?

It'd break CouchApps that expect the redirect by default.

For the sake of not breaking API's I'd suggest a config setting that
enables Benoit's proposed behaviour that we can make the default for
2.0.

Cheers
Jan
-- 


Mime
View raw message