incubator-couchdb-user mailing list archives

From Robert Newson <robert.new...@gmail.com>
Subject Re: to CouchApp or not to CouchApp
Date Tue, 16 Aug 2011 17:41:42 GMT
You said 'what is not standard' and I told you. Not sending the header
for a 401 response is not standard (the standard says we MUST send
it).

We cannot follow the standard here, we are going to have to find some
compromise heuristic.

"10.4.2 401 Unauthorized

   The request requires user authentication. The response MUST include a
   WWW-Authenticate header field (section 14.47) containing a challenge
   applicable to the requested resource."

B.

On 16 August 2011 17:52, Marcello Nuccio <marcello.nuccio@gmail.com> wrote:
> But, by default, CouchDB does not send the WWW-Authenticate header,
> and no one has asked to change this default.
>
> Marcello
>
> 2011/8/16 Robert Newson <rnewson@apache.org>:
>> A 401 response MUST include a WWW-Authenticate header, this causes an
>> unstylable modal dialog box on all browsers (the HTML you want to send
>> will not matter).
>>
>> This is why we cannot do as you suggest.
>>
>> B.
>>
>> On 16 August 2011 17:45, Marcello Nuccio <marcello.nuccio@gmail.com> wrote:
>>> 2011/8/16 Jens Alfke <jens@couchbase.com>:
>>>>
>>>> On Aug 16, 2011, at 9:16 AM, Marcello Nuccio wrote:
>>>>
>>>>> Ignoring for an instant that this is hard to implement, as Jason says.
>>>>> What is the problem if I send an HTML response, if the requested
>>>>> resource is HTML?
>>>>
>>>> Because if the client requesting the HTML is not a user-facing web
>>>> browser, the 302 is the wrong response, because the client won’t know
>>>> what to do with the resulting login form (unless it does
>>>> screen-scraping.) I’ve already run into this in implementing my
>>>> CouchCocoa framework.
>>>
>>>
>>> I am not saying to respond with 302. I am saying:
>>>
>>>  - ALWAYS respond with 401
>>>  - IF the Accept header says "text/html" is a valid response AND the
>>> requested resource is of type "text/html", THEN send HTML in the body
>>> of the response, ELSE send JSON.
>>>
>>> Never send 302 instead of 401.
>>> Never send HTML if not "accepted" by the client and it is the type of
>>> the requested resource.
>>>
>>> Why is this not standard compliant?
>>>
>>> Marcello
>>>
>>
>
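
The rule proposed in the quoted message (always 401, HTML body only when the Accept header allows text/html and the requested resource is text/html, otherwise JSON), combined with the RFC 2616 section 10.4.2 header requirement quoted at the top, as an added Python sketch; it is not CouchDB code and not written by anyone in the thread. The function names, the response bodies and the Basic realm value are assumptions made for illustration.

```python
import json

def html_quality(accept_header):
    """q-value the Accept header gives text/html; the most specific range wins."""
    best_rank, best_q = -1, 0.0
    # A missing Accept header means the client accepts any media type.
    for part in (accept_header or "*/*").split(","):
        fields = [f.strip() for f in part.split(";")]
        rank = {"*/*": 0, "text/*": 1, "text/html": 2}.get(fields[0].lower())
        if rank is None:
            continue  # this range does not cover text/html
        q = 1.0
        for param in fields[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # malformed q: treat the range as not acceptable
        if rank > best_rank:
            best_rank, best_q = rank, q
    return best_q

def unauthorized(accept_header, resource_type, send_challenge):
    """Build (status, headers, body) for an unauthenticated request.

    The status is always 401, never a 302 redirect to a login form.
    """
    want_html = resource_type == "text/html" and html_quality(accept_header) > 0
    if want_html:
        ctype, body = "text/html", "<h1>Login required</h1>"  # constructed body
    else:
        ctype = "application/json"
        body = json.dumps({"error": "unauthorized"})  # constructed body
    headers = {"Content-Type": ctype}
    if send_challenge:
        # Required by RFC 2616 10.4.2; browsers answer it with their own
        # modal login dialog, whatever the body contains.
        headers["WWW-Authenticate"] = 'Basic realm="example"'  # constructed realm
    return 401, headers, body
```

With `send_challenge=False` the response matches the default behaviour described in the thread (no WWW-Authenticate header), at the cost of not meeting the MUST in the quoted RFC text.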
