Return-Path: X-Original-To: apmail-couchdb-user-archive@www.apache.org Delivered-To: apmail-couchdb-user-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id E09AB79A0 for ; Wed, 17 Aug 2011 02:48:26 +0000 (UTC) Received: (qmail 89570 invoked by uid 500); 17 Aug 2011 02:48:24 -0000 Delivered-To: apmail-couchdb-user-archive@couchdb.apache.org Received: (qmail 89185 invoked by uid 500); 17 Aug 2011 02:48:22 -0000 Mailing-List: contact user-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: user@couchdb.apache.org Delivered-To: mailing list user@couchdb.apache.org Received: (qmail 89177 invoked by uid 99); 17 Aug 2011 02:48:21 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 17 Aug 2011 02:48:21 +0000 X-ASF-Spam-Status: No, hits=3.0 required=5.0 tests=RCVD_IN_DNSWL_LOW,SINGLE_HEADER_2K,SPF_NEUTRAL X-Spam-Check-By: apache.org Received-SPF: neutral (nike.apache.org: local policy) Received: from [209.85.210.174] (HELO mail-iy0-f174.google.com) (209.85.210.174) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 17 Aug 2011 02:48:15 +0000 Received: by iyf40 with SMTP id 40so1232712iyf.5 for ; Tue, 16 Aug 2011 19:47:53 -0700 (PDT) Received: by 10.42.152.8 with SMTP id g8mr305849icw.211.1313549273086; Tue, 16 Aug 2011 19:47:53 -0700 (PDT) MIME-Version: 1.0 Received: by 10.42.166.5 with HTTP; Tue, 16 Aug 2011 19:47:33 -0700 (PDT) In-Reply-To: References: <4E371B93.8060303@kearns.net.au> From: Jason Smith Date: Wed, 17 Aug 2011 09:47:33 +0700 Message-ID: Subject: Re: to CouchApp or not to CouchApp To: user@couchdb.apache.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Virus-Checked: Checked by ClamAV on apache.org On Wed, Aug 17, 2011 at 12:55 AM, Jens Alfke wrote: > IMHO the best behavior is: > > - CouchDB intrinsically returns a 401, with the required WWW-Authenticate= header. That is the correct HTTP behavior when the client is trying to acc= ess a read-protected resource without being authenticated. > > - There would be some way for a CouchApp to intercept and override this r= esponse, so that it can instead return a custom response such as a 302 redi= rect to its own login page. > > Returning a 302 rather than a 401 is prioritizing the app-server usage of= CouchDB over the REST/database server usage, and I think that=E2=80=99s ba= ckwards. I agree with prior messages in this thread that CouchApps are nift= y but limited, and we shouldn=E2=80=99t be breaking regular HTTP behavior i= n the server just so that CouchApps can show fancy login pages. Totally agree. However, once again, the word "CouchApp" confuses the discussion and muddies the waters. Forget about "CouchApp." You click a link or bookmark and your browser (ultimately) goes to couch.com:5984/db/some_doc/some_attachment.html. But you aren't authorized. The *standard* response and also the Couchy response is 401. The *typical* response that all web apps actually do (because they are not simultaneously REST databases) is 302 bounce to a login page. I am really loving this discussion. It is a tough problem. Thanks very much to Marcello for keeping it going. Today I will investigate what happens if you return 401 with WWW-Authenticate and also a Location header. Is that allowed? Maybe we will get lucky and browsers will bounce. Crossing fingers. --=20 Iris Couch