Subject: Re: to CouchApp or not to CouchApp
From: Adam Kocoloski
Date: Tue, 16 Aug 2011 23:13:27 -0400
To: user@couchdb.apache.org

On Aug 16, 2011, at 10:47 PM, Jason Smith wrote:

> On Wed, Aug 17, 2011 at 12:55 AM, Jens Alfke wrote:
>> IMHO the best behavior is:
>>
>> - CouchDB intrinsically returns a 401, with the required WWW-Authenticate header. That is the correct HTTP behavior when the client is trying to access a read-protected resource without being authenticated.
>>
>> - There would be some way for a CouchApp to intercept and override this response, so that it can instead return a custom response such as a 302 redirect to its own login page.
>>
>> Returning a 302 rather than a 401 is prioritizing the app-server usage of CouchDB over the REST/database server usage, and I think that’s backwards. I agree with prior messages in this thread that CouchApps are nifty but limited, and we shouldn’t be breaking regular HTTP behavior in the server just so that CouchApps can show fancy login pages.
>
> Totally agree.
>
> However, once again, the word "CouchApp" confuses the discussion and
> muddies the waters.
>
> Forget about "CouchApp."
>
> You click a link or bookmark and your browser (ultimately) goes to
> couch.com:5984/db/some_doc/some_attachment.html. But you aren't
> authorized.
>
> The *standard* response and also the Couchy response is 401.
>
> The *typical* response that all web apps actually do (because they are
> not simultaneously REST databases) is 302 bounce to a login page.
>
> I am really loving this discussion. It is a tough problem. Thanks very
> much to Marcello for keeping it going. Today I will investigate what
> happens if you return 401 with WWW-Authenticate and also a Location
> header. Is that allowed? Maybe we will get lucky and browsers will
> bounce. Crossing fingers.

Yeah, that'd be nice. Not holding out hope though.

Adam