Return-Path: 
 <user-return-17500-apmail-couchdb-user-archive=couchdb.apache.org@couchdb.apache.org>
X-Original-To: apmail-couchdb-user-archive@www.apache.org
Delivered-To: apmail-couchdb-user-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id B849D8E4B
	for <apmail-couchdb-user-archive@www.apache.org>;
 Tue, 16 Aug 2011 19:33:26 +0000 (UTC)
Received: (qmail 68288 invoked by uid 500); 16 Aug 2011 19:33:24 -0000
Delivered-To: apmail-couchdb-user-archive@couchdb.apache.org
Received: (qmail 68194 invoked by uid 500); 16 Aug 2011 19:33:24 -0000
Mailing-List: contact user-help@couchdb.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:user-help@couchdb.apache.org>
List-Unsubscribe: <mailto:user-unsubscribe@couchdb.apache.org>
List-Post: <mailto:user@couchdb.apache.org>
List-Id: <user.couchdb.apache.org>
Reply-To: user@couchdb.apache.org
Delivered-To: mailing list user@couchdb.apache.org
Received: (qmail 68186 invoked by uid 99); 16 Aug 2011 19:33:23 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 16 Aug 2011 19:33:23 +0000
X-ASF-Spam-Status: No, hits=2.4 required=5.0
	tests=FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,SINGLE_HEADER_2K,SPF_PASS,T_TO_NO_BRKTS_FREEMAIL
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of marcello.nuccio@gmail.com
 designates 209.85.218.52 as permitted sender)
Received: from [209.85.218.52] (HELO mail-yi0-f52.google.com) (209.85.218.52)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 16 Aug 2011 19:33:17 +0000
Received: by yie13 with SMTP id 13so299771yie.11
        for <user@couchdb.apache.org>; Tue, 16 Aug 2011 12:32:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type:content-transfer-encoding;
        bh=ISVOjKQdWwczMpBO0Bnmci7EiDLJdy1VVNMR0Xl0uMY=;
        b=s8Kq8t9UBLOqIMm1QoiSMGnCC443IZ5boq3qye0kDiU8lKpWoYOSqHChnzu04LiTcP
         OObPFFoM7LcMIDV3QVhyU2go/Tx16elLV1iKVxqtISBAZJoGnN3uHEiFezowIm5UEcH4
         GVpFPEAQ2pgpfef9aekHlqBuZ/KmOVqCu/B9w=
MIME-Version: 1.0
Received: by 10.43.46.193 with SMTP id up1mr73683icb.352.1313523175702; Tue,
 16 Aug 2011 12:32:55 -0700 (PDT)
Received: by 10.42.245.1 with HTTP; Tue, 16 Aug 2011 12:32:55 -0700 (PDT)
In-Reply-To: <C403D6CD-5F05-4AD9-9103-E811BE7C170D@couchbase.com>
References: 
 <CA+5KyPSE3BULUc7KONgx8ZqfNKW++_r8vgdhh7HLxLr0JgfM0A@mail.gmail.com>
	<CAONf+LQKjE6NVCsLKWb3wzmWOwrS2ej+_PCJS4Z=uV3hj0OtOg@mail.gmail.com>
	<CAOHkvcP0XMAFvvFhaw3azEyqBxPMhNxFwkYX+5_x52ScSaxEbg@mail.gmail.com>
	<CAMkGvyNO4GC8e+PWu8u7BpV6b4OUvXZ3v37y5kpnXdrYgn_nBA@mail.gmail.com>
	<4E371B93.8060303@kearns.net.au>
	<CAAL6JQj_u0RgDhQG95oFrQfJ3MUeRXHb+Q6d1Cc6DEBUwaE_vA@mail.gmail.com>
	<CAONf+LTt0Hmuhx8PTs_LdzzX-fHQDAhQg_kJabTQAnfnBdxZqQ@mail.gmail.com>
	<CAOHkvcNutCimOggckR3ivc2=DCAP1ZhPTC2XpnP1o_E82_Pvaw@mail.gmail.com>
	<CA+5KyPR56FpKXiQ6Zyxu0V2jwaKbOghbTZyJ10Ou=YXyyk6zhA@mail.gmail.com>
	<CAONf+LTd+qQtLBb7iXb-H_HJs4Xm+t+Bw0G4CMLCC8X=bYwdFQ@mail.gmail.com>
	<CAAL6JQhytD90Jn3f7LT-HUMVH=T5GgTEMXWzaR6kQ5BgqZGRSw@mail.gmail.com>
	<CAAL6JQjbpOD9GOu-dDDf7-1-44pANT3U=ZKaNYEBXPcX11C8pA@mail.gmail.com>
	<CAN-3CBLheiAds-L5Vps-amEHN-F-17yRqHzbzNzAq-Ev9BKa5g@mail.gmail.com>
	<CAMWZAjnE9p2QB7zujjGqL-JiLMnbbimmuz3V-f+pW_bNeL4hng@mail.gmail.com>
	<CAN-3CBLog0VMXZYN622+3ZN=_JV09fi1UTW54rFR=-3nP6+sVQ@mail.gmail.com>
	<CABvT1DHODFHdq3Uu6AcKGuk+Vmf+EJvV0Lyj=Q7A_iAehst+iw@mail.gmail.com>
	<CAJNb-9p--g2d_UMWAtSjbyTLRYdt_h0T0sLckX5k=+HJ2kyUHg@mail.gmail.com>
	<CAMWZAj=8GRLuvF2GDr=bi=g05j9_w+JBt76ohmscNX2Pvz4Eqw@mail.gmail.com>
	<CAJNb-9pQGzvZ8pmqSxoY0Jyk+8Z+sXYzYgTgOmqiVr3Ww+hDaw@mail.gmail.com>
	<CAMWZAjmSY_jdvyZ4+tjbO6TdbRAUb+gd4UhVrbSKTgvNmrgRJQ@mail.gmail.com>
	<CAN-3CB+LwerwsdcxLfRW70NwWvHDiTg7spRKJ0tBAZQzsuX8QA@mail.gmail.com>
	<CAMWZAjms30L_TosKNt54Bqn9fHteJOuuanYKqnA-UrAa6+Bkcw@mail.gmail.com>
	<CABvT1DEZYDTe5YLX=LOA1raLPtUq_MgPNFQKbf5z2Ff6PWqS3g@mail.gmail.com>
	<CAMWZAj=SP+9V5J+gigHpH8TAGfDBOdz0815P0=zwtyFA+ZhjAw@mail.gmail.com>
	<EB6A293C-E6D6-4BE7-8D70-23587A84D5DA@couchbase.com>
	<CAMWZAjmNCxesgOWu8iZePuigyjEz9w0iWWEBA5BoPfPkh4HXCw@mail.gmail.com>
	<CABvT1DGbE5mR9ncPnZkeeX7DWMu3_QqwBafV6y6Oh5_KtRAGXw@mail.gmail.com>
	<CAMWZAjk4z_51=it71oh--cXU+h_kxfz4FmNH7M8-Pbxy6T1m9g@mail.gmail.com>
	<CABvT1DFi=zRUmgvZfZMxU=JE2TNDp_VWFhwJ1Ygo98ZWzBw69g@mail.gmail.com>
	<C403D6CD-5F05-4AD9-9103-E811BE7C170D@couchbase.com>
Date: Tue, 16 Aug 2011 21:32:55 +0200
Message-ID: 
 <CAMWZAj=SSA=RRDHoe8RNH+j=Su833g8eFQVkdjDz8g3weAo1Ow@mail.gmail.com>
Subject: Re: to CouchApp or not to CouchApp
From: Marcello Nuccio <marcello.nuccio@gmail.com>
To: user@couchdb.apache.org
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Virus-Checked: Checked by ClamAV on apache.org

2011/8/16 Jens Alfke <jens@couchbase.com>:
>
> On Aug 16, 2011, at 9:52 AM, Marcello Nuccio wrote:
>
> But, by default, CouchDB does not send the WWW-Authenticate header,
> and no one has asked to change this default.
>
> Actually I do think that should be changed, I just hadn=E2=80=99t asked f=
or it. I lost a couple of hours trying to figure out why I couldn=E2=80=99t=
 get auth to work on my server, until someone told me I had to edit the con=
fig file to get correct behavior.

+1
I thought this default was there for a good reason, but if there's no
problem to change it, then follow the standard.


> On Aug 16, 2011, at 10:41 AM, Robert Newson wrote:
>
> You said 'what is not standard' and I told you. Not sending the header
> for a 401 is response is not standard (the standard says we MUST send
> it).
>
> We cannot follow the standard here, we are going to have to find some
> compromise heuristic.
>
> IMHO the best behavior is:
>
> - CouchDB intrinsically returns a 401, with the required WWW-Authenticate=
 header. That is the correct HTTP behavior when the client is trying to acc=
ess a read-protected resource without being authenticated.

+1

> - There would be some way for a CouchApp to intercept and override this r=
esponse, so that it can instead return a custom response such as a 302 redi=
rect to its own login page.

+1
The only problem I see is:
How does it know (the couchapp) what to do?
May be that this simply shifts the problem from the server to the
couchapp... the problem of the heuristic to use is still here...


> Returning a 302 rather than a 401 is prioritizing the app-server usage of=
 CouchDB over the REST/database server usage, and I think that=E2=80=99s ba=
ckwards. I agree with prior messages in this thread that CouchApps are nift=
y but limited, and we shouldn=E2=80=99t be breaking regular HTTP behavior i=
n the server just so that CouchApps can show fancy login pages.

ok.

Marcello