
dhis2-devs team mailing list archive

[Bug 1388996] [NEW] API returns status OK 200 on unauthorized requests


Public bug reported:

Requesting /api/messageConversations.json without any Authorization
header gives a status OK 200 with the HTML corresponding to a login
page. It is then hard for developers to differentiate whether or not the
request was successful.

An option would be to return the same data, but with a status code 401 Unauthorized.
But the problem here is that a RESTful API should not return HTML on *.json requests, and there should be very little redirecting involved.

By requesting data from one endpoint (e.g. /api/me.json), one would
assume that the response would be JSON, with either a success or an
error status. Errors should then be served in a JSON format like this
{message: "Unauthorized request"}.

Why is this a problem?
At the moment we are creating a single-page application for DHIS2 which does not reload pages from the server, and therefore the user will never be prompted to log in when the session is invalidated.

How could one achieve these status codes with today's API?
It is possible to get 401 statuses, but then you would need to input a knowingly wrong authorization token (Basic XX). If the part after Basic is empty, you will get a response OK 200 and the login page.
However, this does not apply when you use cookie-based login. Then you will always get OK 200 as a response for every request.

** Affects: dhis2
     Importance: Undecided
         Status: New


** Tags: api json

** Attachment added: "JSON request gives status OK 200 on unauthorized request"
   https://bugs.launchpad.net/bugs/1388996/+attachment/4252296/+files/Skjermbilde%202014-11-03%20kl.%2023.06.58.png

-- 
You received this bug notification because you are a member of DHIS 2
developers, which is subscribed to DHIS.
https://bugs.launchpad.net/bugs/1388996


To manage notifications about this bug go to:
https://bugs.launchpad.net/dhis2/+bug/1388996/+subscriptions
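The three situations in the report (valid session, missing credentials answered with a 200 login page, wrong Basic token answered with 401), as an added example that is not part of the original report or of DHIS2: a response classifier a single-page app can use so that a "200 OK" carrying HTML on a .json endpoint is treated as "not logged in" rather than as data. The login-page heuristic (HTML body mentioning "login") and the sample paths/bodies are assumptions constructed for the example.

```javascript
// Added example, not DHIS2 project code. Classifies an API response the way a
// single-page app must if the server may answer an unauthenticated request to
// an /api/*.json endpoint with "200 OK" and the HTML login page.
function classifyApiResponse(path, status, headers, body) {
  const wantsJson = path.endsWith('.json');
  const type = (headers['content-type'] || '').toLowerCase();
  // The unambiguous case: the server reports the auth failure itself.
  if (status === 401 || status === 403) {
    return { state: 'unauthorized', reason: 'status ' + status };
  }
  // A redirect whose target looks like a login page also means "not logged in".
  if (status >= 300 && status < 400) {
    const loc = headers['location'] || '';
    return /login/i.test(loc)
      ? { state: 'unauthorized', reason: 'redirect to ' + loc }
      : { state: 'error', reason: 'unexpected redirect to ' + loc };
  }
  if (status >= 200 && status < 300) {
    if (wantsJson && !type.includes('application/json')) {
      // The case from the bug report: 200 + HTML on a .json endpoint. An HTML
      // document mentioning a login form is taken as "unauthorized" (heuristic
      // assumed here, not a DHIS2 contract); anything else is a protocol error.
      const html = /^\s*<(!doctype|html)/i.test(body);
      return html && /login/i.test(body)
        ? { state: 'unauthorized', reason: 'login page served with 200' }
        : { state: 'error', reason: 'non-JSON body (' + type + ') on JSON endpoint' };
    }
    try {
      return { state: 'ok', data: JSON.parse(body) };
    } catch (e) {
      return { state: 'error', reason: 'body is not valid JSON' };
    }
  }
  return { state: 'error', reason: 'status ' + status };
}

// Constructed sample responses mirroring the situations in the report.
const SAMPLES = {
  sessionOk: ['/api/me.json', 200, { 'content-type': 'application/json' }, '{"name":"admin"}'],
  noAuthHtml: ['/api/messageConversations.json', 200, { 'content-type': 'text/html' },
    '<!DOCTYPE html><html><body><form action="login">...</form></body></html>'],
  badBasic: ['/api/me.json', 401, { 'content-type': 'application/json' },
    '{"message":"Unauthorized request"}'],
  loginRedirect: ['/api/me.json', 302, { location: '/login' }, ''],
};

// Returns { sampleName: state } for every constructed sample.
function classifySamples() {
  const out = {};
  for (const [name, args] of Object.entries(SAMPLES)) out[name] = classifyApiResponse(...args).state;
  return out;
}
```

In a fetch wrapper, an `unauthorized` result is the point at which the app should show its own login prompt instead of trying to render the HTML as data.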
