Defect #26296
open
GET /attachments/download/:id/:filename should deny access
Added by Jess Nielsen over 7 years ago.
Updated over 7 years ago.
Description
GET /attachments/download/703/android_demo.zip HTTP/1.1
Host: redmine.company.org
Cache-Control: no-cache
X-Redmine-API-Key: INVALID
Returns HTTP Code 200 along with the login page.
It must return HTTP Code 401.
It is an API, where a login page has no relevance.
Redmine version: 3.1.0.stable
- Status changed from New to Closed
- Resolution set to Invalid
It returns 302.
$ curl --head http://localhost:3100/test-3.3-stable/attachments/download/7/new.txt -o /dev/null -w '%{http_code}\n' -s
302
$ curl --head --location http://localhost:3100/test-3.3-stable/attachments/download/7/new.txt -o /dev/null -w '%{http_code}\n' -s
200
- Status changed from Closed to Reopened
Toshi MARUYAMA wrote:
It returns 302.
[...]
1. You are testing on a newer version.
2. It is still not the correct HTTP code to return, hence the HTTP response status
code 302 Found is a common way of performing URL redirection.
Signaling a 401 Unauthorized is exactly what is expected due to the fact
that you are not authenticated and you do not want a redirect
when you are accessing the API.
The correct code is 401:
401 Unauthorized (RFC 7235)
Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided.
The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource.
See Basic access authentication and Digest access authentication.[32]
401 semantically means "unauthenticated",[33] i.e. the user does not have the necessary credentials.
Note: Some sites issue HTTP 401 when an IP address is banned from the website (usually the website domain) and that
specific address is refused permission to access a website.
- Subject changed from Invalid X-Redmine-API-Key returns http code 200 to GET /attachments/download/:id/:filename should deny access
- Status changed from Reopened to New
- Resolution deleted (Invalid)
- Category changed from REST API to Attachments
- Affected version changed from 3.1.0 to 3.3.3
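The behaviour argued for in this thread, as an added example that is not Redmine's own code: an unauthenticated download request from an API client gets a 401 with the RFC 7235 challenge, while only a plain browser request gets the 302 to the login page. It generalizes slightly beyond the report by also treating JSON/XML Accept headers or format suffixes as API requests; the request/response Hash shapes, the realm string and the sample key store are assumptions for illustration.

```ruby
# Added example (not Redmine's code). A request is a Hash with :path and
# :headers; a response is [status, headers, body]. Only the header name
# X-Redmine-API-Key comes from the report; everything else is assumed.

VALID_API_KEYS = { "c0ffee" => "jess" }.freeze # constructed sample key store

# An API client is anyone who presents an API key (valid or not), asks for
# JSON/XML, or requests a .json/.xml representation. Such a client can never
# act on a redirect to an HTML login page, so it must not receive one.
def api_request?(req)
  headers = req[:headers]
  headers.key?("X-Redmine-API-Key") ||
    headers.fetch("Accept", "").match?(%r{application/(json|xml)}) ||
    req[:path].match?(/\.(json|xml)\z/)
end

# Returns the login name for a valid key, nil for a missing or invalid key.
def authenticate(req)
  VALID_API_KEYS[req[:headers]["X-Redmine-API-Key"]]
end

def respond_to_download(req, login_url: "/login")
  if authenticate(req)
    return [200, { "Content-Type" => "application/octet-stream" }, "attachment bytes"]
  end

  if api_request?(req)
    # RFC 7235: a 401 response must carry a WWW-Authenticate challenge.
    [401, { "WWW-Authenticate" => 'Basic realm="Redmine API"' }, ""]
  else
    # Interactive browser flow: bounce to the login page and come back afterwards.
    [302, { "Location" => "#{login_url}?back_url=#{req[:path]}" }, ""]
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed request mirroring the one in the report.
  req = { path: "/attachments/download/703/android_demo.zip",
          headers: { "X-Redmine-API-Key" => "INVALID" } }
  status, headers, = respond_to_download(req)
  puts "#{status} #{headers.inspect}"
end
```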