Feature #30086
Use HTTP status code 403 instead of 401 when REST API is disabled
| Field | Value |
|---|---|
| Status | Closed |
| Priority | Normal |
| Assignee | |
| Category | REST API |
| Target version | 4.1.0 |
| Start date | |
| Due date | |
| % Done | 0% |
| Resolution | Fixed |
Description
Currently, Redmine returns HTTP status code 401 (Unauthorized) if the REST API feature is disabled.
```
$ curl -D /dev/stdout --user admin:admin http://localhost:3000/issues.xml
HTTP/1.1 401 Unauthorized
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: application/xml
WWW-Authenticate: Basic realm="Redmine API"
Cache-Control: no-cache
X-Request-Id: 22e77bad-feca-4137-a81e-9df152af8bc2
X-Runtime: 0.019368
Transfer-Encoding: chunked
```
With the status code 401, users may misunderstand that the login id or password is incorrect. If they access /issues.xml with a web browser, they will see a basic authentication dialog again and again.
I think it is proper and intuitive to return 403 (Forbidden) instead of 401, like "403 API access is not allowed".
Related issues
Associated revisions
Use HTTP status code 403 instead of 401 when REST API is disabled (#30086).
Patch by Yuichi HARADA.
History
#1
Updated by Go MAEDA over 3 years ago
- Description updated (diff)
#2
Updated by Yuichi HARADA over 3 years ago
- File 30086-http-status-code-403.patch added
Regardless of whether authentication is valid or not, if you disable the REST API feature it responds with HTTP status code 403 (Forbidden).
I made a patch, and attach it.
#3
Updated by Marius BALTEANU over 3 years ago
I'm in favour of this change.
#4
Updated by Go MAEDA over 3 years ago
- Target version set to 4.1.0
Setting the target version to 4.1.0.
#5
Updated by Go MAEDA over 3 years ago
Returning 403 in the situation is consistent. In incoming emails API, MailHandlerController returns 403 if "WS for incoming emails" is disabled. Please see source:tags/4.0.0/app/controllers/mail_handler_controller.rb#L41.
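The behaviour described in the issue description and in notes #2 and #5, as an added example that is not Redmine's code or the attached patch: a plain Ruby model of the API entry point, with the reported behaviour (a disabled API falls through to the same 401 challenge as a wrong password) beside the proposed one (a disabled API answers 403 before any credential check and sends no `WWW-Authenticate` header, so a browser has nothing to re-prompt on). `VALID_USERS`, `basic_header` and the response hashes are constructed stand-ins, not Redmine's `User` model or Rails response objects.

```ruby
require 'base64'

# Constructed credential store standing in for Redmine's User model.
VALID_USERS = { 'admin' => 'admin' }.freeze

# Build a Basic Authorization header value, as `curl --user login:password` does.
def basic_header(login, password)
  "Basic #{Base64.strict_encode64("#{login}:#{password}")}"
end

# Parse "Basic <base64(login:password)>" into [login, password];
# return nil for a missing or malformed header.
def parse_basic_auth(header)
  return nil unless header.is_a?(String) && header.start_with?('Basic ')
  begin
    decoded = Base64.strict_decode64(header.delete_prefix('Basic '))
  rescue ArgumentError
    return nil
  end
  login, password = decoded.split(':', 2)
  password.nil? ? nil : [login, password]
end

# Constant-time comparison so the password check does not leak prefix timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def credentials_valid?(creds)
  return false unless creds
  login, password = creds
  expected = VALID_USERS[login]
  !expected.nil? && secure_equal?(expected, password)
end

# Proposed behaviour: a disabled API is a 403 regardless of credentials, and
# the challenge header is reserved for genuine authentication failures.
def api_response(api_enabled:, authorization:)
  unless api_enabled
    return { status: 403, headers: {}, body: '403 API access is not allowed' }
  end
  if credentials_valid?(parse_basic_auth(authorization))
    { status: 200, headers: { 'Content-Type' => 'application/xml' }, body: '<issues/>' }
  else
    # Only an actual authentication failure carries the challenge (RFC 7235).
    { status: 401,
      headers: { 'WWW-Authenticate' => 'Basic realm="Redmine API"' },
      body: '401 Unauthorized' }
  end
end

# Reported behaviour: a disabled API falls through to the same 401 challenge
# as a bad password, which is what misleads clients and browsers.
def legacy_api_response(api_enabled:, authorization:)
  if api_enabled && credentials_valid?(parse_basic_auth(authorization))
    { status: 200, headers: { 'Content-Type' => 'application/xml' }, body: '<issues/>' }
  else
    { status: 401,
      headers: { 'WWW-Authenticate' => 'Basic realm="Redmine API"' },
      body: '401 Unauthorized' }
  end
end

if __FILE__ == $PROGRAM_NAME
  good = basic_header('admin', 'admin')
  puts "API disabled, reported: #{legacy_api_response(api_enabled: false, authorization: good)[:status]}"
  puts "API disabled, proposed: #{api_response(api_enabled: false, authorization: good)[:status]}"
end
```

The ordering matters: the API-enabled check runs before credentials are parsed at all, so a disabled API never evaluates a password and never emits the challenge header that drives the repeated browser dialog.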
#6
Updated by Go MAEDA over 3 years ago
- File 30086-http-status-code-403-v2.patch added
Removed an unnecessary test_with_valid_username_and_wrong_password_http_authentication from the patch.
#7
Updated by Go MAEDA over 3 years ago
- Status changed from New to Closed
- Assignee set to Go MAEDA
- Resolution set to Fixed
Committed the patch. Thank you.
#8
Updated by Go MAEDA almost 2 years ago
- Related to Defect #32315: Impossible to validate API key without modifying anything added