Feature #30086

Use HTTP status code 403 instead of 401 when REST API is disabled

Added by Go MAEDA over 3 years ago. Updated over 3 years ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:Go MAEDA% Done:

0%

Category:REST API
Target version:4.1.0
Resolution:Fixed

Description

Currently, Redmine returns HTTP status code 401 (Unauthorized) if the REST API feature is disabled.

$ curl -D /dev/stdout --user admin:admin http://localhost:3000/issues.xml
HTTP/1.1 401 Unauthorized
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: application/xml
WWW-Authenticate: Basic realm="Redmine API" 
Cache-Control: no-cache
X-Request-Id: 22e77bad-feca-4137-a81e-9df152af8bc2
X-Runtime: 0.019368
Transfer-Encoding: chunked

With the status code 401, users may misunderstand that the login id or password is incorrect. If they access to /issues.xml with a web browser, they will see a basic authentication dialog again and again.

I think it is proper and intuitive to return 403 (Forbidden) instead of 401, like "403 API access is not allowed".

30086-http-status-code-403.patch Magnifier (3.17 KB) Yuichi HARADA, 2018-12-10 03:18

30086-http-status-code-403-v2.patch Magnifier (2.7 KB) Go MAEDA, 2019-02-25 13:33

Related issues

Related to Redmine - Defect #32315: Impossible to validate API key without modifying anything Closed

Associated revisions

Revision 18055
Added by Go MAEDA over 3 years ago

Use HTTP status code 403 instead of 401 when REST API is disabled (#30086).

Patch by Yuichi HARADA.

History

#1 Updated by Go MAEDA over 3 years ago

  • Description updated (diff)

#2 Updated by Yuichi HARADA over 3 years ago

Regardless of whether authentication is valid or not, if you disable the REST API feature it responds with HTTP status code 403(Forbidden).
I made a patch, and attach it.

#3 Updated by Marius BALTEANU over 3 years ago

I'm in favour of this change.

#4 Updated by Go MAEDA over 3 years ago

  • Target version set to 4.1.0

Setting the target version to 4.1.0.

#5 Updated by Go MAEDA over 3 years ago

Returning 403 in the situation is consistent. In incoming emails API, MailHandlerController returns 403 if "WS for incoming emails" is disabled. Please see source:tags/4.0.0/app/controllers/mail_handler_controller.rb#L41.

#6 Updated by Go MAEDA over 3 years ago

Removed an unnecessary test_with_valid_username_and_wrong_password_http_authentication from the patch.

#7 Updated by Go MAEDA over 3 years ago

  • Status changed from New to Closed
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the patch. Thank you.

#8 Updated by Go MAEDA almost 2 years ago

  • Related to Defect #32315: Impossible to validate API key without modifying anything added

Also available in: Atom PDF