Comments (9)
Unfortunately, I just realized my example has the negative effect of always setting 403 Forbidden
in the response if you do not provide auth credentials, so the 401 Authorization Required
is never set. With a bit more logic, though, you can set the 403 only if a $user and $pass are present but fail to authorize.
from rest.
You're right! Shouldn't be hard to implement. I'll do this by the end of this week =)
from rest.
I've reconsidered this after reading the RFC2616 again. Section 10.4.2 says (about 401):
If the request already included Authorization credentials, then the 401
response indicates that authorization has been refused for those
credentials.
Section 10.4.4 also says that (about 403):
The server understood the request, but is refusing to fulfill it.
Authorization will not help and the request SHOULD NOT be repeated.
I'm more towards returning 401 again on failure instead of 403. What do you guys think? @ramsey @augustohp
from rest.
Yes, I think 401 would be the correct return code. Here is how I did it.
public function by(Request $request, $params)
{
$result = false;
if (isset($_SERVER['HTTP_AUTHORIZATION']))
$result = call_user_func_array(
$this->callback,
explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6))
));
elseif (isset($_SERVER['PHP_AUTH_USER']))
$result = call_user_func($this->callback, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
if($result !== true) {
header('HTTP/1.1 401');
header("WWW-Authenticate: Basic realm=\"{$this->realm}\"");
return $result;
}
}
from rest.
Actually 401 needs to be the return code if authentication was tried and not successful. If authentication was not even tried, than perhaps should be left to the application developer like what ramsey suggested in the initial post, but maybe the expected behavior by the application developer is to end up at 403? Not sure how to implement that on AuthBasic.php.
from rest.
I'm switching my original request and agreeing with everyone that the return code should be 401, rather than 403, for failed authentication. As @mta59066 has suggested, I've changed my own code to return 401 and WWW-Authentication headers.
from rest.
Does this mean the issue is resolved and we can close it? If not does anyone care to roll a patch and make a pull request, please. If AuthBasic is in need of some TLC lets do that.
from rest.
The issue wasn't resolved, so I quickly created a patch and issued a pull request. :-)
from rest.
Awesome Tx! Will have a look see... you rock! =)
from rest.
Related Issues (20)
- Bind specific controller methods to route names HOT 2
- Composer package is outdated HOT 1
- Code 404, no matter what
- Make 404 a exception instead of a response HOT 5
- Route with direct instances and specific method of instance HOT 2
- Can I Somehow Nest Routers? HOT 2
- Allow Router as Target HOT 2
- 'sortRoutesByComplexity' is broken HOT 4
- OPTIONS requests is not handled correctly
- file_exists doesn't work? HOT 4
- Explode as an array when the post parameter is a raw HOT 1
- Fatal error: Method Respect\Rest\Router::__toString() HOT 2
- Route matching precedence HOT 1
- ->accept() IgnorableFileExtension should be configurable HOT 1
- PHP7.3: preg_replace(): Compilation failed: invalid range in character class at offset 8 HOT 2
- No updates for 4 years HOT 14
- Need to fix build error on master. HOT 3
- OPTIONS request and Access-Control-Allow-Headers HOT 4
- New Roadmap HOT 1
- Optimize error handling HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from rest.