Attempting to make REST CORS calls to ESP (with auth enabled) fails with:
The response code is a "302 Found"; I would have expected a 401?
Kanghua Wang February 15, 2018 at 7:03 PM
Please correct me if I do not understand correctly: we should send 401 (not redirect to the login page) for any REST type call if authentication fails. The following rules are used to detect a REST type call:
Any HTTP POST request;
Any request which has a BasicAuthentication header;
Any CORS calls (any request which has an Origin header).
Anthony Fishbeck February 15, 2018 at 2:56 PM
Let's discuss this afternoon and see if we can improve on:
what causes a redirect;
what is treated as a REST client call.
Kanghua Wang February 15, 2018 at 2:17 PM
That is because ESP allows a client to get the 'resource' files from predefined locations. The default settings of the locations include: esp/files/. So, the 200 OK is sent for http://192.168.3.22:8010/esp/files/stub.htm.
Gordon Smith February 15, 2018 at 8:27 AM
Quick follow up - what I am seeing is the opposite of what I would expect:
When the request is the main landing page, there is no redirect:
But as soon as the first REST style request is made:
Again, IMO the redirect only makes sense when the requested resource is an HTML page.
Gordon Smith February 15, 2018 at 5:54 AM
How about only redirecting if it's a "same-origin" request?
or alternatively only redirecting if:
The request type is a GET
The requested URL's pathname ends in ".html" or ".htm" etc. (we wouldn't want redirects for ".xsd" requests)
The requested URL's pathname is blank.
FWIW I would probably be ok if there was no redirect on a POST / OPTIONS request, but that feels a bit specific.
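To make the two proposals in this thread concrete (the REST-client detection rules in Kanghua Wang's comment above, and the "only redirect on an HTML page GET" rule in this comment), here is an added illustration in C++; it is not ESP's code, and the `Request` struct, the lower-cased header map and the `unauthenticatedStatus` decision function are assumptions made for the example.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <string>

// Minimal request model for the example (constructed; not ESP's real types).
struct Request {
    std::string method;                          // "GET", "POST", "OPTIONS", ...
    std::string path;                            // URL pathname, e.g. "/esp/files/stub.htm"
    std::map<std::string, std::string> headers;  // header names stored lower-case (assumption)
};

static bool hasHeader(const Request& r, const std::string& name) {
    return r.headers.count(name) > 0;
}

static bool endsWith(const std::string& s, const std::string& suffix) {
    return s.size() >= suffix.size() &&
           s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Rules from the thread for recognising a REST-style client:
// any POST, any Basic Authentication header, any CORS request (Origin header).
bool isRestClientRequest(const Request& r) {
    if (r.method == "POST") return true;
    auto it = r.headers.find("authorization");
    if (it != r.headers.end() && it->second.rfind("Basic ", 0) == 0) return true;
    return hasHeader(r, "origin");
}

// Alternative rule from the thread: only a GET for an HTML page, or for a
// blank pathname ("" or "/" here), is a browser navigation worth redirecting.
bool isHtmlPageNavigation(const Request& r) {
    if (r.method != "GET") return false;
    std::string p = r.path;
    std::transform(p.begin(), p.end(), p.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return p.empty() || p == "/" || endsWith(p, ".html") || endsWith(p, ".htm");
}

// Status to return when authentication fails: 401 for REST-style calls,
// 302 (redirect to the login page) only for HTML page navigation.
int unauthenticatedStatus(const Request& r) {
    if (isRestClientRequest(r)) return 401;
    if (isHtmlPageNavigation(r)) return 302;
    return 401;  // e.g. a GET for a ".xsd": no redirect wanted either
}
```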