Wrong headers for non-authenticated users #16
I believe you are right, and this is a duplicate of zfcampus/zf-mvc-auth#97

Originally posted by @PowerKiKi at zfcampus/zf-apigility-skeleton#111 (comment)
You're right. My fix is even worse. It prevents challenging the client when needed... ...

    'zf-mvc-auth' => [
        'authentication' => [
            'adapters' => [
                'http' => [
                    // HTTP auth adapter configuration
                ],
                'whatever' => [
                    // Whatever auth adapter configuration
                ],
            ],
            'map' => [
                'API/VERSION1' => 'basic',
                'API/VERSION2' => 'whatevertype',
            ],
        ],
    ],

... Now, let's imagine the following scenario: a client requests the following URI /host.tld/API/VERSION1 (here, the matching authentication type is Then, the following will occur in the default authentication listener:

At this point, if the mvc http adapter doesn't find the

I'll investigate and try to provide a patch.

Originally posted by @nuxwin at zfcampus/zf-apigility-skeleton#111 (comment)
Hello
If a non-authenticated user sends a request to a page that needs authorization, then he will get a 403 status (Forbidden). I think this behavior is incorrect, because he should get a 401 status (Unauthorized).
It happened because of this fix zfcampus/zf-mvc-auth#92
Here is this fix:
I think that this fix is incorrect. I think we should check the authentication only if this method requires the authorization and we shouldn't check the Authorization header here.
Originally posted by @Redigast13 at zfcampus/zf-apigility-skeleton#111
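To make the two behaviours discussed in this thread concrete, here is an added example (not code from zf-mvc-auth or zf-apigility). It models, in plain PHP, the reported behaviour (authentication attempted only when an Authorization header is present, so an anonymous client on a protected route is denied with 403) beside the behaviour the reporter asks for (decide from the route's requirement, so an anonymous client gets 401 plus a WWW-Authenticate challenge, and 403 is reserved for an authenticated identity that lacks the required role). The credential store, user names, realm and helper names are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not project code: a minimal model of the 401-vs-403 decision.
// Constructed credential store: user => ['password' => ..., 'roles' => [...]].
const USERS = [
    'alice' => ['password' => 's3cret',  'roles' => ['admin']],
    'bob'   => ['password' => 'hunter2', 'roles' => ['reader']],
];

const CHALLENGE = ['WWW-Authenticate' => 'Basic realm="api"'];

/** Parse and verify an HTTP Basic Authorization header; null if it does not authenticate. */
function authenticateBasic(?string $header): ?array
{
    if ($header === null || stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$user, $password] = explode(':', $decoded, 2);
    if (!isset(USERS[$user]) || !hash_equals(USERS[$user]['password'], $password)) {
        return null;
    }
    return ['user' => $user, 'roles' => USERS[$user]['roles']];
}

/**
 * Behaviour as reported in this issue: authentication runs only when an Authorization
 * header is present. An anonymous client on a protected route therefore reaches the
 * authorization check as "guest" and is denied with 403, never receiving a challenge.
 */
function decideHeaderGated(bool $protected, ?string $authHeader, string $requiredRole): array
{
    $identity = $authHeader !== null ? authenticateBasic($authHeader) : null;
    if ($authHeader !== null && $identity === null) {
        return ['status' => 401, 'headers' => CHALLENGE];
    }
    if (!$protected) {
        return ['status' => 200, 'headers' => []];
    }
    $roles = $identity['roles'] ?? ['guest'];
    return in_array($requiredRole, $roles, true)
        ? ['status' => 200, 'headers' => []]
        : ['status' => 403, 'headers' => []];
}

/**
 * Behaviour the reporter asks for: decide from the route, not from the header.
 * A protected route with absent or invalid credentials gets 401 plus WWW-Authenticate;
 * 403 is reserved for an identity that authenticated but lacks the required role.
 */
function decideRouteGated(bool $protected, ?string $authHeader, string $requiredRole): array
{
    if (!$protected) {
        return ['status' => 200, 'headers' => []];
    }
    $identity = authenticateBasic($authHeader);
    if ($identity === null) {
        // Absent or wrong credentials: tell the client how to authenticate.
        return ['status' => 401, 'headers' => CHALLENGE];
    }
    if (!in_array($requiredRole, $identity['roles'], true)) {
        // Known identity, insufficient rights: no challenge, since re-authenticating
        // as the same user would not change the outcome.
        return ['status' => 403, 'headers' => []];
    }
    return ['status' => 200, 'headers' => []];
}

function fmt(array $r): string
{
    return $r['status'] . ($r['headers'] !== [] ? ' +challenge' : '');
}

// Constructed requests: [description, protected route?, Authorization header, required role]
$cases = [
    ['anonymous, protected route', true,  null,                                      'admin'],
    ['anonymous, public route',    false, null,                                      'admin'],
    ['bad password',               true,  'Basic ' . base64_encode('alice:wrong'),  'admin'],
    ['valid but wrong role',       true,  'Basic ' . base64_encode('bob:hunter2'),  'admin'],
    ['valid and permitted',        true,  'Basic ' . base64_encode('alice:s3cret'), 'admin'],
];

printf("%-28s %-16s %s\n", 'request', 'header-gated', 'route-gated');
foreach ($cases as [$label, $protected, $header, $role]) {
    printf("%-28s %-16s %s\n", $label,
        fmt(decideHeaderGated($protected, $header, $role)),
        fmt(decideRouteGated($protected, $header, $role)));
}
```

The only row where the two columns differ is the first one, which is exactly the case this issue reports: the header-gated logic answers 403 with no challenge, while the route-gated logic answers 401 with WWW-Authenticate, so a client that simply forgot to send credentials is told to authenticate rather than being told it is forbidden.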