@sirtet opened this Issue on February 24th 2015

When trying a Piwik page without logging in, the response is the login form, delivered with status code 200 OK. I think that should be delivered with a 403.

@mnapoli commented on February 24th 2015 Member

:+1: but I think [401 is better](http://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_Error)

401 Unauthorized

Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided.

@mattab commented on February 24th 2015 Owner

Hi there,
I think if we change to 403, some web server configs will catch this and show an error page instead; this could break Piwik for some users.

@sirtet commented on February 25th 2015

According to
http://stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses
401 seems more correct, but here
http://drupal.stackexchange.com/questions/18348/why-does-drupal-use-403-forbidden
it's said that 401 is only to be used with http auth.
It also says that is why Drupal is using 403.

As Drupal uses 403, I think it should be safe for Piwik too.

Not having the correct response code can be critical for some services, I think.
I stumbled into a concrete case of this problem in a Piwik plugin:
https://github.com/sgiehl/piwik-plugin-ExcludeByDDNS/issues/4

@mnapoli commented on February 25th 2015 Member

That's an interesting POV, maybe 403 is OK then especially since it's not an HTTP API here.

@pfrenssen commented on June 23rd 2017

This also happens when accessing the Reporting API without providing a token_auth; it will return a 200 OK. We need to inspect the body and look for result => error. It would be more convenient if we could rely on the HTTP response code.
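The client-side workaround described in the comment above (checking the JSON body for `result => error` because the status code is 200 either way) is shown here as an added example; it is not code from the thread or from the Piwik project. The sample responses, the error message text and the list of keywords used to tell an authentication failure apart from other API errors are all constructed assumptions, not values captured from a real Piwik instance.

```python
import json
from typing import Optional

# Constructed sample responses (not captured from a real Piwik instance), modelled on
# the behaviour described in the thread: the Reporting API answers 200 OK and signals
# a missing or invalid token_auth only inside the JSON body.
SAMPLE_RESPONSES = {
    "missing_token": (200, '{"result":"error","message":"You can\'t access this resource as it requires view access."}'),
    "success": (200, '[{"label":"index","nb_visits":42}]'),
    "html_login_form": (200, '<html><body><form id="login_form">...</form></body></html>'),
    "forbidden": (403, ''),
    "server_error": (500, '<html>Internal Server Error</html>'),
}

# Phrases that, inside a "result":"error" message, suggest an authentication or
# authorisation problem rather than some other API error. Assumed list, not Piwik's.
AUTH_HINTS = ("token_auth", "access", "authenticat", "logged in", "login")


def parse_api_error(body: str) -> Optional[str]:
    """Return the message if body is a {"result":"error", ...} object, else None."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if isinstance(data, dict) and data.get("result") == "error":
        return str(data.get("message", ""))
    return None


def classify_response(status: int, body: str) -> str:
    """Classify a Reporting API response as 'ok', 'auth_error' or 'error'.

    The status code is consulted first (a proxy, or a Piwik that one day sends
    401/403, should be honoured), then the body, because a 200 OK alone proves
    nothing for this API.
    """
    if status in (401, 403):
        return "auth_error"
    if status != 200:
        return "error"
    message = parse_api_error(body)
    if message is not None:
        lowered = message.lower()
        if any(hint in lowered for hint in AUTH_HINTS):
            return "auth_error"
        return "error"
    # A 200 whose body does not parse as JSON (for example an HTML page) is not
    # report data; treat it as an error rather than silently consuming it.
    if parse_json_or_none(body) is None:
        return "error"
    return "ok"


def parse_json_or_none(body: str):
    """Parse body as JSON, returning None instead of raising on malformed input."""
    try:
        return json.loads(body)
    except ValueError:
        return None


if __name__ == "__main__":
    # Walk the constructed samples so the classification is visible when run directly.
    for name, (status, body) in SAMPLE_RESPONSES.items():
        print(f"{name:16} -> {classify_response(status, body)}")
```

The point of ordering the checks this way is that a client written now keeps working if the server is later changed to answer 401 or 403 (the change discussed in this thread), while still catching the 200 OK error envelope that exists today.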
