401 for bad signature, 403 for insufficient permissions #17

Open
smcoll opened this issue Oct 28, 2016 · 1 comment
Comments

smcoll commented Oct 28, 2016

A 403 returned by this authentication scheme might indicate that the signature is invalid, or that the user doesn't have sufficient permissions.

DRF suggests raising an AuthenticationFailed for a bad signature, resulting in a 401 response (and not bothering to do the permissions check), leaving a 403 to indicate that the user was authenticated but has insufficient permissions. Further, an authenticate_header method could implement a WWW-Authenticate header in the 401 response with signature implementation instructions. I believe this potential exists in all the 3.x DRF releases.

Would that be a welcome PR? I recognize that it could break users' integration tests expecting the current "403" behavior.

@smcoll smcoll changed the title 401 for bad signature, 403 for no permissions 401 for bad signature, 403 for insufficient permissions Oct 28, 2016
smcoll commented Jan 27, 2017

A workaround in the meantime is to list another authentication class which returns a 401 first in DEFAULT_AUTHENTICATION_CLASSES. (see the note in bold in the DRF docs)
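The two comments above describe how DRF separates the outcomes: a bad signature should raise AuthenticationFailed (401, with WWW-Authenticate taken from authenticate_header), an authenticated caller without rights gets 403 from the permission layer, and a request with no credentials at all gets 401 only when the first authentication class advertises a header. The following is an added example illustrating that split; it is not code from this issue or from any signature-authentication project. The HmacSignatureAuthentication class, the header format, the KEYS store with its constructed secrets, make_request and resolve_status are all assumptions made for the example; resolve_status is a simplified model of DRF's dispatch order, not DRF itself, and the except ImportError stand-ins exist only so the block runs where DRF is not installed.

```python
"""Added example (not from the issue or any project): a DRF-style signature
authentication class that raises AuthenticationFailed (401) for a bad signature
and leaves permission failures (403) to the permission layer, with a small model
of how DRF maps those outcomes to status codes."""
import hashlib
import hmac
from types import SimpleNamespace

try:
    from rest_framework.authentication import BaseAuthentication
    from rest_framework.exceptions import AuthenticationFailed
    from rest_framework.permissions import BasePermission
except ImportError:  # minimal stand-ins so the example runs without DRF installed
    class BaseAuthentication:
        def authenticate_header(self, request):
            return None

    class AuthenticationFailed(Exception):
        status_code = 401

    class BasePermission:
        def has_permission(self, request, view):
            return True

# Constructed key store (key id -> secret, user, role); not real credentials.
KEYS = {
    "client-a": {"secret": b"constructed-secret-a", "user": "alice", "admin": True},
    "client-b": {"secret": b"constructed-secret-b", "user": "bob", "admin": False},
}


def compute_signature(secret, method, path, body):
    """HMAC-SHA256 over method, path and body (a deliberately simple signing string)."""
    msg = b"\n".join([method.encode(), path.encode(), body])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def parse_params(value):
    """Parse 'keyId="a",signature="b"' into a dict; tolerates stray spaces."""
    params = {}
    for part in value.split(","):
        if "=" not in part:
            continue
        key, val = part.strip().split("=", 1)
        params[key] = val.strip('"')
    return params


class HmacSignatureAuthentication(BaseAuthentication):
    """Assumed header format: Authorization: Signature keyId="<id>",signature="<hex>"."""

    def authenticate(self, request):
        header = request.META.get("HTTP_AUTHORIZATION", "")
        if not header.startswith("Signature "):
            return None  # no credentials for this scheme: DRF decides 401 vs 403
        params = parse_params(header[len("Signature "):])
        key = KEYS.get(params.get("keyId", ""))
        if key is None:
            raise AuthenticationFailed("Unknown key id")  # credential failure -> 401
        expected = compute_signature(key["secret"], request.method, request.path, request.body)
        given = params.get("signature", "")
        # Constant-time compare; a mismatch is a credential failure, so 401, not 403.
        if not hmac.compare_digest(expected.encode(), given.encode()):
            raise AuthenticationFailed("Invalid signature")
        return (key["user"], key)  # (user, auth) tuple as DRF expects

    def authenticate_header(self, request):
        # A non-empty value makes DRF answer 401 + WWW-Authenticate instead of 403.
        return 'Signature realm="api",headers="(request-target)"'


class IsAdminKey(BasePermission):
    """Permission check that runs only after authentication succeeded."""

    def has_permission(self, request, view):
        return bool(request.auth and request.auth["admin"])


def make_request(method, path, body=b"", signature=None, key_id=None):
    """Constructed stand-in for a DRF request exposing only the fields used above."""
    meta = {}
    if signature is not None:
        meta["HTTP_AUTHORIZATION"] = f'Signature keyId="{key_id}",signature="{signature}"'
    return SimpleNamespace(META=meta, method=method, path=path, body=body,
                           user=None, auth=None)


def resolve_status(request, permission=None):
    """Simplified model of DRF's order: authenticate first, then check permissions."""
    permission = permission or IsAdminKey()
    authenticator = HmacSignatureAuthentication()
    try:
        result = authenticator.authenticate(request)
    except AuthenticationFailed:
        return 401  # bad credentials; WWW-Authenticate comes from authenticate_header
    if result is None:
        # Unauthenticated: DRF returns 401 only if the first authenticator
        # advertises a header, otherwise it downgrades the response to 403.
        return 401 if authenticator.authenticate_header(request) else 403
    request.user, request.auth = result
    return 200 if permission.has_permission(request, None) else 403


if __name__ == "__main__":
    good = compute_signature(KEYS["client-b"]["secret"], "GET", "/admin", b"")
    print(resolve_status(make_request("GET", "/admin", b"", "bad", "client-b")))  # 401
    print(resolve_status(make_request("GET", "/admin", b"", good, "client-b")))   # 403
```

The status split is what makes failures diagnosable on the client side: a 401 carrying the WWW-Authenticate header tells the caller to fix its signing, while a 403 means the key was verified and the request was rejected by policy. The same mechanism is why the workaround in the second comment works: DRF consults only the first class in DEFAULT_AUTHENTICATION_CLASSES for authenticate_header when deciding whether an unauthenticated request gets 401 or 403.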
