Failed Login should result in the appropriate HTTP-Status Code #657
Labels
auth provider
enhancement
Wants to improve an existing feature
upstream
This issue belongs to a library or component outside
Right now, if you try to log in with weird credentials, you'll receive an HTTP 302 redirect and get back to the root of the project, which will happily claim to be HTTP 200 OK. At no point is there a machine-readable mention of the failed login.
This is bad for at least two reasons: You can't properly script a login and browsers will offer to save your credentials, even if they are faulty.
I would like to suggest changing this to actually, at some point, reply with an HTTP 400-ish response code. Perhaps 401 Unauthorized.
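An added example, not code from the project or from the issue author: a minimal in-process WSGI login handler showing why a script cannot tell a rejected login from an accepted one when both answer 302, and how a 401 makes the failure machine-readable. The `/login` path, the `username`/`password` field names and the demo account are assumptions made for the illustration.

```python
import hmac
import io
from urllib.parse import parse_qs, urlencode
from wsgiref.util import setup_testing_defaults

USERS = {"alice": "correct horse"}  # constructed demo account, not real data


def make_login_app(failure_status):
    """WSGI login handler; failure_status is the code sent for a rejected login."""
    def app(environ, start_response):
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode("utf-8"))
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        expected = USERS.get(user)
        # Unknown users are rejected outright; known ones get a constant-time compare.
        if expected is not None and hmac.compare_digest(
                expected.encode(), password.encode()):
            start_response("302 Found", [("Location", "/"),
                                         ("Set-Cookie", "session=demo; HttpOnly")])
            return [b""]
        if failure_status == 302:
            # Behaviour described in the issue: same redirect as a success.
            start_response("302 Found", [("Location", "/")])
            return [b""]
        # Proposed behaviour: an explicit, machine-readable failure.
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"invalid credentials\n"]
    return app


def post_login(app, username, password):
    """Submit the form to the app in-process and return the HTTP status code."""
    body = urlencode({"username": username, "password": password}).encode()
    environ = {}
    setup_testing_defaults(environ)
    environ.update({"REQUEST_METHOD": "POST", "PATH_INFO": "/login",
                    "CONTENT_LENGTH": str(len(body)),
                    "wsgi.input": io.BytesIO(body)})
    seen = []
    b"".join(app(environ, lambda status, headers: seen.append(status)))
    return int(seen[0].split()[0])


legacy = make_login_app(302)    # current behaviour per the issue
proposed = make_login_app(401)  # behaviour the issue asks for
```

With `legacy`, a client following the redirect ends on a 200 page either way; with `proposed`, checking the status code of the login response is enough.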