@sirtet opened this Issue on February 24th 2015

When trying a Piwik page without logging in, the response is the login form, delivered with status code 200 OK. I think that should be delivered with a 403.

@mnapoli commented on February 24th 2015 Contributor

:+1: but I think [401 is better](http://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_Error)

401 Unauthorized

Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided.

@mattab commented on February 24th 2015 Member

Hi there,
I think if we change to 403, some web server configs will catch this and show an error page instead; this could break Piwik for some users.

@sirtet commented on February 25th 2015

According to
401 seems more correct, but here
it's said that 401 is only to be used with http auth.
It also says that is why Drupal is using 403.

As Drupal uses 403, I think it should be safe for Piwik too.

Not having the correct response code can be critical for some services, I think.
I stumbled into a concrete case of this problem on a Piwik plugin:

@mnapoli commented on February 25th 2015 Contributor

That's an interesting POV, maybe 403 is OK then especially since it's not an HTTP API here.

@pfrenssen commented on June 23rd 2017

This also happens when accessing the Reporting API without providing a token_auth, it will return a 200 OK. We need to inspect the body and look for result => error. It would be more convenient if we could rely on the HTTP response code.
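The check described in the comment above, as an added example (not code from the Piwik project or from the commenter): a small client-side helper that refuses to trust a 200 OK from the Reporting API and instead classifies the body. It assumes `format=JSON` was requested, that the error envelope is `{"result": "error", "message": "..."}` (the `result => error` key is from the thread; the `message` key is an assumption), and that the login form, when it comes back instead of data, is served as HTML. The sample responses are constructed for the example.

```python
import json


class PiwikApiError(Exception):
    """Raised when the Reporting API signals failure despite an HTTP 2xx."""


# Constructed sample responses (not captured from a real Piwik instance).
SUCCESS_BODY = '[{"label": "Direct Entry", "nb_visits": 12}]'
ERROR_BODY = json.dumps({
    "result": "error",
    "message": "You can't access this resource as it requires 'view' access "
               "for the website id = 1. Provide a valid token_auth.",
})
LOGIN_PAGE_BODY = (
    "<!DOCTYPE html><html><body>"
    '<form id="login_form" method="post"><input name="form_login"></form>'
    "</body></html>"
)


def classify_response(status, content_type, body):
    """Classify a Reporting API response without trusting the status code.

    Returns one of:
      ("http_error", status)    - server actually used a 4xx/5xx
      ("login_page", None)      - HTML came back instead of data (200 OK
                                  login form, as described in the issue)
      ("api_error", message)    - JSON envelope with result == "error"
      ("ok", data)              - decoded JSON payload
    """
    if status >= 400:
        return ("http_error", status)
    if "json" not in (content_type or "").lower():
        # The login form is delivered with 200 OK, so only the body tells us.
        return ("login_page", None)
    try:
        data = json.loads(body)
    except ValueError:
        # Not the API's error envelope and not valid JSON: treat as failure
        # rather than silently passing garbage to the caller.
        return ("api_error", "response body is not valid JSON")
    # Assumed envelope shape: {"result": "error", "message": "..."}.
    if isinstance(data, dict) and data.get("result") == "error":
        return ("api_error", data.get("message", "unknown API error"))
    return ("ok", data)


def fetch_report(status, content_type, body):
    """Return the decoded payload or raise PiwikApiError.

    In a real client the three arguments come from the HTTP response object
    (status code, Content-Type header, body text).
    """
    kind, detail = classify_response(status, content_type, body)
    if kind == "ok":
        return detail
    if kind == "http_error":
        raise PiwikApiError(f"HTTP {detail}")
    if kind == "login_page":
        raise PiwikApiError("got the login form: missing or invalid token_auth")
    raise PiwikApiError(f"API error: {detail}")


if __name__ == "__main__":
    for name, resp in [
        ("success", (200, "application/json", SUCCESS_BODY)),
        ("missing token_auth", (200, "application/json", ERROR_BODY)),
        ("login form", (200, "text/html; charset=utf-8", LOGIN_PAGE_BODY)),
    ]:
        try:
            print(name, "->", fetch_report(*resp))
        except PiwikApiError as exc:
            print(name, "->", exc)
```

The point of keying on `result == "error"` rather than on the status line is exactly the one the comment makes: until the server returns a 401/403, every caller has to carry this body inspection, and a client that checks only `status == 200` will happily treat the login page or the error envelope as a successful report.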
