[squeak-dev] The Inbox: WebClient-Core-ct.126.mcz

Thiede, Christoph Christoph.Thiede at student.hpi.uni-potsdam.de
Mon Oct 12 19:25:02 UTC 2020


Hi Tobias!


I don't understand your objection. As the link says, some REST APIs will return a 404 Not Found error rather than a 401 Unauthorized error to make sure that unauthorized users cannot know the list of private objects that exist for the owning user.

For example, the GitHub API will respond with a 404 error if you try to access the following URL without authorization: https://api.github.com/repos/LinqLover/openHAB-configuration/zipball/master<https://api.github.com/repos/LinqLover/qaark/zipball/master>

However, I swear that this repository actually exists, and I will get a 202 OK response if I authenticate before!

It's the same pattern as not telling you whether your email or your password is wrong on any web service to protect the knowledge about registered users from possible attackers.


> I do not support preemptive authentication, especially in non-SSL circumstances.

Why not? However, I would not dislike a warning being raised every time you try to authenticate if the scheme is not https.

> It is also hard to see the differences because you reformatted the method :/

That's truly a problem ... I found the original method version suboptimal to read. Is the prettyDiffs an option for you? Otherwise, I can split up this inbox version.

Best,
Christoph
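As an added illustration (not code from the thread or from WebClient), here is a small Python model of the status-code policy quoted below and of the client rule suggested above: credentials are retried on 401 or 404, but only over https. The resources, users and the function names `status_for`, `leaks_existence` and `should_send_credentials` are constructed assumptions; the example also goes slightly beyond the thread by showing the naive "403 for a forbidden resource" variant and why it reveals existence.

```python
import warnings
from urllib.parse import urlsplit

# Constructed sample data: which resources exist and who may read what.
RESOURCES = {"repos/alice/private-notes", "repos/alice/public-site"}
OPEN = {"repos/alice/public-site"}            # readable without authentication
NEEDS_AUTH_CATEGORY = "repos/"                # category that requires a login
ACCESS = {
    "alice": {"repos/alice/private-notes", "repos/alice/public-site"},
    "bob": {"repos/alice/public-site"},       # has the category, not the private repo
    "carol": set(),                           # no access to the category at all
}

def status_for(path, user, hide_existence=True):
    """Map (resource, caller) to the codes from the quoted StackOverflow list.
    hide_existence=False is the naive variant that answers 403 for a resource
    the caller may not see, which tells the caller that it exists."""
    if path in OPEN:
        return 200                            # open and found
    if user is None:
        return 401 if path.startswith(NEEDS_AUTH_CATEGORY) else 404
    granted = ACCESS.get(user, set())
    if not any(p.startswith(NEEDS_AUTH_CATEGORY) for p in granted):
        return 403                            # no access to the whole category
    if path not in RESOURCES:
        return 404                            # resource does not exist
    if path in granted:
        return 200
    return 404 if hide_existence else 403     # exists, but not for this caller

def leaks_existence(user, hide_existence):
    """True if the responses let `user` tell a forbidden resource from a missing one."""
    forbidden = status_for("repos/alice/private-notes", user, hide_existence)
    missing = status_for("repos/alice/does-not-exist", user, hide_existence)
    return forbidden != missing

def should_send_credentials(url, status):
    """Client rule from the thread: retry with credentials on 401 and, for APIs
    that mask private resources, on 404 - but refuse (with a warning) when the
    scheme is not https, since the credentials would travel in the clear."""
    if status not in (401, 404):
        return False
    scheme = urlsplit(url).scheme
    if scheme != "https":
        warnings.warn("refusing to send credentials over %r" % scheme)
        return False
    return True
```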

________________________________
From: Squeak-dev <squeak-dev-bounces at lists.squeakfoundation.org> on behalf of Tobias Pape <Das.Linux at gmx.de>
Sent: Monday, 12 October 2020 21:06:21
To: The general-purpose Squeak developers list
Subject: Re: [squeak-dev] The Inbox: WebClient-Core-ct.126.mcz

Hi

> On 12.10.2020, at 20:47, Thiede, Christoph <Christoph.Thiede at student.hpi.uni-potsdam.de> wrote:
>
> For example, many modern REST APIs tend to return an error 404 if an attempt is made to access a private resource without authenticating before [1], which currently makes it impossible to authenticate to these APIs using the WebClient.


No, that's not what the link says:

Q: "1. How to deal with unauthorized requests?

I'm intending to respond to requests with the following codes:

        • Is the resource open and found? 200 OK
        • Do you need to be authenticated to access the resources? 401 Unauthorized
        • Don't you have access to a category of resources? 403 Forbidden
        • Do you have access to a category of resources, but not to this specific resource? 404 Not Found to prevent people from getting to know the existence of a resource they do not have access to.
        • Doesn't the resource exist? 404 Not Found

"
A: "How to deal with unauthorized requests?

The way you described it is pretty much the recommended way for a RESTful service. As far as I can see there is absolutely nothing wrong with that."


That means: "Do you need to be authenticated to access the resources? 401 Unauthorized"

I do not support preemptive authentication, especially in non-SSL circumstances.


=-=-=-=


It is also hard to see the differences because you reformatted the method :/

Best regards
        -Tobias
