Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Changed response from 500 to 401 on unexpected message type 3 #62

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Changed response from 500 to 401 on unexpected message type 3 #62

wants to merge 2 commits into from

Conversation

bjowes
Copy link
Contributor

@bjowes bjowes commented Dec 17, 2018

As explained in isse #61

@einfallstoll
Copy link
Owner

I'm not sure whether I'm happy with this. The package yields a 500 Internal Server Error whenever something unexpected happens. If I would accept this PR, I would probably have to change the other places as well.

I will see how the implementation specification expects this or if it's up to me to decide this.

You can always overwrite the internalservererror handler through the options, so you could send a 401 instead.

@einfallstoll
Copy link
Owner

From [MS-NTHT]: NTLM Over HTTP Protocol:

Any return code other than a client error HTTP 401 status code (for more information, see [RFC2616] section 10.4.2), represents successful authentication. If the client is not able to access the requested resource and the response status code is not HTTP 401, the problem is HTTP protocol-specific (for more information, see [RFC2616] section 10).

How would you interpret that? On one hand "Any return code other than a client error HTTP 401 status code, [...] represents successful authentication." means a HTTP 500 would mean a successful authentication, which would be bad and should be fixed according to your PR and I would have to change the others as well, on the other hand "If the client is not able to access the requested resource and the response status code is not HTTP 401, the problem is HTTP protocol-specific [...]" could be interpreted so the usage of HTTP 500 would be acceptable and this is up to the implementation how to handle it.

@bjowes
Copy link
Contributor Author

bjowes commented Dec 17, 2018

Understood, it is nice to have a consistent approach. I tried looking through some specs but couldn't find details on this - maybe you have access to better docs.

My thinking is that with a 401 response, most browsers would recover automatically. I am working with proxies, and when I enable/disable a proxy, chrome keeps thinking I am authenticated and sends the type 3 message. If it would receive the 401, it would re-authenticate without any user intervention.

@einfallstoll
Copy link
Owner

einfallstoll commented Dec 17, 2018
edited
Loading

If the implementation is strictly "Any return code other than a client error HTTP 401 status code, [...] represents successful authentication." (as you stated with the example in Chrome), then we will have to change our implementation according to this, even though this means introducing a breaking change.

@bjowes
Copy link
Contributor Author

bjowes commented Dec 17, 2018

Nice catch from the docs! I think it doesn't make sense to claim that 500 means authenticated. A 500 error could arise before authentication takes place. But I understand the purpose - you can receive many different status codes and still be authenticated, like 202 or 304.

@einfallstoll
Copy link
Owner

True! I will sleep over this, but I will probably merge your PR and remove internalservererror entirely. Still have to think about the impact.

@LRipi
Copy link

LRipi commented Oct 25, 2022

@einfallstoll Any news about merging the PR? 😄

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bjowes @einfallstoll @LRipi