http-basic without redirect #38

Closed
stuartsierra opened this Issue Dec 4, 2012 · 2 comments


Under the following circumstances:

  • Friend release 0.1.2
  • Using the http-basic workflow
  • With :allow-anon? true
  • The client requests a route that requires authorization
    (as by wrap-authorize)
  • The client does not supply any authentication headers

Friend will redirect to the :login-url instead of returning a 403 error.

cemerick (Owner) commented Dec 4, 2012

From irc:

The real fix is to add a new kwarg to friend/authenticate* that will be used instead of (the really badly-named redirect-unauthorized). :unauthenticated-handler will do re: naming.

That will allow you to specify what response should be sent in any unauthenticated circumstance. Reasonable prefab options would be one handler that redirects to a :login-uri (the current behaviour), another that sends a 403.

cemerick closed this in 81d96e7 Jan 13, 2013

cemerick (Owner) commented Jan 13, 2013

See the usage of the new :unauthenticated-handler option in the mock test app. Proper documentation of it + a standalone example app that uses it coming soon.

Oh, and you do want a 401, not a 403, at least for the case originally described.
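To illustrate the behaviour discussed in this thread, here is an added Ring/Compojure example (not from the Friend repository or the mock test app referenced above) that wires the `http-basic` workflow with `:allow-anon? true` and supplies an `:unauthenticated-handler` that answers a missing `Authorization` header with a 401 plus a `WWW-Authenticate` challenge instead of redirecting to a login page. The namespace, the user map, the `::admin` role, the `"api"` realm and the handler names are constructed for this example; the `friend/authenticate`, `friend/wrap-authorize`, `workflows/http-basic` and `creds/bcrypt-credential-fn` calls follow the public Friend API as understood at the time of this fix, and the exact option names should be checked against the Friend version in use.

```clojure
(ns example.handler
  (:require [cemerick.friend :as friend]
            [cemerick.friend.credentials :as creds]
            [cemerick.friend.workflows :as workflows]
            [compojure.core :refer [defroutes GET]]
            [ring.middleware.params :refer [wrap-params]]))

;; Constructed user store: passwords are stored bcrypt-hashed, never in clear text.
(def users
  {"admin" {:username "admin"
            :password (creds/hash-bcrypt "change-me")
            :roles    #{::admin}}})

;; Response for a request that reaches a protected route with no credentials.
;; A 401 with a WWW-Authenticate challenge is the correct answer for HTTP Basic
;; clients (see the comment above); a redirect to a login page only makes sense
;; for browser form logins.
(defn unauthenticated-401 [request]
  {:status  401
   :headers {"WWW-Authenticate" "Basic realm=\"api\""
             "Content-Type"     "text/plain"}
   :body    "Authentication required"})

;; Response for a caller that did authenticate but lacks the required role.
(defn unauthorized-403 [request]
  {:status  403
   :headers {"Content-Type" "text/plain"}
   :body    "Forbidden"})

(defroutes public-routes
  (GET "/public" [] "hello, anyone"))

;; Everything under /admin requires the ::admin role; wrap-authorize is what
;; triggers the unauthenticated/unauthorized handlers when the check fails.
(defroutes admin-routes
  (GET "/admin" [] "hello, admin"))

(def app
  (-> (compojure.core/routes
        public-routes
        (friend/wrap-authorize admin-routes #{::admin}))
      (friend/authenticate
        {:allow-anon?             true            ; /public stays reachable without credentials
         :unauthenticated-handler unauthenticated-401
         :unauthorized-handler    unauthorized-403
         :workflows [(workflows/http-basic
                       :credential-fn (partial creds/bcrypt-credential-fn users)
                       :realm "api")]})
      wrap-params))
```

With this configuration, `GET /public` succeeds anonymously, `GET /admin` without an `Authorization` header gets the 401 challenge rather than a 302 to a login URI, and `GET /admin` with valid credentials but no `::admin` role gets a 403. Keeping the two failure cases distinct also makes them easy to tell apart in access logs, which is useful when looking for credential-guessing against the Basic-auth endpoint.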
