
When OAuth password verification fails, return 401 instead of redirect #5111

Merged
merged 1 commit into from Sep 27, 2017

2 participants
@Gargron (Member) commented Sep 26, 2017

Call to warden.authenticate! in resource_owner_from_credentials would make the request redirect to sign-in path, which is a bad response for apps. Now bad credentials just return nil, which leads to HTTP 401 from Doorkeeper. Also, accounts with enabled 2FA cannot be logged into this way.

As far as I know this only affects the POST /oauth/token response with grant_type=password.

When OAuth password verification fails, return 401 instead of redirect
Call to warden.authenticate! in resource_owner_from_credentials would
make the request redirect to sign-in path, which is a bad response for
apps. Now bad credentials just return nil, which leads to HTTP 401
from Doorkeeper. Also, accounts with enabled 2FA cannot be logged into
this way.
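
The behaviour the PR description refers to, as an added example that is not Mastodon's or Doorkeeper's code: a stand-in for Doorkeeper's resource_owner_from_credentials hook in its pre-fix form (delegating to a warden.authenticate!-style call that escapes as a redirect) and its post-fix form (returning nil for bad credentials and for 2FA-enabled accounts), plus a minimal token-endpoint stub that turns a nil resource owner into the 401 the PR describes. The user store, find_user, warden_authenticate!, token_endpoint and the invalid_grant error name are constructed assumptions for the example.

```ruby
require 'digest'

# Constructed user store: email => [password digest, 2FA required?]
USERS = {
  'alice@example.com' => [Digest::SHA256.hexdigest('correct horse'), false],
  'bob@example.com'   => [Digest::SHA256.hexdigest('battery staple'), true]
}.freeze

User = Struct.new(:email, :password_digest, :otp_required_for_login) do
  def valid_password?(candidate)
    Digest::SHA256.hexdigest(candidate.to_s) == password_digest
  end
end

def find_user(email)
  digest, otp = USERS[email]
  digest && User.new(email, digest, otp)
end

# Stand-in for warden.authenticate!: on failure it throws :warden, which a real
# Rails app's Warden failure app turns into a redirect to the sign-in page.
def warden_authenticate!(params)
  user = find_user(params[:username])
  throw :warden, :redirect_to_sign_in unless user&.valid_password?(params[:password])
  user
end

# Hook as it behaved before the fix: a failed login escapes as a redirect.
def resource_owner_before(params)
  warden_authenticate!(params)
end

# Hook after the fix: nil for bad credentials and for accounts with 2FA
# enabled, so the password grant is refused instead of redirected.
def resource_owner_after(params)
  user = find_user(params[:username])
  user if user&.valid_password?(params[:password]) && !user.otp_required_for_login
end

# Stand-in for Doorkeeper's POST /oauth/token handling of grant_type=password:
# a nil resource owner becomes a 401 (error name invalid_grant is an assumption).
def token_endpoint(params, hook)
  owner = catch(:warden) { send(hook, params) }
  return [302, '/auth/sign_in'] if owner == :redirect_to_sign_in
  owner ? [200, 'access_token'] : [401, 'invalid_grant']
end
```

An API client sees the difference directly: with the old hook a wrong password yields a 302 to the HTML sign-in page, with the new one a 401 it can act on.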

@Gargron Gargron added the api label Sep 26, 2017

@Gargron Gargron merged commit db3ed49 into master Sep 27, 2017

3 checks passed:
- codeclimate: All good!
- continuous-integration/travis-ci/pr: The Travis CI build passed
- continuous-integration/travis-ci/push: The Travis CI build passed

@Gargron Gargron deleted the fix-doorkeeper-redirect-response branch Sep 27, 2017

rutan added a commit to rutan/mastodon that referenced this pull request Oct 11, 2017

When OAuth password verification fails, return 401 instead of redirect (tootsuite#5111)

takayamaki added a commit to takayamaki/mastodon that referenced this pull request Oct 12, 2017

When OAuth password verification fails, return 401 instead of redirect (tootsuite#5111)

cobodo pushed a commit to cobodo/mastodon that referenced this pull request Oct 20, 2017

When OAuth password verification fails, return 401 instead of redirect (tootsuite#5111)