Why the decorator tornado.web.authenticated(method) only supports GET/HEAD?
if self.request.method in ("GET", "HEAD"):
Here's a little background:
I don't think redirecting an unauthenticated user who was attempting a POST would generally work: The user's browser has begun sending POST data to your Tornado application, but the application finds the user isn't logged in, so it redirects the browser to a login page to collect a username and password. What should happen to the POST data?
@tornado.web.authenticated can be used on handlers that implement POST or other methods, but it will only redirect for GET or HEAD. Other requests will result in an error instead of a redirect because the POST data or original method would be silently lost if we redirected to a login page. This is seldom an issue in practice because XSRF concerns dictate that POST requests must generally be preceded by a GET.