
Do not redirect to login_url for XMLHttpRequests #950

Closed
Contributor

jvhellemond commented Dec 4, 2013

When using the web.authenticated decorator, it would be nice to not redirect to the login_url for unauthenticated XMLHttpRequests, but raise a 403 error instead. There is no foolproof way of detecting an XMLHttpRequest, but there seems to be some consensus amongst JS frameworks (mainly jQuery) to add the X-Requested-With: XMLHttpRequest header to same-origin requests.

Owner

bdarnell commented Dec 11, 2013

The relevant distinction is not XMLHTTPRequest vs everything else, it's HTML/browser-based authentication vs everything else - things like mobile apps should in most cases get 403 instead of a redirect. I don't think it's a good idea to build more policy logic into @authenticated - it's good for the simplest cases, but once you have multiple authentication mechanisms you'll probably want to use it as a template for your own decorator instead of using it directly.

@bdarnell bdarnell added the web label Jul 16, 2014

@bdarnell bdarnell closed this Jan 24, 2015
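
The approach suggested in the reply above, using `@authenticated` as a template for a project-specific decorator, could look like the following. This is an added example, not code from this pull request or from Tornado; `authenticated_or_403` and `is_browser_navigation` are hypothetical names, and the header checks are an assumed policy. The headers are client-controlled, so they only choose between a redirect and a 403 and never grant access.

```python
import functools
from urllib.parse import urlencode

try:
    from tornado.web import HTTPError
except ImportError:  # fallback so the sketch also runs without Tornado installed
    class HTTPError(Exception):
        def __init__(self, status_code, log_message=None):
            super().__init__(status_code, log_message)
            self.status_code = status_code


def is_browser_navigation(request):
    """Heuristic (assumed policy): True only for a plain browser page load
    that can usefully follow a redirect to an HTML login form."""
    headers = request.headers
    if request.method not in ("GET", "HEAD"):
        return False
    if headers.get("X-Requested-With", "").lower() == "xmlhttprequest":
        return False  # the jQuery-style marker mentioned in the pull request
    if headers.get("Authorization"):
        return False  # API or mobile client presenting its own credentials
    return "text/html" in headers.get("Accept", "")


def authenticated_or_403(method):
    """Like tornado.web.authenticated, but only browser navigations are
    redirected; every other unauthenticated request gets a 403."""
    @functools.wraps(method)
    def wrapper(self, *args, **kwargs):
        if not self.current_user:
            if is_browser_navigation(self.request):
                url = self.get_login_url()
                sep = "&" if "?" in url else "?"
                # request.uri is path plus query, so "next" stays same-site
                self.redirect(url + sep + urlencode({"next": self.request.uri}))
                return None
            raise HTTPError(403)
        return method(self, *args, **kwargs)
    return wrapper
```

The authentication decision itself still rests only on `current_user`; a client that forges or omits these headers changes the shape of the refusal, not its outcome.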
