Failed login returns 200 Ok

uckelman · August 21, 2023, 8:11pm

I’m doing a POST to /session.json with the payload

{
  "login": "skroob",
  "password": "12345",
  "authenticity_token": "..."
}

When login succeeds, the status is 200 and the JSON returned is a bunch of user data. When login fails, the JSON returned looks like

{"error": "Incorrect username, email or password"}

but the status is still 200. Is this a bug? Should the status for a failed login be something >= 400, to indicate a failure?

maiki · August 21, 2023, 11:04pm

Maybe. I would probably go for 401.

But those are also HTTP status codes, for HTTP client connections; I think that nuance leads to decisions like returning a 200 (“your POST was successful, here is the feedback”).

Not sure, myself.

Falco · August 21, 2023, 11:11pm

uckelman · August 21, 2023, 11:38pm

I can see the rationale for a 200 on a failed login meaning that your login failed successfully, instead of failing unsuccessfully.

sam · August 21, 2023, 11:59pm

Keep in mind this is also a bit of a “feature” in that it confuses bots that are trying to log in.

I am mixed on changing this. Maybe…

uckelman · August 22, 2023, 1:16pm

I’m not asking for a change. What I wanted was disjunctive: a change OR confirmation that the behavior is intentional—which I have now. Thanks!

Topic		Replies	Views
Initial paging for topics in category is failing Bug	3	563	September 5, 2018
Webhook delivery errors when length is incorrect Support	5	1012	September 30, 2016
Failed to load resource: the server responded with a status of 422 Bug chat	4	838	June 24, 2023
The pages for the tags with the «.json» suffix are rendered incorrectly Bug	4	1305	April 15, 2016
API Inviting an email from blacklisted domains returns HTTP 402 but no json Bug	9	1371	June 13, 2017

Failed login returns 200 Ok

Related Topics