Failed login returns 200 Ok

uckelman · August 21, 2023, 8:11pm

I’m doing a POST to /session.json with the payload

{
  "login": "skroob",
  "password": "12345",
  "authenticity_token": "..."
}

When login succeeds, the status is 200 and the JSON returned is a bunch of user data. When login fails, the JSON returned looks like

{"error": "Incorrect username, email or password"}

but the status is still 200. Is this a bug? Should the status for a failed login be something >= 400, to indicate a failure?

maiki · August 21, 2023, 11:04pm

Maybe. I would probably go for 401.

But those are also HTTP status codes, for HTTP client connections; I think that nuance leads to decisions like returning a 200 (“your POST was successful, here is the feedback”).

Not sure, myself.

Falco · August 21, 2023, 11:11pm

uckelman · August 21, 2023, 11:38pm

I can see the rationale for a 200 on a failed login meaning that your login failed successfully, instead of failing unsuccessfully.

sam · August 21, 2023, 11:59pm

Keep in mind this is also a bit of a “feature” in that it confuses bots that are trying to log in.

I am mixed on changing this. Maybe…

uckelman · August 22, 2023, 1:16pm

I’m not asking for a change. What I wanted was disjunctive: a change OR confirmation that the behavior is intentional—which I have now. Thanks!

Topic		Replies	Views
Log Invalid Login Attempts for Fail2ban and upstream server action feature	12	1747	February 24, 2023
Initial paging for topics in category is failing bug	3	536	September 5, 2018
Webhook delivery errors when length is incorrect support	5	983	September 30, 2016
Failed to load resource: the server responded with a status of 422 bug chat	4	706	June 24, 2023
The pages for the tags with the «.json» suffix are rendered incorrectly bug	4	1259	April 15, 2016

Failed login returns 200 Ok

Related Topics