HTTP 401 responses causing issues with Basic Authentication #2983
Comments
Please update your first post to keep your exact installation information - "any" is not really suitable at this point - sorry. :) Also, please do provide your complete webserver configuration (and let us know which one you're using). Right now it smells a bit like a technical question, but I'd like to make sure completely. However, for that I need everything. ;) Thanks.
Hi again,
Thanks for the update. The config of your webserver is our default configuration extended by basic auth? Would you mind providing that vhost config as well? Just to be sure I'm not missing something. Thanks!
Yes, it's basically just Zammad Default config + Basic Auth. Here is the vhost config:
We looked into that again. If I saw it correctly, this would mean app/controllers/application_controller/handles_errors.rb#L39 should be replaced with RFC says browsers should behave differently (https://tools.ietf.org/html/rfc7231#section-6.5.3): "If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials." Though, we had the same issue in another project last week and 403 works. Best
Sorry for taking so long. The authentication request for the basic authentication never reaches Zammad as the application but already ends at (and is checked by) your nginx or any other webserver you'd use. Thus, changing source code is in my opinion not solving your issue at all. See also: By the way: Closing as this is not a bug but a technical question.
Hi @MrGeneration, While I understand that this issue seems to be out of scope for the Zammad application, I still think that it is caused by it (and not the Nginx). I'll try to explain why: Let's assume our Nginx is not configured to use basic authentication. In this case, both of us agree that the Zammad application ("behind" the Nginx) just works fine. Now, we enable basic auth by adding the configuration stated above to our Nginx. Please note that even now, almost everything still works as expected - including both authentications (basic and Zammad login) and the Zammad application itself. The issue I tried to describe earlier on is caused sometime later (by Zammad!) when the application renders a page with status code 401. In this case, any webserver with enabled basic authentication is forced to log you out. I agree that semantically speaking 401 sounds "just right" in this case. Technically speaking, it causes inevitable issues with basic authentication and should be replaced with 403.
@thorsteneckel what's your opinion on this?
Hey guys! Thanks for the valuable information and descriptions. I read the RFC and was still a bit confused about the differences between 401 and 403. However, I found this great explanation over at StackOverflow. Quote:
That brings it to the point. Zammad uses 401 for However, we need to check the impact. I assume this is a breaking change because of all the implementations and API consumers out there. Further thoughts on this anyone? |
That is great news! Sounds good to me.
To keep you in the loop: We will implement this with the upcoming 4.0 release. For internal implementation purposes: https://thoughtbot.com/blog/forbidden-kisses-http-fluency-in-clearance |
Fixed with the commit above. We took the chance and improved some of the messages of You can test this with the latest
Infos:
Expected behavior:
Zammad integrates smoothly with a layer of basic authentication. Therefore, the status code "HTTP 401 Unauthorized" is never used. As an alternative, status code 403 would be a proper replacement.
Actual behavior:
Overall, Zammad has not many issues when combined with basic auth. But there are a few cases where a request is answered with a status code 401 and the current user is forced to re-enter his basic auth credentials.
The codebase can be searched easily for status 401 (or unauthorized): https://github.com/zammad/zammad/search?l=Ruby&q=%3Aunauthorized
Steps to reproduce the behavior:
THEN
OR
Yes I'm sure this is a bug and no feature request or a general question.
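The interaction the reporter describes above (an application-level 401 passing back through a webserver that enforces basic auth, and the resulting re-prompt) as an added, self-contained Ruby model; this is example code written for this page, not Zammad's or nginx's own code. DemoApp stands in for the application, BasicAuthGate for the nginx auth_basic layer, and BrowserModel for a browser that caches basic credentials and discards them on any 401; the class names, the credentials, the cookie name zammad_session and the path /api/v1/tickets are all assumptions made for the demo.

```ruby
# Added example (not Zammad's code): a Rack-style model of the setup described in this issue.
# All names, credentials and paths below are constructed for the demo.

# Stand-in for the application: an API path that requires the app's own session and
# answers with the configured status (401 before the change, 403 after) when it is missing.
class DemoApp
  def initialize(auth_failure_status)
    @auth_failure_status = auth_failure_status
  end

  def call(env)
    cookies = (env['HTTP_COOKIE'] || '').split(/;\s*/).to_h { |c| c.split('=', 2) }
    logged_in = cookies['zammad_session'] == 'valid' # constructed session check
    if env['PATH_INFO'] == '/api/v1/tickets' && !logged_in
      return [@auth_failure_status, { 'content-type' => 'application/json' },
              ['{"error":"authentication required"}']]
    end
    [200, { 'content-type' => 'application/json' }, ['[]']]
  end
end

# Stand-in for the webserver's basic auth (nginx auth_basic): it verifies the Authorization
# header itself and answers 401 + WWW-Authenticate before the request reaches the app.
class BasicAuthGate
  def initialize(app, user, password)
    @app = app
    @expected = "#{user}:#{password}"
  end

  def call(env)
    header = env['HTTP_AUTHORIZATION'].to_s
    presented = header.start_with?('Basic ') ? header[6..].unpack1('m') : nil
    unless presented == @expected
      return [401, { 'www-authenticate' => 'Basic realm="restricted"' }, ['']]
    end
    @app.call(env)
  end
end

# Simplified browser model (assumption for this demo): it caches the basic auth credentials
# the user typed and forgets them as soon as any response comes back as 401, which is the
# forced re-login the issue reporter observed.
class BrowserModel
  attr_reader :basic_credentials

  def initialize(app)
    @app = app
    @basic_credentials = nil
  end

  def enter_basic_credentials(user, password)
    @basic_credentials = "#{user}:#{password}"
  end

  def request(path, cookie: nil)
    env = { 'PATH_INFO' => path, 'REQUEST_METHOD' => 'GET' }
    env['HTTP_AUTHORIZATION'] = "Basic #{[@basic_credentials].pack('m0')}" if @basic_credentials
    env['HTTP_COOKIE'] = cookie if cookie
    status, = @app.call(env)
    @basic_credentials = nil if status == 401 # cached basic credentials are discarded
    status
  end
end

# Runs the scenario for a given application-level status: first a request without the app
# session (which the app rejects), then a request with a valid app session.
def simulate(auth_failure_status)
  app = BasicAuthGate.new(DemoApp.new(auth_failure_status), 'ops', 's3cret')
  browser = BrowserModel.new(app)
  browser.enter_basic_credentials('ops', 's3cret')
  without_session = browser.request('/api/v1/tickets')
  with_session    = browser.request('/api/v1/tickets', cookie: 'zammad_session=valid')
  { without_session: without_session, with_session: with_session,
    basic_auth_kept: !browser.basic_credentials.nil? }
end

if __FILE__ == $PROGRAM_NAME
  puts "app answers 401: #{simulate(401)}"
  puts "app answers 403: #{simulate(403)}"
end
```

With the application answering 401, the second request fails at the basic auth gate even though the app session is now valid, because the browser already dropped its basic credentials; with 403 the basic credentials survive and the second request succeeds. The browser model deliberately ignores the WWW-Authenticate header, since the point of the issue is that real browsers re-prompt on the status code coming from the application, not only on the gate's own challenge.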