Skip to content
This repository was archived by the owner on Apr 26, 2024. It is now read-only.

Return the proper 403 Forbidden error during errors with JWT logins.#7844

Merged
clokep merged 1 commit intodevelopfrom
clokep/jwt-consistency
Jul 15, 2020
Merged

Return the proper 403 Forbidden error during errors with JWT logins.#7844
clokep merged 1 commit intodevelopfrom
clokep/jwt-consistency

Conversation

@clokep
Copy link
Member

@clokep clokep commented Jul 14, 2020
edited
Loading

As I mentioned in #7776, the JWT login mechanism returns non-standard errors (401 instead of 403). This updates that mechanism to return the same errors as the m.login.token mechanism.

I should mention that the reasoning for this is that 401 is generally reserved for user-interactive authentication, while 403 is meant to be used for a failed login according to the spec for the login endpoint:

Status code 403:

The login attempt failed. This can include one of the following error codes:

  • M_FORBIDDEN: The provided authentication data was incorrect.
  • M_USER_DEACTIVATED: The user has been deactivated.

We probably want to mention this in the release notes, but I think it is OK to be a breaking change.

Also vaguely related to #7827 since we now return more errors for JWT logins.

@clokep clokep force-pushed the clokep/jwt-consistency branch from d8d3661 to beea1ff Compare July 14, 2020 12:57
@clokep clokep requested a review from a team July 14, 2020 15:03
richvdh
richvdh approved these changes Jul 15, 2020
View reviewed changes
Copy link
Member

@richvdh richvdh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@clokep clokep merged commit 111e70d into develop Jul 15, 2020
@clokep clokep deleted the clokep/jwt-consistency branch July 15, 2020 11:10
babolivier pushed a commit that referenced this pull request Sep 1, 2021
@anoadragon453
Merge commit 'a973bcb8a' into anoa/dinsic_release_1_18_x
d9e25be 
* commit 'a973bcb8a':
  Add some tiny type annotations (#7870)
  Remove obsolete comment.
  Ensure that calls to `json.dumps` are compatible with the standard library json. (#7836)
  Avoid brand new rooms in `delete_old_current_state_events` (#7854)
  Allow accounts to be re-activated from the admin APIs. (#7847)
  Fix tests
  Fix typo
  Newsfile
  Use get_users_in_room rather than state handler in typing for speed
  Fix client reader sharding tests (#7853)
  Convert E2E key and room key handlers to async/await. (#7851)
  Return the proper 403 Forbidden error during errors with JWT logins. (#7844)
  remove `retry_on_integrity_error` wrapper for persist_events (#7848)
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@richvdh richvdh richvdh approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@clokep @richvdh