This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Return the proper 403 Forbidden error during errors with JWT logins. #7844

Merged
merged 1 commit into from
Jul 15, 2020

Conversation


@clokep clokep commented Jul 14, 2020

As I mentioned in #7776, the JWT login mechanism returns non-standard errors (401 instead of 403). This updates that mechanism to return the same errors as the m.login.token mechanism.

I should mention that the reasoning for this is that 401 is generally reserved for user-interactive authentication, while 403 is meant to be used for a failed login according to the spec for the login endpoint:

Status code 403:

The login attempt failed. This can include one of the following error codes:

  • M_FORBIDDEN: The provided authentication data was incorrect.
  • M_USER_DEACTIVATED: The user has been deactivated.

We probably want to mention this in the release notes, but I think it is OK to be a breaking change.

Also vaguely related to #7827 since we now return more errors for JWT logins.
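To make the error mapping in the description concrete, here is an added illustration (not Synapse's code) of a minimal HS256 JWT login check in which every validation failure, whether a malformed token, a bad signature or an expired claim, yields 403 with `M_FORBIDDEN`, never 401. The shared secret, the `example.org` server name and the helper names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example only; not a real deployment value.
SECRET = b"example-shared-secret"
SERVER_NAME = "example.org"  # constructed homeserver name


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT; test helper used to produce sample logins."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def jwt_login(token: str, secret: bytes = SECRET, now=None) -> tuple:
    """Return (http_status, body) for a JWT login attempt.

    A failed login is 403 M_FORBIDDEN per the login endpoint spec; 401 is
    reserved for user-interactive auth and is never produced here.
    """
    now = time.time() if now is None else now

    def forbidden(msg: str) -> tuple:
        return 403, {"errcode": "M_FORBIDDEN", "error": msg}

    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        # The header's "alg" is ignored: the server always verifies HS256.
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return forbidden("Invalid JWT signature")
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers bad split, bad base64 and bad JSON
        return forbidden("Malformed JWT")
    if not isinstance(claims, dict) or not claims.get("sub"):
        return forbidden("Invalid JWT: missing sub")
    if "exp" in claims and claims["exp"] < now:
        return forbidden("JWT expired")
    return 200, {"user_id": f"@{claims['sub']}:{SERVER_NAME}"}
```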

@clokep clokep force-pushed the clokep/jwt-consistency branch from d8d3661 to beea1ff Compare July 14, 2020 12:57
@clokep clokep requested a review from a team July 14, 2020 15:03
@richvdh richvdh left a comment

lgtm

@clokep clokep merged commit 111e70d into develop Jul 15, 2020
@clokep clokep deleted the clokep/jwt-consistency branch July 15, 2020 11:10
babolivier pushed a commit that referenced this pull request Sep 1, 2021
* commit 'a973bcb8a':
  Add some tiny type annotations (#7870)
  Remove obsolete comment.
  Ensure that calls to `json.dumps` are compatible with the standard library json. (#7836)
  Avoid brand new rooms in `delete_old_current_state_events` (#7854)
  Allow accounts to be re-activated from the admin APIs. (#7847)
  Fix tests
  Fix typo
  Newsfile
  Use get_users_in_room rather than state handler in typing for speed
  Fix client reader sharding tests (#7853)
  Convert E2E key and room key handlers to async/await. (#7851)
  Return the proper 403 Forbidden error during errors with JWT logins. (#7844)
  remove `retry_on_integrity_error` wrapper for persist_events (#7848)