When an authenticated user is denied access because of an ACL, we receive the error 401 Unauthorized. This is not in line with the HTTP specification, which indicates that 401 Unauthorized is for indicating an authentication issue. 403 Forbidden should be used for indicating an authorization issue.
It's also required so that - for example in an AngularJS interceptor - you can differentiate between the need to show an access denied/request access page, instead of showing a login dialog.
Just found that this one is resolved by #301 - however, it is not documented as far as I could find out.
Solution: config.json:
{
"restApiRoot": "/api",
"host": "0.0.0.0",
"port": 3000,
"url": "http://localhost:3000",
"aclErrorStatus": 403
}
@crandmck could you please mention this option in the documentation? See #301 for more information.
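The client-side half of the issue above (the AngularJS interceptor that should tell "log in" apart from "access denied") as an added example; it is not code from this thread or from LoopBack, and it only works once the server is configured with "aclErrorStatus": 403 as in the config.json posted above. The `ui` callbacks (`showLogin`, `showAccessDenied`) and the `$q` parameter are assumed to be injected by the application.

```javascript
// Added example, not from the LoopBack issue or project.
// Maps an HTTP error status to the client action it should trigger.
// With LoopBack's default config an ACL denial also arrives as 401, so the
// client cannot tell it from a missing/expired session; "aclErrorStatus": 403
// makes the two cases distinguishable.
function classifyHttpError(status) {
  if (status === 401) return 'login';          // not authenticated: ask for credentials
  if (status === 403) return 'access-denied';  // authenticated, but the ACL denied the request
  return 'other';                              // anything else: let the caller handle it
}

// Builds an AngularJS-style $http interceptor.
// `ui` (assumed) exposes showLogin(url) and showAccessDenied(url);
// `$q` is Angular's promise service (assumed to be injected).
function createAuthInterceptor(ui, $q) {
  return {
    responseError: function (rejection) {
      var url = rejection.config ? rejection.config.url : undefined;
      var action = classifyHttpError(rejection.status);
      if (action === 'login') {
        ui.showLogin(url);
      } else if (action === 'access-denied') {
        ui.showAccessDenied(url);
      }
      // Always propagate the failure so the calling code still sees it.
      return $q.reject(rejection);
    }
  };
}

// Registration in a real app (not executed here):
// app.factory('authInterceptor', ['$q', 'ui', function ($q, ui) {
//   return createAuthInterceptor(ui, $q);
// }]);
// app.config(['$httpProvider', function ($httpProvider) {
//   $httpProvider.interceptors.push('authInterceptor');
// }]);
```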
I added an entry to the reference table in http://docs.strongloop.com/display/LB/config.json. We should also cover this in http://docs.strongloop.com/display/LB/Authentication+and+authorization but I don't see an obvious place. We're overhauling this area of the docs, in any case.
I would say all the things here: http://docs.strongloop.com/dosearchsite.action?queryString=401
Also possibly here: http://docs.strongloop.com/display/LB/Advanced+topics
PS: Strongloop is awesome.