HTTP 401 Unauthorized or 403 Forbidden for a “disabled” user?

独厮守ぢ 2021-02-01 04:15

An authentication service allows user accounts to be disabled (a sort of soft-delete).

If the server then receives an authentication request for a disabled user that would

3 answers
  •  轻奢々 (OP)
     2021-02-01 04:24

    Based on an email written by Roy T. Fielding, there's apparently a bug in the current HTTP spec.

    The way the spec is intended to be read is as follows (using quotes from above email):

    401 "Unauthenticated":

    you can't do this because you haven't authenticated

    403 "Unauthorized":

    user agent sent valid credentials but doesn't have access

    So, in the case of a disabled user, 403 is the correct response (and 404 is also an option).
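    A minimal server-side decision for the three cases in this answer, as an added example that is not part of the original post; the in-memory user table, the Basic-auth parsing and the `hide_disabled` option are assumptions made for the illustration:

```python
import base64
import hashlib
import hmac

# Constructed sample user table: username -> (sha256(password) hex digest, enabled flag).
# A real service would store salted hashes; this is just enough to run offline.
USERS = {
    "alice": (hashlib.sha256(b"correct horse").hexdigest(), True),
    "bob":   (hashlib.sha256(b"battery staple").hexdigest(), False),  # disabled account
}

CHALLENGE = 'Basic realm="example"'


def basic_header(user, password):
    """Build the Authorization header a client would send (helper for tests and demos)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def _parse_basic(auth_header):
    """Return (user, password) from a Basic Authorization header, or None if absent/malformed."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def authenticate(auth_header, hide_disabled=False):
    """Map a request's Authorization header to (status, extra headers).

    401 -> no or invalid credentials; must carry WWW-Authenticate so the client can retry.
    403 -> credentials are valid but the account is disabled.
    404 -> optional alternative for a disabled account so its existence is not revealed.
    """
    creds = _parse_basic(auth_header)
    if creds is None:
        return 401, {"WWW-Authenticate": CHALLENGE}
    user, password = creds
    record = USERS.get(user)
    given = hashlib.sha256(password.encode("utf-8")).hexdigest()
    # Compare against a dummy digest for unknown users so response timing does not leak usernames.
    expected = record[0] if record else hashlib.sha256(b"").hexdigest()
    if record is None or not hmac.compare_digest(given, expected):
        return 401, {"WWW-Authenticate": CHALLENGE}
    if not record[1]:
        return (404, {}) if hide_disabled else (403, {})
    return 200, {}
```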
