kaxil commented on PR #43932:
URL: https://github.com/apache/airflow/pull/43932#issuecomment-2474845766

> > > There's no problem with saying those endpoints return a 401/403 even if they don't tbh -- the error responses don't really mean much to clients if the endpoint never returns them.
> > >
> > > And as for auth vs anon, there's another way you are meant to specify security/auth requirements in Open API spec, so this doesn't affect that
> >
> > Are you referring to the `security` parameter in the openapi spec? Because we are using that field in the legacy as a `global` one, not setting it on a per route basis. (We could do that in the new spec but that needs to be developed)
> >
> > Also I do not fully agree, as a client if the document states that the endpoint can return 401 and 403, I expect it to be an authenticated endpoint, and I will try to provide credentials to it. Also I will also write code to handle those 401, 403 on the client side...for nothing. I just think it's not ideal, but I agree that's not really a big deal so if that sounds reasonable to you, I'm perfectly fine merging that. (That's also much easier for us :))
>
> To make the "open API endpoints" explicit could we add an "anonymous" router for both these endpoints and separate them on the top level from the authenticated ones?

I will take a stab at it as a separate PR
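
Added example, not part of the thread or of the Airflow code base: a small check that compares each operation's effective OpenAPI `security` requirement (global, or overridden per route) with the 401/403 responses it documents, which is the mismatch discussed above. The spec, its paths and the `bearerAuth` scheme name are constructed sample data, and the "authenticated routes should document both codes" rule is an assumed lint convention.

```python
"""Flag OpenAPI operations whose documented 401/403 responses disagree with
their effective `security` requirement. SPEC is constructed sample data."""

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}
AUTH_CODES = {"401", "403"}

# Constructed spec: global security, two routes opt out with `security: []`.
SPEC = {
    "openapi": "3.1.0",
    "security": [{"bearerAuth": []}],
    "paths": {
        "/dags": {"get": {"responses": {"200": {}, "401": {}, "403": {}}}},
        "/health": {"get": {"security": [], "responses": {"200": {}, "401": {}, "403": {}}}},
        "/version": {"get": {"security": [], "responses": {"200": {}}}},
        "/pools": {"get": {"responses": {"200": {}}}},
    },
}

def effective_security(spec, operation):
    """Operation-level `security` overrides the top-level list; [] means anonymous."""
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])

def is_anonymous(requirements):
    # An empty list, or an empty requirement object {} offered as an
    # alternative, lets a client call the operation without credentials.
    return not requirements or any(req == {} for req in requirements)

def audit(spec):
    findings = []
    for path, item in sorted(spec.get("paths", {}).items()):
        for method, op in sorted(item.items()):
            if method not in HTTP_METHODS:  # skip `parameters`, `summary`, ...
                continue
            documented = AUTH_CODES & {str(code) for code in op.get("responses", {})}
            anonymous = is_anonymous(effective_security(spec, op))
            if anonymous and documented:
                note = "anonymous but documents " + ",".join(sorted(documented))
                findings.append((method.upper(), path, note))
            elif not anonymous and documented != AUTH_CODES:  # assumed convention
                note = "authenticated but omits " + ",".join(sorted(AUTH_CODES - documented))
                findings.append((method.upper(), path, note))
    return findings

if __name__ == "__main__":
    for finding in audit(SPEC):
        print(*finding)
```
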
