We do this on purpose (to prevent browsers prompting for credentials in a dialog box) but you can include a custom request header to get the WWW-Authenticate response header.
If you add a header called X-CouchDB-WWW-Authenticate then the value of that header is returned, verbatim, in WWW-Authenticate if authentication fails.

B.

On Tue, Dec 7, 2010 at 10:19 AM, Benoit Chesneau <[email protected]> wrote:
> Hi all,
>
> I'm experiencing a problem with the current method used when
> authentication fails. If you pass a wrong authentication header you
> are redirected to an HTML page asking for credentials. So technically
> we do:
>
> 401 -> 302 -> 200
>
> Which is wrong if we follow the spec. "The response MUST include a
> WWW-Authenticate header field [..]" [1]. It also introduces some bugs,
> try for example to create a database when not logged in.
>
> The reason we use a 302 actually is for couchapps. I think we should
> change that behavior:
>
> 1. Provide appropriate HTTP response by default
> 2. Use the tricks of cookie auth (specific header) to let the
> CouchApps access CouchDB. Something like an "X-Auth-..." header in the
> request that notifies us we need to send a response that will not
> raise the dialog box in browsers.
>
> Thoughts?
>
> [1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2
>
> - benoît
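
The two outcomes described in this thread, as an added example that is not part of the original messages or of CouchDB's code: a client checks what a failed login returns with and without the X-CouchDB-WWW-Authenticate request header. The local stub server, its `/login.html` redirect target and the `/constructed_db` path are assumptions made so the example runs offline.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class StubServer(BaseHTTPRequestHandler):
    # Constructed stand-in, not CouchDB code: it treats every request as a
    # failed login and models only the two outcomes described in the thread.
    def do_GET(self):
        challenge = self.headers.get("X-CouchDB-WWW-Authenticate")
        if challenge is None:
            # Default path: redirect towards an HTML login page, no challenge.
            self.send_response(302)
            self.send_header("Location", "/login.html")  # hypothetical path
        else:
            # Opt-in path: 401 with the request header's value echoed verbatim.
            self.send_response(401)
            self.send_header("WWW-Authenticate", challenge)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def failed_login(extra_headers):
    """Send one request with bad credentials; redirects are not followed.

    Returns (status, WWW-Authenticate value, Location value)."""
    server = HTTPServer(("127.0.0.1", 0), StubServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
    try:
        bad = base64.b64encode(b"constructed:wrong").decode()  # constructed creds
        headers = {"Authorization": "Basic " + bad, **extra_headers}
        conn.request("GET", "/constructed_db", headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("WWW-Authenticate"), resp.getheader("Location")
    finally:
        conn.close()
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(failed_login({}))
    print(failed_login({"X-CouchDB-WWW-Authenticate": 'Basic realm="constructed"'}))
```

A non-browser client that relies on the 401 challenge to detect bad credentials should assert on the status and the WWW-Authenticate header as above, rather than following the redirect and treating the final 200 as success.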
