On Tue, Dec 7, 2010 at 11:28 AM, Robert Newson <[email protected]> wrote: > We do this on purpose (to prevent browsers prompting for credentials > in a dialog box) but you can include a custom request header to get > the WWW-Authenticate response header.
Yes.. What I said. Introducing wrong HTTP response is plainly wrong. Especially in a database with a REST api. > > If you add a header called X-CouchDB-WWW-Authenticate then the value > of that header is returned, verbatim, in WWW-Authenticate if > authentication fails. That's not what I mean. I mean that we could detect authentication from js and send a different header (401, but no WWW-Header) if not authenticated. We already do that for cookie auth btw for same purpose. - benoit
