如果用户尝试使用不正确的用户名/密码登录,但格式正确,则返回的适当HTTP状态代码是什么? [英] What's the appropriate HTTP status code to return if a user tries logging in with an incorrect username / password, but correct format?
问题描述
类似的问题在这里发布:由REST API服务返回的验证失败的适当HTTP状态代码是什么?
A similar question is posted here: What's an appropriate HTTP status code to return by a REST API service for a validation failure?
上面的线程表示例如,如果URI应该具有ISO-8601日期,并且发现它的格式错误或指向2月31日,那么您将返回一个HTTP 400.同样如果您期望格式良好XML在一个实体体中,它无法解析。
The answer in the thread above states that "For instance if the URI is supposed to have an ISO-8601 date and you find that it's in the wrong format or refers to February 31st, then you would return an HTTP 400. Ditto if you expect well-formed XML in an entity body and it fails to parse."
但是,如果用户提交的格式正确的数据会怎么样?这意味着,用户提交了用于用户名和密码的纯文本字符串/文本(对我的应用程序是完全有效的)。唯一的问题是密码与用户名不匹配。在这种情况下,400将是不正确的,因为它是完全有效的语法和良好的形式。
However, what happens if the user submitted correctly formatted data? By this I mean, the user submitted a plain alphabetical string / text for the username and password (which is perfectly valid for my application). The only issue is that the password did not match with the username. In this case, 400 will be incorrect because it is perfectly valid syntax and well-formed.
401将不正确(如下所示:哪个HTTP状态代码说用户名或密码不正确?),因为用户没有尝试访问任何页面,他只是试图登录,输入的数据不匹配。
A 401 would be incorrect (as suggested here: Which HTTP status code to say username or password were incorrect?) because the user is not trying to access any page, he is simply trying to login and entered data which does not match.
如果你回顾我链接的第一个帖子,第二个回答说422是正确的回应(它看起来是正确的我),但是,我正在使用Django Rest框架,422不是状态代码的一部分(作为DRF的一部分的状态代码列表可以在这里找到: http://www.django-rest-framework.org/api-guide/status-codes/ #client-error-4xx )
If you look back at the first post I linked to, the second answer states that 422 is the correct response (and it looks correct to me), however, I am using Django Rest Framework and 422 is not part of the status codes (a list of the status codes which are part of DRF can be found here: http://www.django-rest-framework.org/api-guide/status-codes/#client-error-4xx)
404也不正确,因为数据被成功接受而不被拒绝。
404 also doesn't look right because the data is successfully accepted and not refused.
这样说,应该使用真正的正确答案是什么?
With that said, what is the real correct response which should be used?
推荐答案
正确的HTTP代码实际上是401 。从 RFC :
The correct HTTP code would actually be 401. From the RFC:
401(未经授权)状态码表示该请求尚未应用,因为它缺少目标资源的有效身份验证凭据。生成401响应的服务器必须发送包含至少一个适用于目标资源的挑战的WWW-Authenticate头域(第4.1节)。
The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource.
如果请求包含身份验证凭证,则401响应表明该凭证已被拒绝。用户代理可以使用新的或替换的授权头域重新发送请求(第4.2节)。
If the request included authentication credentials, then the 401 response indicates that authorization has been refused for those credentials. The user agent MAY repeat the request with a new or replaced Authorization header field (Section 4.2).
这篇关于如果用户尝试使用不正确的用户名/密码登录,但格式正确,则返回的适当HTTP状态代码是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
