如果用户尝试使用错误的用户名/密码登录，但格式正确，返回的适当 HTTP 状态代码是什么? [英] What's the appropriate HTTP status code to return if a user tries logging in with an incorrect username / password, but correct format?

问题描述

这里发布了一个类似的问题:REST API 服务在验证失败时返回的适当 HTTP 状态代码是什么?

A similar question is posted here: What's an appropriate HTTP status code to return by a REST API service for a validation failure?

上面线程中的答案指出例如，如果 URI 应该具有 ISO-8601 日期，而您发现它的格式错误或指的是 2 月 31 日，那么您将返回 HTTP 400.同上如果您希望实体主体中的 XML 格式正确，但它无法解析."

The answer in the thread above states that "For instance if the URI is supposed to have an ISO-8601 date and you find that it's in the wrong format or refers to February 31st, then you would return an HTTP 400. Ditto if you expect well-formed XML in an entity body and it fails to parse."

但是，如果用户提交的数据格式正确，会发生什么?我的意思是，用户提交了一个简单的字母字符串/文本作为用户名和密码(这对我的应用程序完全有效).唯一的问题是密码与用户名不匹配.在这种情况下，400 将是不正确的，因为它是完全有效的语法并且格式正确.

However, what happens if the user submitted correctly formatted data? By this I mean, the user submitted a plain alphabetical string / text for the username and password (which is perfectly valid for my application). The only issue is that the password did not match with the username. In this case, 400 will be incorrect because it is perfectly valid syntax and well-formed.

401 是不正确的(如此处所建议的:哪个 HTTP 状态代码表示用户名或密码不正确?) 因为用户没有尝试访问任何页面，他只是尝试登录并输入不匹配的数据.

A 401 would be incorrect (as suggested here: Which HTTP status code to say username or password were incorrect?) because the user is not trying to access any page, he is simply trying to login and entered data which does not match.

如果你回顾我链接到的第一篇文章，第二个答案指出 422 是正确的响应(对我来说它看起来是正确的)，但是，我使用的是 Django Rest Framework 并且 422 不是状态的一部分代码(可以在此处找到作为 DRF 一部分的状态代码列表:http://www.django-rest-framework.org/api-guide/status-codes/#client-error-4xx)

If you look back at the first post I linked to, the second answer states that 422 is the correct response (and it looks correct to me), however, I am using Django Rest Framework and 422 is not part of the status codes (a list of the status codes which are part of DRF can be found here: http://www.django-rest-framework.org/api-guide/status-codes/#client-error-4xx)

404 看起来也不对，因为数据被成功接受而不是被拒绝.

404 also doesn't look right because the data is successfully accepted and not refused.

话虽如此，应该使用的真正正确的响应是什么?

With that said, what is the real correct response which should be used?

推荐答案

如果您对 REST API 严格使用 RFC 7235 提供的 HTTP 身份验证框架，正确的 HTTP 代码实际上应该是 401. 来自 RFC:

If you are strictly using the HTTP authentication framework provided by RFC 7235 for your REST API, the correct HTTP code would actually be 401. From the RFC:

401(未授权)状态代码表示请求尚未应用，因为它缺少目标资源的有效身份验证凭据.生成 401 响应的服务器必须发送 WWW-Authenticate 标头字段(第 4.1 节)，其中包含至少一个适用于目标资源的质询.

The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource.

如果请求包含身份验证凭据，则 401 响应表明这些凭据的授权已被拒绝. 用户代理可以使用新的或替换的授权标头字段重复请求(第 4.2 节).

If the request included authentication credentials, then the 401 response indicates that authorization has been refused for those credentials. The user agent MAY repeat the request with a new or replaced Authorization header field (Section 4.2).

您的 REST API 应采用身份验证方案以某种方式向您的客户返回有效的 401 响应.

Your REST API should employ an authentication scheme of some sort in order to return a valid 401 response to your client.

RFC 7235 第 4 页的另一个相关部分:

Another pertinent section from RFC 7235, page 4:

收到对受保护资源的请求时省略
凭据，包含无效凭据(例如，错误的密码) 或
部分凭据(例如，当身份验证方案需要
多次往返)，源服务器应该发送 401
包含 WWW-Authenticate 标头字段的(未授权)响应至少有一个(可能是新的)挑战适用于
请求的资源.

Upon receipt of a request for a protected resource that omits
credentials, contains invalid credentials (e.g., a bad password) or
partial credentials (e.g., when the authentication scheme requires
more than one round trip), an origin server SHOULD send a 401
(Unauthorized) response that contains a WWW-Authenticate header field with at least one (possibly new) challenge applicable to the
requested resource.

更高级别的响应，例如为可视用户呈现的登录页面(通过 302 从受保护的资源重定向)，最好使用 200 状态代码(例如，根据 @KernelDeimos 的回答).由于登录页面通常是他们自己的资源(例如 /login?redirect=original-resource)，未经身份验证的用户仍然有权查看此页面，即使他们提供了不正确的用户名/密码.然后，您将经过身份验证的用户重定向回资源，此时将显示 200(如果允许)或 403(如果用户被禁止查看资源).

A higher-level response, such as a rendered login page for a visual user (redirected from a protected resource via 302), would be better served with the 200 status code (per @KernelDeimos' answer, for example). Since login pages are typically their own resource (e.g. /login?redirect=original-resource), the unauthenticated user is still authorized to see this page, even if they provide an incorrect username/password. Then, you redirect the authenticated user back to the resource, at which point would show 200 if allowed, or 403 if the user is forbidden to view the resource.

401 可以与可视化登录页面一起发挥作用的区域是一个前端库，它利用 XHR 请求利用 REST API，然后将来自 REST API 的 401 响应中继回登录页面上的有意义的格式.

The area where 401 could come into play with a visual login page is a front-end library that leverages the REST API using XHR requests, then relay the 401 response from the REST API back into a meaningful format on the login page.

这篇关于如果用户尝试使用错误的用户名/密码登录，但格式正确，返回的适当 HTTP 状态代码是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！