netlify/gotrue

In the event of an OAuth Error we shouldn't return a 400 always

rybit opened this issue · 4 comments

rybit commented

When we fail to login (e.g. no such user) we return a 400. The code will return an OAuth error appropriately, and then we map that to a 400. It should be a 403 in this case. I'm not sure that all of them are that way, but at least this instance.

if jsonErr := sendJSON(w, http.StatusBadRequest, e); jsonErr != nil {

We try to follow the OAuth spec. What does it say for this situation?

@brycekahle

> We try to follow the OAuth spec. What does it say for this situation?

The OAuth spec does not seem to cover HTTP responses. The HTTP spec defines 400 as Bad Request and 403 as Forbidden: https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

So 403 should fit better.
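As an added example (not gotrue's own code), here is a Go sketch of the change the thread proposes: let the OAuth error response carry its own HTTP status mapping, so a failed login is sent as 403 instead of the blanket 400 from the `sendJSON(w, http.StatusBadRequest, e)` call. The `OAuthError` type, `httpStatusFor`, `sendOAuthError` and the code-to-status table are assumed names and an illustrative mapping.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
)

// OAuthError is a hypothetical error value shaped like an OAuth 2.0 error
// response body ({"error": ..., "error_description": ...}). Added example,
// not gotrue's own type.
type OAuthError struct {
	Err         string `json:"error"`
	Description string `json:"error_description,omitempty"`
}

func (e *OAuthError) Error() string { return e.Err + ": " + e.Description }

// httpStatusFor derives the status from the OAuth error code instead of
// always answering 400, which is what the issue asks for. The table is
// illustrative: a rejected login (invalid_grant) becomes 403, an
// unauthenticated client 401, everything else keeps 400.
func httpStatusFor(e *OAuthError) int {
	switch e.Err {
	case "invalid_grant":
		return http.StatusForbidden
	case "invalid_client":
		return http.StatusUnauthorized
	default:
		return http.StatusBadRequest
	}
}

// sendOAuthError writes the error body as JSON with the mapped status.
func sendOAuthError(w http.ResponseWriter, e *OAuthError) error {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(httpStatusFor(e))
	return json.NewEncoder(w).Encode(e)
}

// respondToFailedLogin simulates the handler path from the issue and
// returns the status code and body that were actually written.
func respondToFailedLogin(code, desc string) (int, string) {
	rec := httptest.NewRecorder()
	_ = sendOAuthError(rec, &OAuthError{Err: code, Description: desc})
	return rec.Code, rec.Body.String()
}

func main() {
	status, body := respondToFailedLogin("invalid_grant", "invalid login credentials")
	println(status, body)
}
```

The description stays generic on purpose: the status code tells the client the login was refused without spelling out whether the account exists.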

This issue has been automatically marked as stale because it has not had activity in 1 year. It will be closed in 7 days if no further activity occurs. Thanks!

This issue was closed because it had no activity for over 1 year.