Json only - custom error status not working


FranWorley

Oct 11, 2017, 4:03:18 AM10/11/17
to Rodauth
 plugin :rodauth, json: :only do
   enable :login, :logout, :jwt
   no_matching_login_message 'The email or password is incorrect.'
   invalid_password_message 'The email or password is incorrect.'
   jwt_secret MyApi.secrets['jwt_secret']
   json_response_custom_error_status? true
 end

I've set my Rodauth enabled route up with the above and yet all error states are returned as 400 for processes handled by rodauth. Any ideas what I'm doing wrong?

I want missing or bad authentication to return a 401, and when an account is authenticated but isn’t authorized to perform the requested operation on the given resource to return 403. 

Thanks

Fran

Jeremy Evans

Oct 11, 2017, 11:32:14 AM10/11/17
to Rodauth
Are the requests being made JSON requests (does their content type include application/json or application/vnd.api.json)?  It looks like the current behavior is to check that.  Potentially the calls to json_request? should be changed to use_jwt?, so in json only mode it doesn't matter what the content type is.

Here's a diff you can try:

diff --git a/lib/rodauth/features/jwt.rb b/lib/rodauth/features/jwt.rb
index fb30cf7..199e902 100644
--- a/lib/rodauth/features/jwt.rb
+++ b/lib/rodauth/features/jwt.rb
@@ -163,7 +163,7 @@ module Rodauth

     def before_view_recovery_codes
       super if defined?(super)
-      if json_request?
+      if use_jwt?
         json_response[:codes] = recovery_codes
         json_response[json_response_success_key] ||= "" if include_success_messages?
       end
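
Review bot: the use_jwt? predicate this hunk now relies on is not defined anywhere in the diff, so it is worth confirming that it returns true under json: :only regardless of the request's Content-Type, since that is the behaviour the thread is after. A test that requests the recovery-codes view in json-only mode without an application/json Content-Type and asserts that json_response[:codes] is populated would pin that down; the existing tests passing only shows the JSON-content-type path is unchanged.
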
@@ -214,13 +214,13 @@ module Rodauth
     end

     def set_redirect_error_status(status)
-      if json_request? && json_response_custom_error_status?
+      if use_jwt? && json_response_custom_error_status?
         response.status = status
       end
     end

     def set_response_error_status(status)
-      if json_request? && !json_response_custom_error_status?
+      if use_jwt? && !json_response_custom_error_status?
         status = json_response_error_status
       end

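Review bot: the hunk is cut off after "status = json_response_error_status", so the remainder of set_response_error_status is not visible here. The two predicates stay mirror images (custom status on in set_redirect_error_status, off in set_response_error_status), which keeps status selection consistent, but the change only fixes the reported problem if use_jwt? is true for a json-only app receiving a non-JSON Content-Type. Add a test for the reporter's case (json: :only with json_response_custom_error_status? true and a request that carries no JSON Content-Type) asserting that a failed login returns the custom status rather than 400.
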
If you could please try that and let me know if it works for you, I would appreciate it.  The current tests pass with it.

As a workaround in the current release, you could add the following to your rodauth configuration:

  json_request?{true}

Thanks,
Jeremy
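
The status selection discussed in this reply, as a constructed Ruby model added here (not Rodauth's code, not Jeremy's diff). The method names mirror the diff; the bodies, including the assumption that use_jwt? is true whenever the app runs json: :only, are assumptions made for illustration, and the json_request?{true} workaround is modelled by the force_json option.

```ruby
# Constructed model of the status logic in the diff above; this is NOT
# Rodauth's code. Method names mirror the diff, bodies are assumptions.
JSON_CONTENT_TYPES = %w[application/json application/vnd.api+json].freeze
JSON_RESPONSE_ERROR_STATUS = 400 # assumed default for json_response_error_status

class StatusModel
  # patched: use use_jwt? (the diff); force_json: the json_request?{true} workaround
  def initialize(content_type:, json_only:, custom_status:, patched: false, force_json: false)
    @content_type, @json_only = content_type.to_s, json_only
    @custom_status, @patched, @force_json = custom_status, patched, force_json
  end

  # Before the diff: only the request's Content-Type decides.
  def json_request?
    return true if @force_json
    JSON_CONTENT_TYPES.any? { |t| @content_type.include?(t) }
  end

  # Assumption: use_jwt? is true whenever the app runs json: :only,
  # independent of Content-Type (the point made in the reply above).
  def use_jwt?
    @json_only || json_request?
  end

  def json_response_custom_error_status?
    @custom_status
  end
  def json_mode?
    @patched ? use_jwt? : json_request?
  end

  # Mirrors set_redirect_error_status: the status set on the response, or nil when skipped.
  def redirect_error_status(status)
    status if json_mode? && json_response_custom_error_status?
  end

  # Mirrors set_response_error_status: collapses to 400 when custom statuses are off.
  def response_error_status(status)
    (json_mode? && !json_response_custom_error_status?) ? JSON_RESPONSE_ERROR_STATUS : status
  end
end

# Fran's configuration (json: :only, custom statuses on) with a client that
# omits the JSON Content-Type: nil before the diff, 401 after it.
def fran_case(patched:)
  StatusModel.new(content_type: 'text/plain', json_only: true,
                  custom_status: true, patched: patched).redirect_error_status(401)
end
```

The nil result in the unpatched case is why a client that forgets the application/json Content-Type never sees the custom status; checking what Content-Type the client actually sends is the first thing to verify.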

FranWorley

Oct 19, 2017, 3:23:50 AM10/19/17
to Rodauth
Hi Jeremy, 

I've just updated to the latest version of Rodauth and I seem to be getting the right codes coming through. Thanks for all your help!

As a side point, is there any possibility of adding a separate error message for invalid current password in the change password feature? It appears to use the same attribute as the login and I want the login to display 'The email or password is incorrect.' (I don't like to let them know what the failure is at this stage) but on change password this message really doesn't make sense!

Thanks,

Fran

Jeremy Evans

Oct 19, 2017, 10:33:41 AM10/19/17
to Rodauth
Fran,

I can look into doing that before the next release.  If you want, you may want to consider submitting it as a pull request, as that would definitely speed up the process.

Thanks,
Jeremy

FranWorley

Oct 21, 2017, 4:38:56 AM10/21/17
to Rodauth
Hi Jeremy,

I've done a PR though I decided that it might be better to make a feature out of generic log errors rather than add a potentially obscurely named value method for change password invalid password errors!
