Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Response types for forbidden resources #454

Closed
acoburn opened this issue Aug 1, 2019 · 3 comments
Closed

Response types for forbidden resources #454

acoburn opened this issue Aug 1, 2019 · 3 comments
Assignees
Milestone

Comments

@acoburn
Copy link
Member

acoburn commented Aug 1, 2019

For background, please see solid/specification#14

From section 6.5.3 of RFC 7231

The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).

Trellis currently conforms to this. The HTTP specification goes on to state:

An origin server that wishes to "hide" the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).

It would be nice to make this response type configurable in Trellis. That is, by default, a 403 Forbidden response will be generated for this condition, but a server administrator could configure the server to "hide" these resources by having it respond instead with a 404 Not Found.

@acoburn acoburn changed the title Response types for inaccessible resources Response types for forbidden resources Aug 1, 2019
@acoburn acoburn added this to the 0.9.0 Release milestone Aug 1, 2019
@acoburn acoburn self-assigned this Aug 1, 2019
acoburn added a commit that referenced this issue Aug 1, 2019
Resolves #454

This makes it possible to "hide" forbidden resources. That is, rather
than responding with a 403 Forbidden code, an admin can configure the
server to respond with a 404 Not Found instead. This may be useful for
applications that wish to have greater privacy controls.
acoburn added a commit that referenced this issue Aug 1, 2019
Resolves #454

This makes it possible to "hide" forbidden resources. That is, rather
than responding with a 403 Forbidden code, an admin can configure the
server to respond with a 404 Not Found instead. This may be useful for
applications that wish to have greater privacy controls.
@ajs6f
Copy link
Member

ajs6f commented Aug 1, 2019

I'm not going to lie down in the road over this, but I must disagree. This seems like a perfect example of something that should be done at an outer layer of architecture (e.g. in the caching layer or via some other proxy). Converting 403->404 inside the repository means that clients for indexing or journaling will not know whether to authenticate or to assume a missing resource. Logs for proxy layers will contain less information. "Downsampling" information internally seems premature.

This seems to me like a perfect candidate for Trellis judo: doing the work not by adding code (to maintain forever) but by documenting a sound pattern that can be implemented in your choice of technology (httpd, Camel, etc.).

@acoburn
Copy link
Member Author

acoburn commented Aug 1, 2019

That is an excellent argument. There are multiple ways one could handle a mapping of 403 -> 404 codes in various points of external layers. Putting this inside the AuthZ code adds complexity -- complexity that could be clearly handled elsewhere.

@acoburn acoburn closed this as completed Aug 1, 2019
@ajs6f
Copy link
Member

ajs6f commented Aug 1, 2019

If it's worth doing, it's worth not doing.

Something about that doesn't sound quite right, but I'm sure it all works out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants