
Bug 500909

Summary: Authentication for blocked accounts should return 403
Product: Community
Reporter: Carsten Reckord <reckord>
Component: API.eclipse.org
Assignee: Christopher Guindon <chris.guindon>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: chris.guindon, webmaster
Version: unspecified
Target Milestone: ---
Hardware: All
OS: All
Whiteboard:
Bug Depends on:
Bug Blocks: 499481

Description Carsten Reckord CLA 2016-09-06 06:36:28 EDT
We've got a number of problem reports for the MPC Favorites service where authentication failed with

POST https://api.eclipse.org/api/user/login HTTP/1.1 406 Not Acceptable : Account is temporarily blocked.

406 is for content negotiation, not authentication, so we handle it as a general request failure, not an authentication failure. The server should return a 403 instead:

403 Forbidden
The request was a valid request, but the server is refusing to respond to it. The user might be logged in but does not have the necessary permissions for the resource.

406 Not Acceptable
The requested resource is capable of generating only content not acceptable according to the Accept headers sent in the request.

Comment 1 Christopher Guindon CLA 2016-09-26 12:01:05 EDT
Would you agree that the correct http status code here is 401?

Comment 2 Carsten Reckord CLA 2016-10-04 06:36:37 EDT
I was suggesting 403 because it failed even though the authentication itself might have been successful, and because it makes it easy to distinguish a regular login request/failure from a blocked account, i.e. a situation where retrying won't help. 

But I guess just showing the error message to the user should be enough to inform them. So I agree, 401 is good.

Comment 3 Christopher Guindon CLA 2017-03-23 16:13:23 EDT
(In reply to Carsten Reckord from comment #2)
> I was suggesting 403 because it failed even though the authentication itself
> might have been successful, and because it makes it easy to distinguish a
> regular login request/failure from a blocked account, i.e. a situation where
> retrying won't help. 
> 
> But I guess just showing the error message to the user should be enough to
> inform them. So I agree, 401 is good.

I tend to agree that 403 is the best error for this. 

This was fixed a while ago. Closing this bug.
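The following is an added example, not code from api.eclipse.org or the Marketplace Client, that models the point made in the description and in comments 1 to 3: a hypothetical login handler that answers a blocked account with 406 (the reported behaviour) or with 401 or 403 (the alternatives discussed), and a client that, like the reporter's, treats only 401 and 403 as authentication verdicts and everything else as a general request failure. The user store, passwords, messages and token are constructed for the example.

```python
"""Added example (hypothetical handler and client), not the project's own code.
Shows why the status code chosen for a blocked account decides whether the
client can surface "Account is temporarily blocked." to the user at all."""
import hmac
import json
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    SUCCESS = "logged in"
    AUTH_FAILED = "authentication failed"   # credentials rejected: ask the user again
    ACCOUNT_BLOCKED = "account blocked"     # auth verdict, but retrying won't help
    REQUEST_FAILED = "request failed"       # transport/protocol problem, not an auth verdict


@dataclass(frozen=True)
class Response:
    status: int
    reason: str
    body: str


# Constructed user store: username -> (password, blocked flag). Not real accounts.
USERS = {
    "alice": ("correct horse battery staple", False),
    "bob": ("hunter2", True),
}


def _check_credentials(username, password):
    """Constant-time password comparison; same code path whether the user exists or not."""
    stored_password, blocked = USERS.get(username, ("", False))
    ok = username in USERS and hmac.compare_digest(stored_password.encode(), password.encode())
    return ok, blocked


def login(username, password, blocked_status=406):
    """Server side of POST /api/user/login (hypothetical).

    blocked_status=406 reproduces the behaviour reported in the bug;
    401 and 403 are the alternatives discussed in the comments.
    """
    ok, blocked = _check_credentials(username, password)
    if not ok:
        # One generic message for unknown user and wrong password, so the
        # response does not reveal which of the two it was.
        return Response(401, "Unauthorized", json.dumps({"message": "Invalid credentials."}))
    if blocked:
        reason = {401: "Unauthorized", 403: "Forbidden", 406: "Not Acceptable"}[blocked_status]
        return Response(blocked_status, reason,
                        json.dumps({"message": "Account is temporarily blocked."}))
    return Response(200, "OK", json.dumps({"token": "constructed-session-token"}))


def classify(resp):
    """Client side: map the status code to what the UI should do.

    Only 401 and 403 are treated as authentication verdicts. Anything else,
    including the 406 from the bug report, is a request failure, so the
    blocked-account message never reaches the user and they may keep retrying.
    """
    if resp.status == 200:
        return Outcome.SUCCESS
    if resp.status == 401:
        return Outcome.AUTH_FAILED
    if resp.status == 403:
        return Outcome.ACCOUNT_BLOCKED
    return Outcome.REQUEST_FAILED


def user_message(resp):
    """Text shown to the user; the server's message is surfaced only for auth verdicts."""
    outcome = classify(resp)
    if outcome in (Outcome.AUTH_FAILED, Outcome.ACCOUNT_BLOCKED):
        return f"{outcome.value}: {json.loads(resp.body).get('message', '')}"
    if outcome is Outcome.SUCCESS:
        return outcome.value
    return f"{outcome.value}: HTTP {resp.status} {resp.reason}"


if __name__ == "__main__":
    for status in (406, 401, 403):
        print(status, "->", user_message(login("bob", "hunter2", blocked_status=status)))
```

With the default 406 the blocked user only ever sees a generic "request failed" line, which is the confusing behaviour behind the problem reports; with 401 the server's message is shown as suggested in comment 2, and with 403 the client can additionally tell that retrying is pointless, which is the distinction comment 3 prefers.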