vm0112

Reputation: 121

ServiceStack 4.0.30 - CredentialsAuthProvider - Not Setting 401 Status on Failed Authentication

I just updated to 4.0.30 and noticed that /auth?username=xxxx&password=xxxx returns a 200 status regardless of whether the user successfully authenticated or not. I even tried using Postman. What, if anything, has changed, as I don't see anything in any recent change logs?

Upvotes: 1

Views: 186

Answers (1)

mythz

Reputation: 143399

If you're not authenticated, /auth returns a 401 Not Authenticated, e.g.:

https://httpbenchmarks.servicestack.net/auth

The AuthenticateService lets you authenticate with a Get(Authenticate request) Request, but if you provide an incorrect username or password it will return a 401 Invalid UserName or Password, e.g.:

https://httpbenchmarks.servicestack.net/auth?username=xxx&password=xxx

But you can log in with the right username and password:

https://httpbenchmarks.servicestack.net/[email protected]&password=test

In which case, if you are authenticated, /auth will return a 200 with summary Session info, e.g.:

https://httpbenchmarks.servicestack.net/auth

{
  "UserId": "59",
  "SessionId": "Jtp6IYoTnW460xGNTGSE",
  "UserName": "[email protected]",
  "DisplayName": "Test Test",
  "ResponseStatus": { }
}

Note: you should be explicit about which Auth Provider you want to log in with, e.g. for authenticating with UserName/Password you should use the explicit /auth/credentials route.

Upvotes: 1
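
A regression check for the status contract described in the answer above (401 on a failed login, 200 on a valid one), as an added example that is not part of the original post and not ServiceStack code. The stub server, the sample account and the JSON field names `UserName`/`Password` are assumptions; credentials are sent in a POST body to `/auth/credentials` rather than in the query string.

```python
import json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

GOOD = ("user@example.test", "correct-horse")  # constructed sample account
BAD = ("user@example.test", "wrong-password")  # constructed failing login
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxies

def make_stub(fail_open):
    """Constructed stand-in server, not ServiceStack. fail_open=True always answers 200."""
    class Stub(BaseHTTPRequestHandler):
        def do_POST(self):
            body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
            ok = self.path == "/auth/credentials" and (body.get("UserName"), body.get("Password")) == GOOD
            out = json.dumps({"ResponseStatus": {} if ok else {"ErrorCode": "Unauthorized"}}).encode()
            self.send_response(200 if ok or fail_open else 401)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(out)))
            self.end_headers()
            self.wfile.write(out)
        def log_message(self, *args): pass  # keep the run quiet
    return Stub

def login_status(base_url, username, password):
    """POST to the explicit /auth/credentials route and return the HTTP status."""
    data = json.dumps({"UserName": username, "Password": password}).encode()
    req = urllib.request.Request(base_url + "/auth/credentials", data=data,
                                 headers={"Content-Type": "application/json"}, method="POST")
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx
        return err.code

def check_auth_contract(base_url, good, bad):
    """Return the violations of the 401-on-failure / 200-on-success contract."""
    problems = []
    if login_status(base_url, *bad) != 401:
        problems.append("failed login did not return 401")
    if login_status(base_url, *good) != 200:
        problems.append("valid login did not return 200")
    return problems

def run_against_stub(fail_open):
    server = HTTPServer(("127.0.0.1", 0), make_stub(fail_open))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_auth_contract(f"http://127.0.0.1:{server.server_port}", GOOD, BAD)
    finally:
        server.shutdown()
        server.server_close()
```

To use it after an upgrade, call `check_auth_contract` with the base URL of a test deployment and a known-good and known-bad credential pair; an empty list means the contract holds.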
