I’m not sure. I was actually asking. And I’m not even sure enough to tell if this is a joke reply you’re making or not. Lol.
I just assume the process is to start a general session. Rather than accessing the request to the resource directly.
So, I guess it would be abstracted a bit though. The user COULD be successful at starting the session. Get a success response to redirect to the resource they are trying to reach AFTER the session starts. Then once they are logged in their privileges are checked on that resource. Either returning an unauthorized response or the actual content.
So, I’d guess this is (at minimum) a two step process. Though from a user perspective they just login and get the resource.
If the login fails it’s just a single response. I’d guess for security just a 200 response but with no session token or response.
Honestly, I’m just typing this for my brain to try to remember the small amount of work I did with Redfish and RESTful stuff awhile back.
But, you are right. There isn’t a reason to give the user html error codes that can tell them anything more than they should know. Without a user session or without user privileges it’s just telling users more than they should. Redirecting to a 404 page with the same generic response is probably best practice. As long as it’s consistent.
I’m not sure. I was actually asking. And I’m not even sure enough to tell if this is a joke reply you’re making or not. Lol.
I just assume the process is to start a general session. Rather than accessing the request to the resource directly.
So, I guess it would be abstracted a bit though. The user COULD be successful at starting the session. Get a success response to redirect to the resource they are trying to reach AFTER the session starts. Then once they are logged in their privileges are checked on that resource. Either returning an unauthorized response or the actual content.
So, I’d guess this is (at minimum) a two step process. Though from a user perspective they just login and get the resource.
If the login fails it’s just a single response. I’d guess for security just a 200 response but with no session token or response.
Honestly, I’m just typing this for my brain to try to remember the small amount of work I did with Redfish and RESTful stuff awhile back.
But, you are right. There isn’t a reason to give the user html error codes that can tell them anything more than they should know. Without a user session or without user privileges it’s just telling users more than they should. Redirecting to a 404 page with the same generic response is probably best practice. As long as it’s consistent.