Commit b08d33f6a9a82e04f288fc0a4de6d4a7489795e1
1 parent
3dd940d4
Exists in
master
and in
4 other branches
API: return 401 for invalid session
Showing
2 changed files
with
4 additions
and
5 deletions
Show diff stats
lib/api/session.rb
| ... | ... | @@ -8,14 +8,13 @@ module Gitlab |
| 8 | 8 | post "/session" do |
| 9 | 9 | resource = User.find_for_database_authentication(email: params[:email]) |
| 10 | 10 | |
| 11 | - return forbidden! unless resource | |
| 11 | + return unauthorized! unless resource | |
| 12 | 12 | |
| 13 | 13 | if resource.valid_password?(params[:password]) |
| 14 | 14 | present resource, with: Entities::UserLogin |
| 15 | 15 | else |
| 16 | - forbidden! | |
| 16 | + unauthorized! | |
| 17 | 17 | end |
| 18 | 18 | end |
| 19 | 19 | end |
| 20 | 20 | end |
| 21 | - | ... | ... |
spec/requests/api/session_spec.rb
| ... | ... | @@ -19,7 +19,7 @@ describe Gitlab::API do |
| 19 | 19 | context "when invalid password" do |
| 20 | 20 | it "should return authentication error" do |
| 21 | 21 | post api("/session"), email: user.email, password: '123' |
| 22 | - response.status.should == 403 | |
| 22 | + response.status.should == 401 | |
| 23 | 23 | |
| 24 | 24 | json_response['email'].should be_nil |
| 25 | 25 | json_response['private_token'].should be_nil |
| ... | ... | @@ -29,7 +29,7 @@ describe Gitlab::API do |
| 29 | 29 | context "when empty password" do |
| 30 | 30 | it "should return authentication error" do |
| 31 | 31 | post api("/session"), email: user.email |
| 32 | - response.status.should == 403 | |
| 32 | + response.status.should == 401 | |
| 33 | 33 | |
| 34 | 34 | json_response['email'].should be_nil |
| 35 | 35 | json_response['private_token'].should be_nil | ... | ... |