Commit b08d33f6a9a82e04f288fc0a4de6d4a7489795e1
1 parent
3dd940d4
API: return 401 for invalid session
Showing
2 changed files
with
4 additions
and
5 deletions
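--- a/lib/api/session.rb
+++ b/lib/api/session.rb
@@ -8,14 +8,13 @@ module Gitlab
 post "/session" do
 resource = User.find_for_database_authentication(email: params[:email])
 
-return forbidden! unless resource
+return unauthorized! unless resource
 
 if resource.valid_password?(params[:password])
 present resource, with: Entities::UserLogin
 else
-forbidden!
+unauthorized!
 end
 end
 end
 end
-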
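Review bot: Both failure paths now return the same 401, but they remain distinguishable by response time: `resource.valid_password?` (presumably a password-hash comparison) only runs when the email matches an account, so the `return unauthorized! unless resource` branch answers noticeably faster than the wrong-password branch. If account enumeration is a concern for this endpoint, perform an equivalent dummy password check in the missing-user branch before calling `unauthorized!`, or at least record the asymmetry with a comment such as `# NOTE: unknown-email path skips the password hash check, so its timing differs`. `unauthorized!` is defined outside this hunk, so whether the 401 carries a `WWW-Authenticate` header as RFC 7235 expects cannot be confirmed from here. The enclosing `module Gitlab` and API class begin before the hunk.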
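--- a/spec/requests/api/session_spec.rb
+++ b/spec/requests/api/session_spec.rb
@@ -19,7 +19,7 @@ describe Gitlab::API do
 context "when invalid password" do
 it "should return authentication error" do
 post api("/session"), email: user.email, password: '123'
-response.status.should == 403
+response.status.should == 401
 
 json_response['email'].should be_nil
 json_response['private_token'].should be_nil
@@ -29,7 +29,7 @@ describe Gitlab::API do
 context "when empty password" do
 it "should return authentication error" do
 post api("/session"), email: user.email
-response.status.should == 403
+response.status.should == 401
 
 json_response['email'].should be_nil
 json_response['private_token'].should be_nil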
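Review bot: Neither updated context exercises the `unless resource` branch that the same commit also switched to 401; both hunks post with `user.email` and vary only the password. A third context, e.g. `context "when email is unknown"` posting `email: 'unknown@example.com', password: '123'` (constructed value) and asserting `response.status.should == 401` plus nil `email` and `private_token`, would pin the status for the missing-user path and catch a future regression back to 403 or 404 there. The `describe Gitlab::API do` block and the surrounding `let(:user)` setup lie outside both hunks.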