I'm not sure if I'm doing something wrong or there's a bug of some kind. If it is a bug, then I'd think this would have cropped up immediately. Either way:
I'm using the extension method RequiresAuthentication from here:
Which uses SecurityHooks
Or the code specifically:
public static void RequiresAuthentication(this INancyModule module)
{
module.AddBeforeHookOrExecute(SecurityHooks.RequiresAuthentication(), "Requires Authentication");
}
SecurityHooks:
public static Func<NancyContext, Response> RequiresAuthentication()
{
return UnauthorizedIfNot(ctx => ctx.CurrentUser.IsAuthenticated());
}
private static Func<NancyContext, Response> UnauthorizedIfNot(Func<NancyContext, bool> test)
{
return HttpStatusCodeIfNot(HttpStatusCode.Unauthorized, test);
}
private static Func<NancyContext, Response> HttpStatusCodeIfNot(HttpStatusCode statusCode, Func<NancyContext, bool> test)
{
return (ctx) =>
{
Response response = null;
if (!test(ctx))
{
response = new Response { StatusCode = statusCode };
}
return response;
};
}
As you can see HttpStatusCode.Unauthorized should be returned if the user isn't authenticated. Seems easy enough. When I make an AJAX call to a route like:
Post["/comment/flag/{Id}"] = s =>
{
this.RequiresAuthentication();
return new IdResponse { Id = commentRepo.FlagComment(Context.CurrentUser.UserName, s.Id) };
};
I'm getting back a 303, which then redirects to the login URL with a 200. Yucky. Not expected at all.
Just to make sure I'm not totally crazy, I did the following and it worked fine:
Post["/comment/{Id}"] = s =>
{
if ((Context.CurrentUser == null) ||
String.IsNullOrWhiteSpace(Context.CurrentUser.UserName))
{
return HttpStatusCode.Forbidden;
}
var req = this.Bind<CommentRequest>();
return commentRepo.AddComment(Context.CurrentUser.UserName, s.Id, req.Comment);
};
This returns the expected 403. But who wants to paste this all over the place...not me. I'm trying to figure out how to write my own thing that executes before the route is run but I'm new to Nancy.
Curiously, if I change the:
return HttpStatusCode.Forbidden;
into a
return new Response { StatusCode = HttpStatusCode.Forbidden };
Then I get the 303 and 200 responses again. Something seems broken. Can anyone give me some insight or an answer of what I'm doing wrong? Nancy seems broken to me, specifically the Response class...
Currently it returns HttpStatusCode.Unauthorized or a 401 which seems to be correct. I tried setting the ContentType to application/json as well and that didn't help.
When I changed it to return a 403 it sends back a 403. Although I suppose technically this isn't the correct response, it is better then the mysterious 303 I was getting before.