ServiceStack 4.0.30 - CredentialsAuthProvider - Not Setting 401 Status on Failed Authentication


I just updated to 4.0.30 and noticed that /auth?username=xxxx&password=xxxx returns a 200 status regardless of whether the user successfully authenticated or not. Even tried using Postman. What, if anything, has changed, as I don't see anything in any recent change logs?


Solution

  • If you're not authenticated, /auth returns a 401 Not Authenticated, e.g.:

    https://httpbenchmarks.servicestack.net/auth

    The AuthenticateService lets you authenticate with a Get(Authenticate request) Request, but if you provide an incorrect username or password it will return a 401 Invalid UserName or Password, e.g.:

    https://httpbenchmarks.servicestack.net/auth?username=xxx&password=xxx

    But you can login with the right username and password:

    https://httpbenchmarks.servicestack.net/[email protected]&password=test

    In which case, if you are authenticated, /auth will return a 200 with summary Session info, e.g.:

    https://httpbenchmarks.servicestack.net/auth

    {
      "UserId": "59",
      "SessionId": "Jtp6IYoTnW460xGNTGSE",
      "UserName": "[email protected]",
      "DisplayName": "Test Test",
      "ResponseStatus": { }
    }
    

    Note: you should be explicit with which Auth Provider you want to login with, e.g. for authenticating with UserName/Password you should use the explicit /auth/credentials route.
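As an added example that is not part of the answer above: a small ServiceStack C# client that exercises the status-code contract just described (401 when unauthenticated or on bad credentials, 200 with session summary on success) using the explicit /auth/credentials provider. The host URL and credentials are placeholders, and it assumes the standard `Authenticate` DTO, `JsonServiceClient` and `WebServiceException` from the ServiceStack client package.

```csharp
using System;
using ServiceStack;

// Added example (not from the original post). BaseUrl and the credentials
// are placeholders; replace them with your own host and test account.
public static class AuthStatusCheck
{
    const string BaseUrl = "https://example.invalid";  // placeholder host

    public static void Main()
    {
        var client = new JsonServiceClient(BaseUrl);

        // 1. Unauthenticated GET /auth -> the answer says this is a 401.
        ExpectStatus(401, () => client.Get(new Authenticate()));

        // 2. Wrong credentials on the explicit credentials route -> 401.
        ExpectStatus(401, () => client.Post(new Authenticate {
            provider = "credentials", UserName = "nobody", Password = "wrong" }));

        // 3. Correct credentials -> 200 with the session summary. The client
        //    keeps the session cookie, so a following GET /auth also returns 200.
        var session = client.Post(new Authenticate {
            provider = "credentials", UserName = "user", Password = "pass" });
        Console.WriteLine($"Logged in as {session.UserName} ({session.SessionId})");

        var check = client.Get(new Authenticate());
        Console.WriteLine($"Session still valid for UserId {check.UserId}");
    }

    // Runs the call and reports whether it failed with the expected HTTP status.
    static void ExpectStatus(int expected, Action call)
    {
        try
        {
            call();
            Console.WriteLine($"Unexpected success, expected HTTP {expected}");
        }
        catch (WebServiceException ex) when (ex.StatusCode == expected)
        {
            Console.WriteLine($"HTTP {expected} as expected: {ex.ErrorMessage}");
        }
    }
}
```

If step 2 prints "Unexpected success", the host is returning 200 for failed logins, which is the behaviour the question describes and is worth checking before relying on the status code in a client.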