HTTP 401 on failed login #960

New Issue

Closed

opened 2025-11-02 03:43:20 -06:00 by GiteaMirror · 9 comments

GiteaMirror commented 2025-11-02 03:43:20 -06:00

Owner

Copy Link

Originally created by @rems4e on GitHub (Aug 13, 2017).

• Gitea version (or commit ref): 1.1.3
• Git version: 2.11
• Operating system: Debian Stretch
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL) https://try.gitea.io/user/login
  • No
  • Not relevant
• Log gist:

Description

When purposely causing a login error on Gitea, I can see (using web inspector and/or logfiles) that the HTTP return code is 200, i.e. "everything is ok", for the page that presents the error to the user.

It would be great if Gitea would return a 401 ("Unauthorized", see here).

Indeed, I think a 401 code in the webserver logs has great security value, and makes it easy to integrate with solutions such as Fail2Ban and others.

If this change were made, there would be absolutely no impact on the user.

Screenshots

Originally created by @rems4e on GitHub (Aug 13, 2017). <!-- 1. Please speak English, this is the language all of us can speak and write. 2. Please ask questions or configuration/deploy problems on our Discord server (https://discord.gg/NsatcWJ) or forum (https://discourse.gitea.io). 3. Please take a moment to check that your issue doesn't already exist. 4. Please give all relevant information below for bug reports, because incomplete details will be handled as an invalid report. --> - Gitea version (or commit ref): 1.1.3 - Git version: 2.11 - Operating system: Debian Stretch - Database (use `[x]`): - [ ] PostgreSQL - [x] MySQL - [ ] MSSQL - [ ] SQLite - Can you reproduce the bug at https://try.gitea.io: - [x] Yes (provide example URL) https://try.gitea.io/user/login - [ ] No - [ ] Not relevant - Log gist: ## Description When purposely causing a login error on Gitea, I can see (using web inspector and/or logfiles) that the HTTP return code is 200, i.e. "everything is ok", for the page that presents the error to the user. It would be great if Gitea would return a 401 ("Unauthorized", see [here](https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_errors)). Indeed, I think a 401 code in the webserver logs has great security value, and makes it easy to integrate with solutions such as Fail2Ban and others. If this change were made, there would be absolutely no impact on the user. ## Screenshots <!-- **If this issue involves the Web Interface, please include a screenshot** --> 

GiteaMirror added the type/proposal label 2025-11-02 03:43:20 -06:00

GiteaMirror closed this issue 2025-11-02 03:43:20 -06:00

GiteaMirror commented 2025-11-02 03:43:20 -06:00

Author

Owner

Copy Link

@daviian commented on GitHub (Aug 17, 2017):

I agree with that.

@lunny Can I work on that as a starter for contribution? ;-)

@daviian commented on GitHub (Aug 17, 2017): I agree with that. @lunny Can I work on that as a starter for contribution? ;-)

GiteaMirror commented 2025-11-02 03:43:21 -06:00

Author

Owner

Copy Link

@lafriks commented on GitHub (Aug 17, 2017):

@daviian sure, go ahead but this should be tested on all supported browsers if this works as expected and displays correct content not generic browser error page

@lafriks commented on GitHub (Aug 17, 2017): @daviian sure, go ahead but this should be tested on all supported browsers if this works as expected and displays correct content not generic browser error page

GiteaMirror commented 2025-11-02 03:43:21 -06:00

Author

Owner

Copy Link

@sapk commented on GitHub (Aug 17, 2017):

@daviian This should be easy to start (should be near https://github.com/go-gitea/gitea/blob/master/routers/user/auth.go#L133).
Don't forget to read : CONTRIBUTING.
Feel free to add integration test (this will maybe broke some)

And don't hesitate to ask any question here or on discord

Have fun 😄

@sapk commented on GitHub (Aug 17, 2017): @daviian This should be easy to start (should be near https://github.com/go-gitea/gitea/blob/master/routers/user/auth.go#L133). Don't forget to read : [CONTRIBUTING](https://github.com/go-gitea/gitea/blob/master/CONTRIBUTING.md). Feel free to add integration test (this will maybe broke some) And don't hesitate to ask any question here or on [discord](https://discord.gg/NsatcWJ) Have fun :smile:

GiteaMirror commented 2025-11-02 03:43:21 -06:00

Author

Owner

Copy Link

@daviian commented on GitHub (Aug 18, 2017):

After having a look into the code I found out that the HTTP status code is wrong in multiple cases.
The function used for prompting errors in form validation should generally return the 400 Bad Request status code, but instead it returns 200..
But this is a major change because it is used throughout gitea.

I think the most beautiful solution would be to extend this function with a status code parameter, but that would have a huge impact on other parts of the code.
In a first step I could remove the usage of this function for the authentication errors to return a 401 code.

@daviian commented on GitHub (Aug 18, 2017): After having a look into the code I found out that the HTTP status code is wrong in multiple cases. The function used for prompting errors in form validation should generally return the `400 Bad Request` status code, but instead it returns `200`.. But this is a major change because it is used throughout gitea. I think the most beautiful solution would be to extend this function with a status code parameter, but that would have a huge impact on other parts of the code. In a first step I could remove the usage of this function for the authentication errors to return a `401` code.

GiteaMirror commented 2025-11-02 03:43:21 -06:00

Author

Owner

Copy Link

@ethantkoenig commented on GitHub (Aug 20, 2017):

I'm not sure returning a 401 on failed login is the correct thing to do; see https://stackoverflow.com/questions/8273757/should-a-failed-login-attempt-result-in-a-http-401-response

I've investigated several public-facing sites (Google, Amazon, Instagram, Github, Gitlab), and none of them returned 401 on failed login.

@ethantkoenig commented on GitHub (Aug 20, 2017): I'm not sure returning a 401 on failed login is the correct thing to do; see https://stackoverflow.com/questions/8273757/should-a-failed-login-attempt-result-in-a-http-401-response I've investigated several public-facing sites (Google, Amazon, Instagram, Github, Gitlab), and none of them returned 401 on failed login.

GiteaMirror commented 2025-11-02 03:43:22 -06:00

Author

Owner

Copy Link

@rems4e commented on GitHub (Aug 20, 2017):

To my surprise, I've seen that they don't. I guess they don't apply Fail2Ban rules on an Apache reverse proxy's log file like I'm currently doing!

Maybe it was an XY-problem and what we should have is a log file with the IP of the offenders (but this won't solve the issue if the reverse proxy is on another machine).

But I know that Jenkins CI app does return a 401 on failed logins, and beside infringing the RFC quoted on StackOverflow, it's damn pratical :)

@rems4e commented on GitHub (Aug 20, 2017): To my surprise, I've seen that they don't. I guess they don't apply Fail2Ban rules on an Apache reverse proxy's log file like I'm currently doing! Maybe it was an XY-problem and what we should have is a log file with the IP of the offenders (but this won't solve the issue if the reverse proxy is on another machine). But I know that Jenkins CI app does return a 401 on failed logins, and beside infringing the RFC quoted on StackOverflow, it's damn pratical :)

GiteaMirror commented 2025-11-02 03:43:22 -06:00

Author

Owner

Copy Link

@bkcsoft commented on GitHub (Aug 24, 2017):

Fail2Ban can never be as good at catching intrusion attemts as the application itself can. So most sites just returns 200 because that at least slows the intrusion down (the bot has to parse and check that they got in or not)

@bkcsoft commented on GitHub (Aug 24, 2017): Fail2Ban can never be as good at catching intrusion attemts as the application itself can. So most sites just returns 200 because that at least slows the intrusion down (the bot has to parse and check that they got in or not)

GiteaMirror commented 2025-11-02 03:43:22 -06:00

Author

Owner

Copy Link

@rems4e commented on GitHub (Aug 24, 2017):

I do not share this point of view entirely. I did not thought about the benefit of a 200 code you stated, though.
But I see that relevant logging information on the offending intrusion attempts will be added to Gitea, so it's OK for me :)

@rems4e commented on GitHub (Aug 24, 2017): I do not share this point of view entirely. I did not thought about the benefit of a 200 code you stated, though. But I see that relevant logging information on the offending intrusion attempts will be added to Gitea, so it's OK for me :)

GiteaMirror commented 2025-11-02 03:43:22 -06:00

Author

Owner

Copy Link

@daviian commented on GitHub (Aug 24, 2017):

Issue can be closed. Is fixed by https://github.com/go-gitea/gitea/pull/2334

@daviian commented on GitHub (Aug 24, 2017): Issue can be closed. Is fixed by https://github.com/go-gitea/gitea/pull/2334

GiteaMirror referenced this issue 2025-11-02 11:52:12 -06:00

[PR #960] [MERGED] Remove the default console logger when it is not set in the configuration #15681

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label type/proposal

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#960