oatpp-authkit

History

Uwe Schuster abf6153439 #2 : Browser-friendly 401/403 — content-negotiate JSON vs HTML/redirect AuthInterceptor previously returned application/json for every rejection, which is wrong for browser navigation: the user followed a /set-password link and saw a raw {"status":"Unauthorized"} blob. Add wantsJson() negotiation (path /api/* OR X-Requested-With OR Accept prefers application/json over text/html) and an IAuthPolicy hook unauthenticatedRedirect(path) that lets consumers bounce browser navigations to a landing/login page. JSON callers (fetch/axios) still get JSON 401/403. Default policy returns nullopt → minimal HTML error page, never raw JSON to a browser. Same hook covers both 401 and 403 (decision Option A on the issue) so consumers wire one redirect target for both unauth and forbidden cases. Bootstrap a minimal test harness (decision Option T2): CMake option OATPP_AUTHKIT_BUILD_TESTS gates enable_testing() + a tests subdir. Adds test_negotiation covering wantsJson + urlEncode. No third-party test framework — assertions use <cassert> + a tiny REQUIRE macro so the suite stays dependency-free for future tests. Closes #2 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-25 13:23:08 +02:00
..
CMakeLists.txt	#2 : Browser-friendly 401/403 — content-negotiate JSON vs HTML/redirect	2026-04-25 13:23:08 +02:00
test_negotiation.cpp	#2 : Browser-friendly 401/403 — content-negotiate JSON vs HTML/redirect	2026-04-25 13:23:08 +02:00

Uwe Schuster abf6153439 #2 : Browser-friendly 401/403 — content-negotiate JSON vs HTML/redirect

AuthInterceptor previously returned application/json for every rejection,
which is wrong for browser navigation: the user followed a /set-password
link and saw a raw {"status":"Unauthorized"} blob.

Add wantsJson() negotiation (path /api/* OR X-Requested-With OR Accept
prefers application/json over text/html) and an IAuthPolicy hook
unauthenticatedRedirect(path) that lets consumers bounce browser
navigations to a landing/login page. JSON callers (fetch/axios) still
get JSON 401/403. Default policy returns nullopt → minimal HTML error
page, never raw JSON to a browser.

Same hook covers both 401 and 403 (decision Option A on the issue) so
consumers wire one redirect target for both unauth and forbidden cases.

Bootstrap a minimal test harness (decision Option T2): CMake option
OATPP_AUTHKIT_BUILD_TESTS gates enable_testing() + a tests subdir.
Adds test_negotiation covering wantsJson + urlEncode. No third-party
test framework — assertions use <cassert> + a tiny REQUIRE macro so the
suite stays dependency-free for future tests.

Closes #2

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-25 13:23:08 +02:00

CMakeLists.txt

#2 : Browser-friendly 401/403 — content-negotiate JSON vs HTML/redirect

2026-04-25 13:23:08 +02:00

test_negotiation.cpp

#2 : Browser-friendly 401/403 — content-negotiate JSON vs HTML/redirect

2026-04-25 13:23:08 +02:00