nextcloud-server-mirror/lib/private
Ferdinand Thiessen 77dc78855f fix(SecurityMiddleware): return header to distinguish error type
Currently we return a 403 (Forbidden) when the password confirmation
failed - which itself seems to be inappropriate as it's basically a login
failing so a 401 (not authorized) is more appropriate.

This is especially a problem because APIs might return 403 internally
for good reason (e.g. user missing permission) but 401 would not be a
problem.

But as this is a breaking change, my solution to be able to
distinguish API error from password confirmation error is:

Add a header inside the response that marks failed password confirmation
`X-NC-Auth-NotConfirmed`.

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2026-03-12 08:54:39 +00:00