
One would assume that absence of credentials would necessarily = auth failure.

Like, the basic flow would check the validity and, implicitly, the presence of the auth header. To bypass auth in the case of the absence of the header itself would need to be an explicit conditional. IF no header, then authenticated. Right? That’s crazy.

I suppose I could look at the code.

On the other hand MS enforced strict auth policies to access their Office APIs in a ridiculous fashion. When I needed to register my applications at MS, I just dropped integration into their services and I never looked back.

That's the kind of thing where a unit test would be useful and easy..

I'd probably forget to write it... but it would be useful and easy.
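An added example, not part of the thread and not the code of the product being discussed: two ways a header check can end up authenticating a request that carries no credential without anyone writing "if no header, then authenticated", next to a deny-by-default version and the table-driven test mentioned above. All function names, the header key and the token are hypothetical and constructed for illustration.

```python
import hmac
from typing import Callable, List, Mapping, Optional

EXPECTED = "Bearer constructed-example-token"  # constructed sample credential

def check_validate_if_present(headers: Mapping[str, str]) -> bool:
    """Fail-open: the credential is validated only when a header was sent."""
    value = headers.get("authorization")
    if value is not None and not hmac.compare_digest(value.encode(), EXPECTED.encode()):
        return False
    return True  # reached for a valid header AND for no header at all

def check_unset_secret(headers: Mapping[str, str], expected: Optional[str] = None) -> bool:
    """Fail-open: with the secret unconfigured, a missing header compares None == None."""
    return headers.get("authorization") == expected

def check_fail_closed(headers: Mapping[str, str]) -> bool:
    """Deny by default: absence is rejected before any comparison happens."""
    value = headers.get("authorization")
    if not value:
        return False
    return hmac.compare_digest(value.encode(), EXPECTED.encode())

# Constructed requests: (name, headers, should the request be authenticated?)
CASES = [
    ("valid header", {"authorization": EXPECTED}, True),
    ("wrong token", {"authorization": "Bearer nope"}, False),
    ("empty header", {"authorization": ""}, False),
    ("no header", {}, False),
]

def failing_cases(check: Callable[[Mapping[str, str]], bool]) -> List[str]:
    """Return the names of the cases where `check` disagrees with the expected outcome."""
    return [name for name, headers, want in CASES if check(headers) != want]

if __name__ == "__main__":
    for check in (check_validate_if_present, check_unset_secret, check_fail_closed):
        print(f"{check.__name__}: failing cases = {failing_cases(check)}")
```

The "no header" row is the one that catches both fail-open variants; a test suite that only sends wrong tokens passes against `check_validate_if_present`.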
