Off-topic, but it always amazes me how 'chappeau' finished with 2 'p's, as did a lot of English words derived from Middle/Old French (single to double-n or double-p are common).
Out of curiosity from a non-native speaker: does the double-p make it more idiomatic for native English speakers?
The application may return a different HTTP Error code depending on the authentication attempt response. It may respond with a 200 for a positive result and a *403* for a negative result.
I would say a 401 - Unauthorized with proper WWW-Authenticate header.
403 means forbidden, which applies when you try to access a resource without permission / authorization
Select:
PBKDF2 [*4] when FIPS certification or enterprise support on many platforms is required;
scrypt [*5] where resisting any/all hardware accelerated attacks is necessary but support isn’t.
bcrypt where PBKDF2 or scrypt support is not available.
There are different interpretations of what 401 should be used for. The spec only handles WWW-Authenticate authentication, which is pretty limited and not universally used (Bearer auth is occasionally used for APIs but Basic auth is pretty rare -- especially in end-user-facing parts of the web). The problem is likely that when the status codes were defined nobody thought people would ever need to build their own login forms.
I agree that it is more useful to use 401 to indicate that some form of authentication is required or has failed, and 403 to indicate that you are authenticated but not allowed to access something (which is what the spec emphasizes).
IOW, 403 should be "Unauthorized", 401 should be "Unauthenticated". Sadly the spec mixes those two meanings in various places.
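The 401/403 split discussed in the comments above, as an added example that is not code from any commenter: a request gets 401 plus a `WWW-Authenticate` challenge when credentials are missing or wrong, and 403 only once the caller is identified but not permitted. The names `USERS`, `ACL`, `respond`, `parse_basic` and `basic_header`, the realm, and the sample data are all constructed for illustration.

```python
import base64
import hmac

# Constructed sample data (demo only; a real store keeps password hashes).
USERS = {"alice": "correct horse"}
ACL = {"/reports": {"alice"}, "/admin": {"root"}}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="demo", charset="UTF-8"'}


def basic_header(user, password):
    """Build an Authorization header value for Basic auth (used to drive the demo)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if unusable."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and malformed UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def respond(path, authorization=None):
    """Return (status, headers) for a request to `path`."""
    creds = parse_basic(authorization)
    if creds is None:
        return 401, dict(CHALLENGE)   # unauthenticated: ask for credentials
    user, password = creds
    expected = USERS.get(user, "")
    # Always run the constant-time comparison, even for unknown users.
    matches = hmac.compare_digest(password.encode(), expected.encode())
    if not (matches and user in USERS):
        return 401, dict(CHALLENGE)   # failed login looks the same as no login
    if user not in ACL.get(path, set()):
        return 403, {}                # authenticated, but not authorized
    return 200, {}


if __name__ == "__main__":
    for path, auth in [("/reports", None),
                       ("/reports", basic_header("alice", "wrong")),
                       ("/admin", basic_header("alice", "correct horse")),
                       ("/reports", basic_header("alice", "correct horse"))]:
        print(path, respond(path, auth))
```
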
We're building solutions for real-time telemedicine using modern web technologies.
Our stack is Go, Python, Node for backend and JS (+ WebRTC, WebSocket and SSE) for front-end.
We are looking for a JS front-end developer to join the team. You'll work on our real-time frontends and some mobile (hybrid) apps.
Drop me a line at jcbohin@parsys.com