Use status instead of message for error responses to detect Unauthorized requests

[Legion2]

With HTTP2 there is no status code reason-phrase and even in HTTP1 it is optional. Therefore the response status codes must be used to detect unauthorized request errors.

fix #1018

@ghys based on your comment I assume the second argument is the integer status code, I did not test this code, but I think it should work.

[Legion2]

@ghys ESLint is complaining about "Expected error to be handled node/handle-callback-err", because now I don't use the first argument of the error callback, because it is not useful in this case. Should I disable this lint rule for these two lines?

[ghys]

@ghys based on your comment I assume the second argument is the integer status code, I did not test this code, but I think it should work.

I'm absolutely not 100% sure about this, it could be an object with the code inside. Will have to check.

[ghys]

Well, actually...
Promise.reject() (and Promise.resolve() for that matter) can only pass one argument (the reason resp. the value) so this code:

openhab-webui/bundles/org.openhab.ui/web/src/js/openhab/api.js

Lines 6 to 9 in 19395df

	f7promise
	.then((data) => resolve(data.data, data.status, data.xhr))
	.catch((err) => reject(err.message, err.status, err.xhr))
	})

is completely wrong 😠. In other terms status and xhr will always be undefined.
Simply rejecting with err isn't ideal because there are lots of instances in catch clauses where the reason is assumed to be the HTTP status message ('Not found', 'Unauthorized', 'Conflict' etc.) and puts it in a toast notification.

So I guess an ugly workaround would be to change the rejection above to reject(err.message || err.status) and then check on both the status and the message (if (err === 'Unauthorized' || err === 401) {) in the catch clauses, so that it fallbacks to status code when there's no message; that way there's no code change needed elsewhere but in your case where there's no HTTP status message err would still contain 401.

[Legion2]

@ghys I updated the code according to your comments.

[ghys]

Thank you. Shame we have to deal with it like this but it'll do :)
One last thing, may I ask to add || err === 401 similarly in these two places too:

openhab-webui/bundles/org.openhab.ui/web/src/pages/home/homecards-mixin.js

Line 127 in 19395df

if (err === 'Unauthorized') {

openhab-webui/bundles/org.openhab.ui/web/src/js/openhab/auth.js

Line 95 in 19395df

if (err === 'Unauthorized') requireToken = true

These are parts of the logic that will redirect to the authorize page when you enforce authorization for the non-admin ops (Settings > API Security > Show advanced > Implicit user role for unauthenticated requests disabled).

[Legion2]

I added the workaround also to these two places.

[ghys]

Excellent, thanks!

[relativeci]

Job #113: Bundle Size — 10.43MB (~-0.01%).

c98ce20 vs da07c93

Changed metrics (1/8)

Metric	Current	Baseline
Initial JS	1.6MB(~+0.01%)	1.6MB

Changed assets by type (1/7)

	Current	Baseline
JS	8.14MB (~-0.01%)	8.14MB

---

View Job #113 report on app.relative-ci.com