@evan in the end the Announce activities pushed by tags.pub have started appearing on the server where I had the issues. :D
Discussion
@mariusor I think what I try to do is:
401 - no authentication provided
403 - authentication is present and valid, but not authorized
400 - authentication is present but not valid, like missing fields
Does that seem right to you?
Also, I think the `created` timestamp is necessary for preventing replay attacks. It's pretty important!
@evan I think missing fields should also signify an unauthorized request... I'm not an expert on what a "bad request" means, but I would interpret it as "the request does not have all necessary components for the server to be able to compose a valid response".
An authorization header is not part of that in my opinion, but I'm willing to entertain the idea. :)
(Also I'm pretty sure I'm appending the created timestamp... but maybe I forgot to test for that... I'll get back to you if it's my problem)
@mariusor I think you might be right. I think if the request is invalid, it should return 401 with the WWW-Authenticate header and the required headers.
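
The status-code mapping the thread settles on, together with the `created` freshness check, as an added example that is not part of the original posts or of either participant's code. It assumes the `Signature` header and `WWW-Authenticate: Signature` challenge syntax of draft-cavage-http-signatures; `decide`, the `verify` and `is_authorized` callbacks, the required-field set, the 300-second window and the sample header are all hypothetical.

```python
import re

REQUIRED = ("keyId", "created", "headers", "signature")  # assumed required fields
MAX_SKEW = 300  # seconds; assumed acceptance window for `created`
# Challenge telling the client which components must be signed (realm is constructed).
CHALLENGE = {"WWW-Authenticate":
             'Signature realm="inbox",headers="(request-target) (created) host"'}

# Constructed sample header, not taken from any real server.
SAMPLE = ('keyId="https://example.test/actor#main-key",created=1700000000,'
          'headers="(request-target) (created) host",signature="c2lnbmF0dXJl"')

def parse_signature(value):
    """Parse key="value" and key=123 parameters from a Signature header."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\d+))', value)
    return {key: quoted or number for key, quoted, number in pairs}

def decide(sig_header, now, verify, is_authorized):
    """Return (status, extra_headers) for a request carrying sig_header."""
    if not sig_header:
        return 401, CHALLENGE              # no authentication provided
    p = parse_signature(sig_header)
    if any(not p.get(field) for field in REQUIRED):
        return 401, CHALLENGE              # signature present but incomplete
    if "(created)" not in p["headers"].split():
        return 401, CHALLENGE              # timestamp not covered by the signature
    if not p["created"].isdigit() or abs(now - int(p["created"])) > MAX_SKEW:
        return 401, CHALLENGE              # stale or future-dated: possible replay
    if not verify(p):
        return 401, CHALLENGE              # cryptographic check failed
    if not is_authorized(p["keyId"]):
        return 403, {}                     # valid identity, not allowed here
    return 200, {}

if __name__ == "__main__":
    ok = lambda _: True
    print(decide(SAMPLE, 1700000010, ok, ok))   # fresh request
    print(decide(SAMPLE, 1700003600, ok, ok))   # same request replayed an hour later
```

The freshness window only bounds how long a captured request stays replayable; a request replayed inside the window still passes this check.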