* More detailed error message for 403 forbidden.
@ 2013-03-27 3:29 Yi, EungJun
2013-03-28 18:36 ` Jeff King
0 siblings, 1 reply; 7+ messages in thread
From: Yi, EungJun @ 2013-03-27 3:29 UTC (permalink / raw)
To: git
Currently, if a user tries to access a git repository via HTTP and it
fails because the user's permission is not enough to access the
repository, the git client tells that the http request failed and the error
was 403 forbidden.

But it is not enough for the user to understand why it fails, especially
if the user doesn't know the username because git-credential-osxkeychain
authenticates implicitly without the user knowing.

It would be much better if the git client shows the response body which might
include an explanation of the failure. For example,

before:

$ git clone http://localhost/foo/bar
error: The requested URL returned error: 403 while accessing
http://localhost/foo/bar
fatal: HTTP request failed

after:

$ git clone http://localhost/foo/bar
error: The requested URL returned error: 403 while accessing
http://localhost/foo/bar
remote: User 'me' does not have enough permission to access the repository.
fatal: HTTP request failed
* Re: More detailed error message for 403 forbidden.
From: Jeff King @ 2013-03-28 18:36 UTC (permalink / raw)
To: Yi, EungJun; +Cc: git
On Wed, Mar 27, 2013 at 12:29:57PM +0900, Yi, EungJun wrote:
> Currently, if user tried to access a git repository via HTTP and it
> fails because the user's permission is not enough to access the
> repository, git client tells that http request failed and the error
> was 403 forbidden.
The situations in which you'll get a 403 depend on how the server is
configured. For instance, on github.com, if you successfully
authenticate but are not authorized to access a repository, you get a
404 (we do this to avoid leaking information about which private
repositories exist). But we do provide a 403 if you try to access the
repository with a non-smart-http client.
So the "403 forbidden" there is not about your account, but about the
method; if git is going to give a more verbose message, it needs to be
careful not to mislead the user.
> It would be much better if git client shows response body which might
> include an explanation of the failure. For example,
> [...]
> $ git clone http://localhost/foo/bar
> error: The requested URL returned error: 403 while accessing
> http://localhost/foo/bar
> remote: User 'me' does not have enough permission to access the repository.
> fatal: HTTP request failed
I agree that is the best way forward, as that means the server is
telling us what is going on, and we are not guessing about the meaning
of the 403.
One problem is that the content body sent along with the error is not
necessarily appropriate for showing to the user (e.g., if it is HTML, it
is probably not a good idea to show it on the terminal). So I think we
would want to only show it when the server has indicated via the
content-type that the message is meant to be shown to the user. I'm
thinking the server would generate something like:

  HTTP/1.1 403 Forbidden
  Content-type: application/x-git-error-message

  User 'me' does not have enough permission to access the repository.

which would produce the example you showed above.
-Peff
* Re: More detailed error message for 403 forbidden.
From: Jonathan Nieder @ 2013-03-28 18:41 UTC (permalink / raw)
To: Jeff King; +Cc: Yi, EungJun, git
Jeff King wrote:
> One problem is that the content body sent along with the error is not
> necessarily appropriate for showing to the user (e.g., if it is HTML, it
> is probably not a good idea to show it on the terminal). So I think we
> would want to only show it when the server has indicated via the
> content-type that the message is meant to be shown to the user. I'm
> thinking the server would generate something like:
>
> HTTP/1.1 403 Forbidden
> Content-type: application/x-git-error-message
>
> User 'me' does not have enough permission to access the repository.
>
> which would produce the example you showed above.
Would it make sense to use text/plain this way?
Curious,
Jonathan
* Re: More detailed error message for 403 forbidden.
From: Jeff King @ 2013-03-28 18:45 UTC (permalink / raw)
To: Jonathan Nieder; +Cc: Yi, EungJun, git
On Thu, Mar 28, 2013 at 11:41:20AM -0700, Jonathan Nieder wrote:
> Jeff King wrote:
>
> > One problem is that the content body sent along with the error is not
> > necessarily appropriate for showing to the user (e.g., if it is HTML, it
> > is probably not a good idea to show it on the terminal). So I think we
> > would want to only show it when the server has indicated via the
> > content-type that the message is meant to be shown to the user. I'm
> > thinking the server would generate something like:
> >
> > HTTP/1.1 403 Forbidden
> > Content-type: application/x-git-error-message
> >
> > User 'me' does not have enough permission to access the repository.
> >
> > which would produce the example you showed above.
>
> Would it make sense to use text/plain this way?
Maybe. But I would worry somewhat about sites which provide a useless
and verbose text/plain message. Ideally an x-git-error-message would be
no more than a few lines, suitable for the error message of a terminal
program. I would not want a site-branded "Your page cannot be found.
Here's a complete navigation bar" page to be spewed to the terminal.
Those tend to be text/html, though, so we may be safe. It's just that
we're gambling on what random servers do, and if we show useless spew
even some of the time, that would be a regression.
-Peff
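
The client-side check discussed in the two messages above, as an added example that is not part of the thread and not git's own code: the body is shown only for the proposed `application/x-git-error-message` type, capped at a few lines, with control bytes replaced so the server cannot send terminal escape sequences. The names `format_remote_error`, `type_is_displayable` and `MAX_LINES`, the four-line cap and the control-byte filtering are assumptions of this example.

```c
#include <string.h>
#include <strings.h>

#define SHOW_TYPE "application/x-git-error-message" /* type proposed in the thread */
#define MAX_LINES 4 /* assumption: the thread only says "a few lines" */

/* 1 if the media type, ignoring case and ";parameters", is exactly SHOW_TYPE */
static int type_is_displayable(const char *ct)
{
	size_t n = strlen(SHOW_TYPE);
	if (!ct || strncasecmp(ct, SHOW_TYPE, n))
		return 0;
	ct += n;
	while (*ct == ' ' || *ct == '\t')
		ct++;
	return *ct == '\0' || *ct == ';';
}

/*
 * Hypothetical helper (not a git function): copy body into out, one
 * "remote: " line per input line. Control bytes become '?'; bytes >= 0x80
 * pass through so UTF-8 text survives. Returns lines written, 0 if none.
 */
int format_remote_error(const char *ct, const char *body, char *out, size_t outsz)
{
	static const char prefix[] = "remote: ";
	size_t o = 0;
	int lines = 0;
	if (!type_is_displayable(ct) || !body || !outsz)
		return 0;
	while (*body && lines < MAX_LINES) {
		size_t len = strcspn(body, "\n"), show = len, i;
		if (show && body[show - 1] == '\r')
			show--; /* tolerate CRLF line endings */
		if (o + sizeof(prefix) + show + 1 > outsz)
			break; /* truncate rather than overflow */
		memcpy(out + o, prefix, sizeof(prefix) - 1);
		o += sizeof(prefix) - 1;
		for (i = 0; i < show; i++) {
			unsigned char c = (unsigned char)body[i];
			out[o++] = (c < 0x20 || c == 0x7f) ? '?' : (char)c;
		}
		out[o++] = '\n';
		lines++;
		body += len + (body[len] == '\n');
	}
	out[o] = '\0';
	return lines;
}
```
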
* Re: More detailed error message for 403 forbidden.
From: Junio C Hamano @ 2013-03-28 19:11 UTC (permalink / raw)
To: Jeff King; +Cc: Yi, EungJun, git
Jeff King <peff@peff.net> writes:
> One problem is that the content body sent along with the error is not
> necessarily appropriate for showing to the user (e.g., if it is HTML, it
> is probably not a good idea to show it on the terminal). So I think we
> would want to only show it when the server has indicated via the
> content-type that the message is meant to be shown to the user. I'm
> thinking the server would generate something like:
>
> HTTP/1.1 403 Forbidden
> Content-type: application/x-git-error-message
>
> User 'me' does not have enough permission to access the repository.
>
> which would produce the example you showed above.
Actually, isn't the human-readable part of the server response meant
for this kind of thing? I.e.
HTTP/1.1 403 User 'me' not allowed to accept the repository.
* Re: More detailed error message for 403 forbidden.
From: Jeff King @ 2013-03-28 20:18 UTC (permalink / raw)
To: Junio C Hamano; +Cc: Yi, EungJun, git
On Thu, Mar 28, 2013 at 12:11:55PM -0700, Junio C Hamano wrote:
> Jeff King <peff@peff.net> writes:
>
> > One problem is that the content body sent along with the error is not
> > necessarily appropriate for showing to the user (e.g., if it is HTML, it
> > is probably not a good idea to show it on the terminal). So I think we
> > would want to only show it when the server has indicated via the
> > content-type that the message is meant to be shown to the user. I'm
> > thinking the server would generate something like:
> >
> > HTTP/1.1 403 Forbidden
> > Content-type: application/x-git-error-message
> >
> > User 'me' does not have enough permission to access the repository.
> >
> > which would produce the example you showed above.
>
> Actually, isn't the human-readable part of the server response meant
> for this kind of thing? I.e.
>
> HTTP/1.1 403 User 'me' not allowed to accept the repository.
In theory, yes. But I don't think that most servers make it very easy to
use custom "reason phrases" (that is the RFC 2616 term for them). At
least I could not easily figure out how to make Apache do so. You can do
so from CGIs, but I think you'd want to customize some of this at the
HTTP server level (e.g., overriding 404s with a custom message). There's
much better support at that level for custom error documents (e.g.,
Apache's ErrorDocument).
I do not configure http servers very often, though, so I could be wrong
about what is normal practice, and what is easy to do.
-Peff
* Re: More detailed error message for 403 forbidden.
From: Yi, EungJun @ 2013-03-31 9:17 UTC (permalink / raw)
To: git
>
> Maybe. But I would worry somewhat about sites which provide a useless
> and verbose text/plain message. Ideally an x-git-error-message would be
> no more than a few lines, suitable for the error message of a terminal
> program. I would not want a site-branded "Your page cannot be found.
> Here's a complete navigation bar" page to be spewed to the terminal.
> Those tend to be text/html, though, so we may be safe. It's just that
> we're gambling on what random servers do, and if we show useless spew
> even some of the time, that would be a regression.
>
> -Peff
I completely agree with you.
And should the git client need to add x-git-error-message in the Accept header
and/or perhaps a language preference in the Accept-Language header?

  Accept: x-git-error-message, */*;q=0.8
  Accept-Language: ko,en;q=0.8