WEBrick sending wrong http status code?

Testing my login page, when I POST the wrong password I should expect
a 401 Unauthorized http status code back. Here is the session#create
controller method where I use :status => :unauthorized (using
sproutcore, so I'm returning JSON):

  def create
    user = User.authenticate(params[:email], params[:password])
    if user.nil?
      puts("debug: user did not authenticate")

      respond_to do |format|
        format.json do
          render(:json => {:status => :unauthorized}) ##### return 401 ######
        end
      end

    else
      puts("user: #{user}")
      sign_in(user)
      respond_to do |format|
        format.json do
          render(:json => {:content => json_for_user(user), :location => user_path(user)})
        end
      end
    end
  end

Here's what the WEBrick console is showing me:

Started POST "/sessions" for 127.0.0.1 at 2011-05-07 23:28:36 -0400
  Processing by SessionsController#create as JSON
  Parameters: {"email"=>"a@b.com", "password"=>"[FILTERED]"}
  User Load (0.4ms) SELECT "users".* FROM "users" WHERE "users"."email" = 'a@b.com' LIMIT 1
Completed 200 OK in 29ms (Views: 1.7ms | ActiveRecord: 0.4ms)

Here is what SproutCore is getting back:

~ PROXY: POST 200 /sessions -> http://localhost:3000/sessions
   content-type: application/json; charset=utf-8
   etag: "0bfdc0989b2b4dfb5706ab29694db1cc"
   cache-control: max-age=0, private, must-revalidate
   x-ua-compatible: IE=Edge
   x-runtime: 0.049420
   server: WEBrick/1.3.1 (Ruby/1.9.2/2011-02-18)
   date: Sun, 08 May 2011 03:28:36 GMT
   content-length: 25
   set-cookie: _mercury_session=BAh7BkkiD3Nlc3Npb25faWQGOgZFRiIlZWEzNjk0YTA0NDQyYjZhYTE5MjJlOWRkMDU2NWEyMmM%3D--d117484163dcb37bcc5928c2edd4d0a9ad4bcda2; path=/; HttpOnly

Why isn't Rails sending back a 401? Am I doing something wrong?

Michael

Why would the web server

Testing my login page, when I POST the wrong password I should expect
a 401 Unauthorized http status code back. Here is the session#create
controller method where I use :status => :unauthorized (using
sproutcore, so I'm returning JSON):

What your code is actually doing is producing a 200 response, whose body is {status: "unauthorised"}.

The HTTP status to return goes at the top level, e.g. render :status => :unauthorized, ... (you can use the head method if you don't want to provide a body, e.g. head :unauthorized)

Fred

Thanks, this helped. For future reference, the code I wrote that
worked is:

format.json {head(:unauthorized)}

Michael
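
The status line matters beyond the client: anything that counts failed logins from the request log sees only the HTTP status, never the JSON body. The following is an added example, not code from this thread, that parses log lines in the format shown above; the function names, the sample log lines (including the "Completed 401" line) and the alert threshold are constructed for illustration, and it assumes requests are logged one after another.

```ruby
# Added example: count rejected logins per client from Rails-style request logs.
# Assumes requests are logged one after another (single-process dev server).
STARTED_LOGIN = /\AStarted POST "\/sessions" for (\S+) at /
COMPLETED     = /\ACompleted (\d{3}) /

# Returns { ip => number of POST /sessions requests that completed with 401 }.
def rejected_logins_by_ip(log)
  counts = Hash.new(0)
  current_ip = nil
  log.each_line do |raw|
    line = raw.strip
    if (m = STARTED_LOGIN.match(line))
      current_ip = m[1]
    elsif line.start_with?("Started ")
      current_ip = nil                      # some other request; ignore its status
    elsif current_ip && (m = COMPLETED.match(line))
      counts[current_ip] += 1 if m[1] == "401"
      current_ip = nil
    end
  end
  counts
end

# Clients whose rejected-login count reaches the (constructed) alert threshold.
def clients_to_flag(log, threshold)
  rejected_logins_by_ip(log).select { |_ip, n| n >= threshold }.keys
end

# Constructed sample: the same wrong-password request repeated `attempts` times,
# ending in the given "Completed ..." line.
def sample_log(completed_line, attempts)
  (['Started POST "/sessions" for 127.0.0.1 at 2011-05-07 23:28:36 -0400',
    '  Processing by SessionsController#create as JSON',
    completed_line] * attempts).join("\n")
end

# Status only in the JSON body: the log shows 200 for every rejected password.
BODY_ONLY = sample_log('Completed 200 OK in 29ms (Views: 1.7ms | ActiveRecord: 0.4ms)', 3)
# Status on the response (render :status => :unauthorized or head :unauthorized).
# The "Completed 401" line is constructed.
REAL_401  = sample_log('Completed 401 Unauthorized in 3ms', 3)

if __FILE__ == $0
  puts "body-only: #{clients_to_flag(BODY_ONLY, 3).inspect}"
  puts "real 401:  #{clients_to_flag(REAL_401, 3).inspect}"
end
```

With the status only in the body, three rejected passwords leave no trace a status-based monitor can count; with a real 401 the same three attempts flag the client.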