WEBrick sending wrong http status code?

Testing my login page, when I POST the wrong password I should expect a 401 Unauthorized http status code back. Here is the session#create controller method where I use :status => :unauthorized (using sproutcore, so I'm returning JSON):

    def create
      user = User.authenticate(params[:email], params[:password])
      if user.nil?
        puts("debug: user did not authenticate")

        respond_to do |format|
          format.json do
            render(:json => {:status => :unauthorized}) ##### return 401 ######
          end
        end

      else
        puts("user: #{user}")
        sign_in(user)
        respond_to do |format|
          format.json do
            render(:json => {:content => json_for_user(user), :location => user_path(user)})
          end
        end
      end
    end

Here's what the WEBrick console is showing me:

    Started POST "/sessions" for 127.0.0.1 at 2011-05-07 23:28:36 -0400
      Processing by SessionsController#create as JSON
      Parameters: {"email"=>"a@b.com", "password"=>"[FILTERED]"}
      User Load (0.4ms) SELECT "users".* FROM "users" WHERE "users"."email" = 'a@b.com' LIMIT 1
    Completed 200 OK in 29ms (Views: 1.7ms | ActiveRecord: 0.4ms)

Here is what Sproutcore is getting back:

    ~ PROXY: POST 200 /sessions -> http://localhost:3000/sessions
       content-type: application/json; charset=utf-8
       etag: "0bfdc0989b2b4dfb5706ab29694db1cc"
       cache-control: max-age=0, private, must-revalidate
       x-ua-compatible: IE=Edge
       x-runtime: 0.049420
       server: WEBrick/1.3.1 (Ruby/1.9.2/2011-02-18)
       date: Sun, 08 May 2011 03:28:36 GMT
       content-length: 25
       set-cookie: _mercury_session=BAh7BkkiD3Nlc3Npb25faWQGOgZFRiIlZWEzNjk0YTA0NDQyYjZhYTE5MjJlOWRkMDU2NWEyMmM%3D--d117484163dcb37bcc5928c2edd4d0a9ad4bcda2; path=/; HttpOnly

Why isn't Rails sending back a 401? Am I doing something wrong?

Michael

Why would the web server

Testing my login page, when I POST the wrong password I should expect a 401 Unauthorized http status code back. Here is the session#create controller method where I use :status => :unauthorized (using sproutcore, so I'm returning JSON):

What your code is actually doing is producing a 200 response, whose body is {status: "unauthorised"}.

The HTTP status to return goes at the top level, e.g. render :status => :unauthorized, ... (you can use the head method if you don't want to provide a body, e.g. head :unauthorized)

Fred

Thanks, this helped. For future reference, the code I wrote that worked is:

format.json {head(:unauthorized)}

Michael
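The difference discussed in this thread, as seen by an HTTP client, in an added example that is not code from either poster: a standard-library loopback stub (a hypothetical stand-in for the Rails app, with constructed responses and made-up paths /body_only and /status_line) answers a failed login once with the status only in the JSON body and once on the status line.

```ruby
require "socket"
require "net/http"
require "json"

# Constructed responses: what the original action put on the wire (200, with
# "unauthorized" only in the JSON body) and what head(:unauthorized) sends.
RESPONSES = {
  "/body_only"   => ["200 OK", { "status" => "unauthorized" }.to_json],
  "/status_line" => ["401 Unauthorized", ""]
}.freeze

# Minimal loopback HTTP server on an ephemeral port; returns the port number.
def start_stub_server
  server = TCPServer.new("127.0.0.1", 0)
  Thread.new do
    loop do
      client = server.accept
      path = client.gets.to_s.split[1]
      length = 0
      while (line = client.gets) && line != "\r\n"
        length = $1.to_i if line =~ /\Acontent-length:\s*(\d+)/i
      end
      client.read(length) # drain the POSTed form body
      status, body = RESPONSES.fetch(path, ["404 Not Found", ""])
      client.write "HTTP/1.1 #{status}\r\nContent-Type: application/json\r\n" \
                   "Content-Length: #{body.bytesize}\r\nConnection: close\r\n\r\n#{body}"
      client.close
    end
  end
  server.addr[1]
end

# POST a wrong password (constructed credentials); nil disables any env proxy.
def failed_login(port, path)
  http = Net::HTTP.new("127.0.0.1", port, nil)
  http.post(path, URI.encode_www_form("email" => "a@b.com", "password" => "wrong"))
end

# A client, proxy or log monitor that keys on the status line only.
def rejected?(response)
  response.is_a?(Net::HTTPUnauthorized)
end

if __FILE__ == $PROGRAM_NAME
  port = start_stub_server
  RESPONSES.each_key do |path|
    res = failed_login(port, path)
    puts "#{path}: HTTP #{res.code}, rejected?=#{rejected?(res)}, body=#{res.body.inspect}"
  end
end
```

With the body-only variant the failed login is logged and proxied as a 200, so anything that counts 401s to spot password guessing never sees it.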