I just updated to 4.0.30 and noticed that /auth?username=xxxx&password=xxxx returns a 200 status regardless of if the user successfully authenticated or not. Even tried using PostMan. What, if anything, has changed as I don't see anything in any recent change logs?
If you're not authenticated /auth returns a 401 Not Authenticated, e.g:
https://httpbenchmarks.servicestack.net/auth
The AuthenticateService lets you authenticate with a Get(Authenticate request) Request, but if you provide an incorrect username or password it will return a 401 Invalid UserName or Password, e.g:
https://httpbenchmarks.servicestack.net/auth?username=xxx&password=xxx
But you can login with the right username and password:
https://httpbenchmarks.servicestack.net/auth?username=test@test.com&password=test
In which case if you are authenticated /auth will return a 200 with summary Session info, e.g:
https://httpbenchmarks.servicestack.net/auth
{
"UserId": "59",
"SessionId": "Jtp6IYoTnW460xGNTGSE",
"UserName": "test@test.com",
"DisplayName": "Test Test",
"ResponseStatus": { }
}
Note: you should be explicit with which Auth Provider you want to login with, e.g. for authenticating with UserName/Password you should use the explicit /auth/credentials route.