Return 401 instead of 302 when it's an XmlHttpRequest
Summary
REST endpoints return a 302 Redirect when the frontend makes an XHR call with an expired session. This causes the browser to follow the redirect and make another XHR call, which results in a no-op.
Steps to reproduce
- You'll need two tabs open.
- Make sure you're logged in.
- Create a private repository in one tab.
- Go ahead and modify the README.md file to create an MR.
- Once the MR is there, visit the other tab and sign out.
- Check the tab with the open MR and click on the Changes tab.
- When you check the console you should see this error.
It looks like the problem occurs when a user's session is over, and they keep using the tab in the MR page.
Example Project
Simply create a private repo and create an MR.
What is the current bug behavior?
XHR calls return 302.
What is the expected correct behavior?
I believe we should return a 401 when it's an XHR call and the frontend should handle the redirect.
Relevant logs and/or screenshots
See above.
Possible fixes
- Backend returns 401 instead of 302 when it's an XMLHttpRequest.
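
A sketch of the backend fix proposed above, added here as an illustration and not taken from the project's code. It is a Rack-style wrapper that turns a sign-in redirect into a 401 for XHR callers only. The class name, the `/users/sign_in` path, the JSON body and the stand-in app are assumptions, and it only works if the frontend sends `X-Requested-With: XMLHttpRequest` (`fetch` does not send it by default).

```ruby
require "json"

# Hypothetical middleware. Assumption: the wrapped app signals an expired
# session with a 302 to SIGN_IN_PATH (placeholder route, not from the issue).
class XhrUnauthorized
  SIGN_IN_PATH = "/users/sign_in"

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Full-page navigations and unrelated redirects pass through untouched.
    return [status, headers, body] unless login_redirect?(status, headers) && xhr?(env)

    body.close if body.respond_to?(:close)
    payload = JSON.generate(error: "session_expired")
    # No Location header: the browser must not transparently follow anything.
    # The frontend sees the 401 and navigates to its own fixed sign-in URL.
    [401,
     { "content-type" => "application/json", "cache-control" => "no-store",
       "content-length" => payload.bytesize.to_s },
     [payload]]
  end

  private

  # Assumption: the frontend marks its XHR calls with this header.
  def xhr?(env)
    env["HTTP_X_REQUESTED_WITH"].to_s.casecmp?("XMLHttpRequest")
  end

  def login_redirect?(status, headers)
    location = headers.find { |k, _| k.to_s.casecmp?("location") }&.last.to_s
    status.to_i == 302 && location.split("?", 2).first.to_s.end_with?(SIGN_IN_PATH)
  end
end

# Constructed stand-in for an app whose session has expired.
EXPIRED_APP = lambda do |_env|
  [302, { "location" => "http://gitlab.example/users/sign_in" }, []]
end

def respond(env, app = EXPIRED_APP)
  XhrUnauthorized.new(app).call(env)
end
```

A normal page load with an expired session still gets the 302, so only the XHR path changes behaviour.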