kobotoolbox / kpi / 19673625562

81%

master: 76%

push

github

fix(submission): fix anonymous submission failures from `KoboCollect` DEV-1347 (#6499)

### 📣 Summary
Ensure `KoboCollect` can submit anonymously by returning 204 for `HEAD
/<username>/submission` before applying the [empty-request
authentication
check](https://github.com/kobotoolbox/kpi/blob/b4b82b809/kobo/apps/openrosa/apps/api/viewsets/xform_submission_api.py#L253-L257),
while keeping Digest authentication behavior intact.


### 📖 Description
After adding a guard to return `401` for unauthenticated empty-body POST
requests (required for Digest auth handshake), KoboCollect began failing
anonymous submissions. KoboCollect performs an initial HEAD request to
`/<username>/submission` to probe server availability. Because the guard
ran before the HEAD handler, this probe was incorrectly treated as
unauthenticated, returning 401. KoboCollect interprets a 401 on HEAD as
"credentials required" and therefore never sends the actual XML payload,
showing the login screen instead.

Enketo continued to work because it tolerates a 401 on the first probe,
but KoboCollect does not.

7103 of 11156 branches covered (63.67%)

3 of 3 new or added lines in 1 file covered. (100.0%)

27447 of 33752 relevant lines covered (81.32%)

1.6 hits per line