kobotoolbox / kpi / 19673625562 / 1

81%

master: 76%

push

github

fix(submission): fix anonymous submission failures from `KoboCollect` DEV-1347 (#6499)

### 📣 Summary
Ensure `KoboCollect` can submit anonymously by returning 204 for `HEAD
/<username>/submission` before applying the [empty-request
authentication
check](https://github.com/kobotoolbox/kpi/blob/b4b82b809/kobo/apps/openrosa/apps/api/viewsets/xform_submission_api.py#L253-L257),
while keeping Digest authentication behavior intact.


### 📖 Description
After adding a guard to return `401` for unauthenticated empty-body POST
requests (required for Digest auth handshake), KoboCollect began failing
anonymous submissions. KoboCollect performs an initial HEAD request to
`/<username>/submission` to probe server availability. Because the guard
ran before the HEAD handler, this probe was incorrectly treated as
unauthenticated, returning 401. KoboCollect interprets a 401 on HEAD as
"credentials required" and therefore never sends the actual XML payload,
showing the login screen instead.

Enketo continued to work because it tolerates a 401 on the first probe,
but KoboCollect does not.

6900 of 11206 branches covered (61.57%)

26637 of 33745 relevant lines covered (78.94%)

0.79 hits per line