/status should be always allowed in anonymous mode
Open, Needs Triage (Public)

Description

/status returns an HTTP 200 "ALIVE" response to be able to perform a basic health check.

On an installation with only one authentication provider, and without public content, it redirects to that provider:

HTTP/2 302 
location: https://..../oauth/.....

It doesn't make sense to require user authentication for that specific scenario, so we could directly serve the 200 ALIVE there too.
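A probe for the behaviour described above, as an added example that is not part of the original task or of Phorge's code: it requests /status/ anonymously without following redirects, and separates the 200 ALIVE answer from a 302 into a login flow. The sample responses and the example.test host are constructed.

```python
import http.client
import json
from urllib.parse import urlsplit

def classify_status(code, headers, body):
    """Return (state, detail) for one anonymous /status response."""
    headers = {k.lower(): v for k, v in headers.items()}
    text = body.strip()
    if 300 <= code < 400:
        # Redirected into a login flow instead of being answered directly.
        # Keep host and path only: OAuth query strings can carry state values.
        loc = urlsplit(headers.get("location", ""))
        return ("redirect", loc.netloc + loc.path)
    if code == 200 and text == "ALIVE":
        return ("alive", "")
    if code == 200:
        try:
            if isinstance(json.loads(text), dict):
                return ("json", "")  # a JSON object, as reported for one host
        except ValueError:
            pass
    return ("unexpected", str(code))

def probe(base_url, timeout=5.0):
    """GET /status/ with no cookies; http.client never follows redirects."""
    u = urlsplit(base_url)
    cls = (http.client.HTTPSConnection if u.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(u.netloc, timeout=timeout)
    try:
        conn.request("GET", "/status/")
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        return classify_status(resp.status, dict(resp.getheaders()), body)
    finally:
        conn.close()

# Constructed sample responses (not captured from any real installation).
SAMPLES = [
    (200, {"Content-Type": "text/plain"}, "ALIVE\n"),
    (302, {"Location": "https://idp.example.test/oauth/authorize?state=abc"}, ""),
    (200, {"Content-Type": "application/json"}, '{"k": "v"}'),
]

if __name__ == "__main__":
    for code, headers, body in SAMPLES:
        print(code, classify_status(code, headers, body))
```

A health check that follows the redirect can end up reading a 200 from the provider's login page, so only the "alive" state should count as healthy.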

Event Timeline

Interestingly, accessing /status on secure.phabricator.com seems to return a JSON object instead of ALIVE.

Looking at PhabricatorStatusController.php, it looks like it's trying to indicate that it doesn't require login for accessing, but something with OAuth authentication might be interfering with that.

I just tried it here, and it didn't require any auth. Maybe something was wrong with our setup at the time?

Interestingly, this cannot be reproduced in any public Phorge:

https://we.phorge.it/status/ (latest stable)

https://gitpull.it/status/ (latest master)

https://phabricator.wikimedia.org/status/ (mix of things)

I also tried setting policy.allow-public = false in my local installation but without much success.

Any hint about how to reproduce this?

(maybe this happens if you have just one provider and it's an OAuth)