Incorrect 401 vs 403 error codes #9347
Comments
Hey @FelixMalfait, I want to work on this issue?
Hey @yadavshubham01, sure, thank you! Some of your previous contributions were done a bit quickly, so make sure to think this one through. What would be great would be to have a good/clear PR description where you explain if you had any doubts during implementation, record a short video that shows the new code and that it doesn't break the frontend, etc. Thanks
Hey @FelixMalfait, I think we get 403 for Unauthorized and 401 for AuthExceptionCode.FORBIDDEN_EXCEPTION because of this
Hey @FelixMalfait, I just opened a pull request; you can review it: #9370
401 Unauthorized should be used when the user isn't authenticated (i.e. login/password refused, no JWT, expired JWT, or wrong JWT...)
403 Forbidden should be used when the user is properly identified but doesn't have access to the resource
Today we send 403 for unauthenticated errors and others where we should send a 401 instead; and for AuthExceptionCode.FORBIDDEN_EXCEPTION we send a 403...
See also:
https://stackoverflow.com/questions/45153773/correct-http-code-for-authentication-token-expiry-401-or-403
The fix should mostly be done in these files:
But we should check the impact on the frontend application (token renewal, etc.), for example here:
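The mapping the issue asks for, written out as an added TypeScript example (this is not twenty's own code; the only identifier taken from the issue is `AuthExceptionCode.FORBIDDEN_EXCEPTION`, every other enum member, the `AuthException` class, the `realm` value and the client-side `nextClientAction` helper are hypothetical). It shows the server side returning 401 with a `WWW-Authenticate` header for every unauthenticated case listed above and 403 only when identity is established but access is denied, and the frontend side deciding whether a token renewal is even worth attempting based on that distinction, which is the frontend impact the issue says must be checked.

```typescript
// Added example, not code from the twenty repository.
// FORBIDDEN_EXCEPTION is named in the issue; the other members are hypothetical
// and mirror the unauthenticated reasons the issue lists (login/password refused,
// no JWT, expired JWT, wrong JWT).
enum AuthExceptionCode {
  INVALID_CREDENTIALS = 'INVALID_CREDENTIALS', // hypothetical: login/password refused
  MISSING_TOKEN = 'MISSING_TOKEN',             // hypothetical: no JWT sent
  EXPIRED_TOKEN = 'EXPIRED_TOKEN',             // hypothetical: JWT past its exp claim
  INVALID_TOKEN = 'INVALID_TOKEN',             // hypothetical: signature/claims rejected
  FORBIDDEN_EXCEPTION = 'FORBIDDEN_EXCEPTION', // from the issue: identified but not allowed
}

// Hypothetical exception type carrying the code; the real project's class may differ.
class AuthException extends Error {
  constructor(message: string, public readonly code: AuthExceptionCode) {
    super(message);
    this.name = 'AuthException';
  }
}

interface HttpErrorResponse {
  status: 401 | 403;
  headers: Record<string, string>;
  body: { error: string; code: AuthExceptionCode; message: string };
}

// Exhaustive switch: adding a new enum member without classifying it is a
// compile-time error, so a new failure reason cannot silently fall into 403.
function statusForCode(code: AuthExceptionCode): 401 | 403 {
  switch (code) {
    case AuthExceptionCode.INVALID_CREDENTIALS:
    case AuthExceptionCode.MISSING_TOKEN:
    case AuthExceptionCode.EXPIRED_TOKEN:
    case AuthExceptionCode.INVALID_TOKEN:
      return 401; // not authenticated: the client must (re)authenticate
    case AuthExceptionCode.FORBIDDEN_EXCEPTION:
      return 403; // authenticated, but this identity may not access the resource
    default: {
      const unreachable: never = code;
      throw new Error(`unhandled AuthExceptionCode: ${String(unreachable)}`);
    }
  }
}

// Server side: build the response. A 401 carries WWW-Authenticate (RFC 7235
// requires the challenge on 401); a 403 must not, since asking the client to
// authenticate again would be misleading. The realm value is an assumption.
function toHttpError(err: AuthException): HttpErrorResponse {
  const status = statusForCode(err.code);
  const headers: Record<string, string> =
    status === 401 ? { 'WWW-Authenticate': 'Bearer realm="api"' } : {};
  return {
    status,
    headers,
    body: {
      error: status === 401 ? 'Unauthorized' : 'Forbidden',
      code: err.code,
      message: err.message,
    },
  };
}

// Frontend side (hypothetical helper): decide what a response should trigger.
// Only a 401 caused by an expired token justifies a silent renewal; a 403 means
// the session is valid and retrying with a fresh token would change nothing.
type ClientAction = 'refresh-token' | 'reauthenticate' | 'show-forbidden' | 'none';

function nextClientAction(status: number, code?: string): ClientAction {
  if (status === 401) {
    return code === AuthExceptionCode.EXPIRED_TOKEN ? 'refresh-token' : 'reauthenticate';
  }
  if (status === 403) {
    return 'show-forbidden';
  }
  return 'none';
}

// Constructed sample run.
const expired = toHttpError(new AuthException('jwt expired', AuthExceptionCode.EXPIRED_TOKEN));
const denied = toHttpError(new AuthException('no access', AuthExceptionCode.FORBIDDEN_EXCEPTION));
console.log(expired.status, nextClientAction(expired.status, expired.body.code)); // 401 refresh-token
console.log(denied.status, nextClientAction(denied.status, denied.body.code));   // 403 show-forbidden
```

Reviewing a fix against this shape is a matter of checking two things: that every code the server treats as "not authenticated" lands in the 401 branch, and that the token-renewal path in the frontend keys on 401 (ideally on the expired-token code specifically) rather than on 403.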