NancyFx / Nancy.MSOwinSecurity

Nancy Owin Security integration
MIT License

Failed RequiresSecurityClaims should result in a Forbidden(403) instead of an Unauthorized(401) #9

Closed bronumski closed 5 years ago

bronumski commented 8 years ago

I am using the MSOwinSecurityExtensions to handle authentication done in the Owin middleware which is working fine for just checking that someone is authenticated. An unauthenticated request gets the correct 401. However now I need to secure certain modules with claims / roles and whilst the RequiresSecurityClaims denies access if the authenticated user does not match the specified claim rule it results in a 401 instead of a 403.

This is different behavior from how the RequiresClaims extension method works:

public static void RequiresClaims(this INancyModule module, params Predicate<Claim>[] requiredClaims)
{
    module.AddBeforeHookOrExecute(SecurityHooks.RequiresAuthentication(), "Requires Authentication");
    module.AddBeforeHookOrExecute(SecurityHooks.RequiresClaims(requiredClaims), "Requires Claims");
}

public static Func<NancyContext, Response> RequiresClaims(params Predicate<Claim>[] claims)
{
    return ForbiddenIfNot(ctx => ctx.CurrentUser.HasClaims(claims));
}

https://github.com/NancyFx/Nancy/blob/feb8a122d8173eafde87bbd650faa2b04429131a/src/Nancy/Security/ModuleSecurity.cs
https://github.com/NancyFx/Nancy/blob/feb8a122d8173eafde87bbd650faa2b04429131a/src/Nancy/Security/SecurityHooks.cs
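The status-code split the issue asks for, as an added example that is not code from Nancy or Nancy.MSOwinSecurity: the hook chain mirrors the RequiresAuthentication-then-ForbiddenIfNot pattern quoted above, so an anonymous request is rejected with 401 before any claim check runs, and an authenticated principal that fails the claim predicates gets 403. The NancyContext, Response and HttpStatusCode types here are minimal stand-ins (assumptions) so the snippet compiles with only System.Security.Claims; the pipeline runner reproduces Nancy's before-hook rule that the first non-null Response short-circuits the request.

```csharp
// Added example; stand-in types, not Nancy's real NancyContext/Response.
using System;
using System.Linq;
using System.Security.Claims;

public enum HttpStatusCode { OK = 200, Unauthorized = 401, Forbidden = 403 }

public class Response { public HttpStatusCode StatusCode; }

// Only CurrentUser is needed to demonstrate the 401/403 decision.
public class NancyContext { public ClaimsPrincipal CurrentUser; }

public static class ClaimsSecurityHooks
{
    // 401: there is no authenticated principal at all.
    public static Func<NancyContext, Response> RequiresAuthentication()
    {
        return ctx => IsAuthenticated(ctx)
            ? null
            : new Response { StatusCode = HttpStatusCode.Unauthorized };
    }

    // 403: the caller is authenticated but does not satisfy every claim predicate.
    // Registered after RequiresAuthentication, so it never sees an anonymous user.
    public static Func<NancyContext, Response> RequiresClaims(params Predicate<Claim>[] requiredClaims)
    {
        return ForbiddenIfNot(ctx => HasClaims(ctx.CurrentUser, requiredClaims));
    }

    static Func<NancyContext, Response> ForbiddenIfNot(Func<NancyContext, bool> test)
    {
        return ctx => test(ctx) ? null : new Response { StatusCode = HttpStatusCode.Forbidden };
    }

    // Before-hook semantics: the first hook returning a non-null Response ends the request.
    public static HttpStatusCode RunPipeline(NancyContext ctx, params Func<NancyContext, Response>[] hooks)
    {
        foreach (var hook in hooks)
        {
            var early = hook(ctx);
            if (early != null) return early.StatusCode;
        }
        return HttpStatusCode.OK;
    }

    static bool IsAuthenticated(NancyContext ctx) =>
        ctx.CurrentUser != null
        && ctx.CurrentUser.Identity != null
        && ctx.CurrentUser.Identity.IsAuthenticated;

    // Every predicate must match at least one claim on the principal.
    static bool HasClaims(ClaimsPrincipal user, Predicate<Claim>[] required) =>
        required.All(p => user.Claims.Any(c => p(c)));
}

public static class Program
{
    public static void Main()
    {
        Predicate<Claim>[] needsAdminRole = { c => c.Type == ClaimTypes.Role && c.Value == "admin" };
        var hooks = new[]
        {
            ClaimsSecurityHooks.RequiresAuthentication(),
            ClaimsSecurityHooks.RequiresClaims(needsAdminRole)
        };

        // Constructed sample principals. Note that ClaimsIdentity only reports
        // IsAuthenticated == true when an authentication type is supplied.
        var anonymous = new NancyContext { CurrentUser = null };
        var plainUser = new NancyContext
        {
            CurrentUser = new ClaimsPrincipal(new ClaimsIdentity(
                new[] { new Claim(ClaimTypes.Name, "alice") }, "cookie"))
        };
        var admin = new NancyContext
        {
            CurrentUser = new ClaimsPrincipal(new ClaimsIdentity(
                new[] { new Claim(ClaimTypes.Name, "bob"), new Claim(ClaimTypes.Role, "admin") }, "cookie"))
        };

        Console.WriteLine(ClaimsSecurityHooks.RunPipeline(anonymous, hooks)); // Unauthorized
        Console.WriteLine(ClaimsSecurityHooks.RunPipeline(plainUser, hooks)); // Forbidden
        Console.WriteLine(ClaimsSecurityHooks.RunPipeline(admin, hooks));     // OK
    }
}
```

The ordering is the security-relevant part: because the authentication hook runs first, a 403 can only ever be produced for a caller whose identity is already established, which is what lets a client (or an operator reading logs) tell "log in" apart from "logged in, but not allowed".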

gregfiske commented 8 years ago

Any chance the NuGet package could be updated to include #10?