Closed waweber closed 1 year ago
@waweber again, very good feedback. You are right (I was considering this in the past, too, when I came across a conversation on this subject on StackOverflow). I will wrap my mind around this and prioritize to improve the feature.
Fixed at 1.2.17.
This is a bit of a nitpick, but some clients might take different actions depending on what 40X code was returned due to an authorization failure.
Try the example included in the docs:
If you attempt to access this endpoint as a logged-in but non-admin user, the request fails with 401 Unauthorized when it perhaps should have returned a 403 Forbidden.
Documentation for 401 Unauthorized says:
In other words, 401 Unauthorized is returned when a client hasn't provided valid credentials (no or invalid auth token, not logged in, etc.). If a client receives this error code, it might show a login prompt (as with HTTP Basic auth) or redirect the user to a login page.
Documentation for 403 Forbidden says:
Meaning the user has provided valid credentials, but they aren't permitted to access the resource. A client might show an error message, but wouldn't prompt the user to log in.
The AuthorizationStrategy always seems to return a 401 Unauthorized error when it fails. It could be improved by providing a way to specify the manner in which the authorization failed, whether it be from missing credentials vs insufficient permissions.
This would allow a client to know the difference between having no permissions (403) vs the login being invalid or the session being expired (401) so it can take some action to re-authenticate.
Some users might want to even override the status code returned for either case: for some endpoints, if a user has insufficient permissions, they might want to return a 404 Not Found to deny the existence of the resource instead of revealing that a resource exists, but a user is not allowed to access it.
I am currently working around this by raising Forbidden in my Requirement class, but this short-circuits the processing of the rest of the policy.
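An added sketch in Python (not the project's own code, nor the issue author's workaround) of the distinction the issue asks for: requirements record why they failed instead of raising, so the rest of the policy still runs and the final status can be 401, 403 or, for endpoints that should deny the resource's existence, 404. The class and function names (Failure, Context, RoleRequirement, evaluate, status_for) are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Failure(Enum):          # definition order encodes precedence when several failures occur
    NOT_FOUND = 404           # deny that the resource exists at all
    UNAUTHENTICATED = 401     # no or invalid credentials: client may re-authenticate
    FORBIDDEN = 403           # valid identity, but insufficient permissions

@dataclass
class Identity:               # assumed minimal identity: a name plus granted roles
    name: str
    roles: frozenset = frozenset()

@dataclass
class Context:                # carries the identity and every failure recorded by requirements
    identity: Optional[Identity]
    failures: list = field(default_factory=list)
    def fail(self, kind: Failure, reason: str) -> None:
        # Record the failure and keep evaluating the policy rather than raising (no short-circuit).
        self.failures.append((kind, reason))

class AuthenticatedRequirement:
    def handle(self, ctx: Context) -> None:
        if ctx.identity is None:
            ctx.fail(Failure.UNAUTHENTICATED, "no valid credentials")

class RoleRequirement:
    def __init__(self, role: str, hide: bool = False):
        self.role, self.hide = role, hide   # hide=True: answer 404 instead of 403
    def handle(self, ctx: Context) -> None:
        roles = ctx.identity.roles if ctx.identity else frozenset()
        if self.role not in roles:
            kind = Failure.NOT_FOUND if self.hide else Failure.FORBIDDEN
            ctx.fail(kind, f"missing role {self.role!r}")

def evaluate(identity: Optional[Identity], requirements) -> Context:
    ctx = Context(identity)
    for req in requirements:   # every requirement runs; failures accumulate
        req.handle(ctx)
    return ctx

def status_for(ctx: Context) -> int:
    """200 on success; else 404 (never reveal a hidden resource, even to anonymous clients), then 401, then 403."""
    kinds = {kind for kind, _ in ctx.failures}
    for kind in Failure:
        if kind in kinds:
            return kind.value
    return 200
```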