stefanv closed 2 years ago
@acrellin I'd appreciate it if you could help me think this through a bit more. I've been looking at why 400s were being propagated before. Token checking should raise a 401, both in the case where the token is invalid or expired (this is in access.py). AccessError, after successful authentication, should then use 403 (Forbidden).
So, why did the invalid token get to the place where 400s were being issued? That should not happen?
@stefanv Could it be because there was no token header provided? If so, I just patched that here: https://github.com/cesium-ml/baselayer/pull/254
This happened when I used an invalid token (I modified the data_loader to use token + "f").
Currently we return HTTP 400 (Bad Request), which does not match an authorization failure.
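
The status-code mapping discussed in this thread, as an added example that is not baselayer's code: authentication failures (missing, malformed, invalid or expired token) map to 401, an authenticated caller without permission maps to 403, and 400 is left for malformed requests. The `token` header scheme, the token table, the ACL and all function names are assumptions constructed for the illustration.

```python
from http import HTTPStatus

NOW = 1_700_000_000  # constructed "current time" (epoch seconds)
# Constructed sample data: token -> (user, expiry)
TOKENS = {"abc123": ("alice", NOW + 3600), "old456": ("bob", NOW - 60)}
# Constructed ACL: user -> paths that user may read
ACLS = {"alice": {"/api/sources"}}

class AuthenticationError(Exception):
    """Caller could not be identified: HTTP 401."""

class AccessError(Exception):
    """Caller is identified but not permitted: HTTP 403."""

def authenticate(headers, now=NOW):
    """Return the user owning the presented token or raise AuthenticationError."""
    value = headers.get("Authorization")
    if value is None:
        raise AuthenticationError("no Authorization header")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "token" or not token.strip():
        raise AuthenticationError("malformed Authorization header")
    entry = TOKENS.get(token.strip())
    if entry is None:
        raise AuthenticationError("invalid token")
    user, expires = entry
    if expires <= now:
        raise AuthenticationError("expired token")
    return user

def handle(headers, path, query, now=NOW):
    """Return the status code a handler would send for this request."""
    try:
        user = authenticate(headers, now)          # 401 is decided first
        if path not in ACLS.get(user, set()):
            raise AccessError(f"{user} may not read {path}")
        int(query.get("page", "1"))                # ValueError on bad input
    except AuthenticationError:
        return HTTPStatus.UNAUTHORIZED
    except AccessError:
        return HTTPStatus.FORBIDDEN
    except ValueError:
        return HTTPStatus.BAD_REQUEST              # only for malformed requests
    return HTTPStatus.OK
```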