cesium-ml / baselayer

Fully customizable (scientific, compute-intensive) web application template
http://cesium-ml.org/baselayer/

Return HTTP 401 (Unauthorized) if token authentication fails #253

Closed stefanv closed 2 years ago

stefanv commented 2 years ago

Currently we return HTTP 400 (Bad Request), which does not match an authorization failure.

stefanv commented 2 years ago

@acrellin I'd appreciate it if you could help me think this through a bit more. I've been looking at why 400s were being propagated before. Token checking should raise a 401, both in the case where the token is invalid or expired (this is in access.py). AccessError, after successful authentication, should then use 403 (Forbidden).

So, why did the invalid token get to the place where 400s were being issued? That should not happen?

acrellin commented 2 years ago

@stefanv Could it be because there was no token header provided? If so, I just patched that here: https://github.com/cesium-ml/baselayer/pull/254

stefanv commented 2 years ago

This happened when I used an invalid token (I modified the data_loader to use token + "f").
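The 401-versus-403 split that stefanv describes (authentication failure, including invalid or expired tokens, gives 401; an AccessError after successful authentication gives 403) and the missing-header case acrellin raises can be shown in one small handler. The code below is an added illustration, not baselayer's access.py or any other project code: the `Token` class, the in-memory `TOKEN_STORE`, the `Authorization: token <value>` header format and the `handle_request` helper are all assumptions made for the example.

```python
"""Added example: keep authentication failures (401) separate from
authorization failures (403), and never fall through to 400 for either.
Nothing here is baselayer's own code; every name is constructed for the example."""
import hmac
from dataclasses import dataclass

HTTP_OK = 200
HTTP_UNAUTHORIZED = 401   # could not establish who the caller is
HTTP_FORBIDDEN = 403      # caller is known but not allowed to do this


class AuthenticationError(Exception):
    """Missing, invalid or expired token: the response must be 401."""
    status_code = HTTP_UNAUTHORIZED


class AccessError(Exception):
    """Authenticated user lacks a permission: the response must be 403."""
    status_code = HTTP_FORBIDDEN


@dataclass(frozen=True)
class Token:
    value: str
    user: str
    expires_at: float        # unix timestamp (constructed)
    permissions: frozenset


# Constructed sample token store; a real application keeps this in its database.
_NOW = 1_000_000.0
TOKEN_STORE = {
    "valid-token-abc": Token("valid-token-abc", "alice", _NOW + 3600, frozenset({"read"})),
    "expired-token-xyz": Token("expired-token-xyz", "bob", _NOW - 1, frozenset({"read", "write"})),
}


def authenticate(headers: dict, now: float = _NOW) -> Token:
    """Return the Token for the request or raise AuthenticationError (401).

    Every failure before identity is established maps to 401: no header,
    a malformed header, an unknown token (e.g. a valid token with "f"
    appended) or an expired token.
    """
    presented = headers.get("Authorization")
    if not presented or not presented.startswith("token "):
        raise AuthenticationError("missing or malformed Authorization header")
    presented = presented[len("token "):]
    # Constant-time comparison against every stored token so that response
    # timing does not reveal how much of a guessed token matched.
    match = None
    for stored in TOKEN_STORE.values():
        if hmac.compare_digest(stored.value, presented):
            match = stored
    if match is None:
        raise AuthenticationError("invalid token")
    if now >= match.expires_at:
        raise AuthenticationError("expired token")
    return match


def authorize(token: Token, required_permission: str) -> None:
    """Raise AccessError (403) when an authenticated user lacks a permission."""
    if required_permission not in token.permissions:
        raise AccessError(f"{token.user} lacks permission {required_permission!r}")


def handle_request(headers: dict, required_permission: str, now: float = _NOW) -> tuple:
    """Simulated request handler: returns (status_code, message)."""
    try:
        token = authenticate(headers, now)
        authorize(token, required_permission)
    except (AuthenticationError, AccessError) as exc:
        return (exc.status_code, str(exc))
    return (HTTP_OK, f"hello {token.user}")


if __name__ == "__main__":
    # Constructed requests covering each branch discussed in the thread.
    print(handle_request({}, "read"))                                        # no header -> 401
    print(handle_request({"Authorization": "token valid-token-abcf"}, "read"))  # tampered -> 401
    print(handle_request({"Authorization": "token expired-token-xyz"}, "read"))  # expired -> 401
    print(handle_request({"Authorization": "token valid-token-abc"}, "write"))   # forbidden -> 403
    print(handle_request({"Authorization": "token valid-token-abc"}, "read"))    # ok -> 200
```

The important design choice is that `authenticate` raises before any resource or permission logic runs, so a bad token can never reach code that produces 400 for malformed request bodies; 400 stays reserved for requests that fail validation after the caller is known.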