Closed mimetnet closed 8 years ago
Response code 403 is the correct response code, because it is deciding only about authorization and not about authentication. My terrible mistake :)
I will make it a configurable parameter for the deny and undetermined cases, with the current default 401 to avoid breaking changes. I will still assign this issue for a future major release, where 403 should become the default.
Version 2.0.1 released. Update your dependencies and check here how to use it.
Thank you very much @franciscogouveia. This is great!
It would be great if the "onPostAuth" handler could support returning 403 (Forbidden). This would help API clients distinguish between Authentication and Authorization Failures.
This could be a config option to either hard-code the result for RbacCore.DENY, or allow a function to specify.
I would be more than happy to make the change if you are willing to accept a patch.
Please let me know.
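The distinction the issue asks for, shown as an added example that is not hapi-rbac's own code: an unauthenticated request gets 401, while an authenticated request that the policy denies gets a configurable status (401 by default for backward compatibility, 403 when the operator opts in), and the option may also be a function as the issue suggests. The `evaluate` policy evaluator, the `authorize` function, the option names `denyStatusCode` and `undeterminedStatusCode`, and the request shape are all assumptions made for this example, not the plugin's API.

```javascript
// Added example, not hapi-rbac code. RbacCore values, the policy evaluator,
// and the option names are constructed for illustration.
const RbacCore = Object.freeze({ ALLOW: 1, DENY: 0, UNDETERMINED: 2 });

// Tiny policy evaluator: the first rule whose role the user holds decides;
// no matching rule yields UNDETERMINED. (Constructed for this example.)
function evaluate(policy, credentials) {
  const roles = new Set((credentials && credentials.roles) || []);
  for (const rule of policy.rules) {
    if (roles.has(rule.role)) return rule.effect;
  }
  return RbacCore.UNDETERMINED;
}

// Resolve an option that is either a fixed status code or a function
// (request, decision) => statusCode, mirroring the "allow a function" idea.
function resolveStatus(option, request, decision) {
  return typeof option === 'function' ? option(request, decision) : option;
}

// What an onPostAuth-style handler would decide for one request.
// Authentication failure is always 401; authorization failure uses the
// configured codes, defaulting to 401 so existing clients keep working.
function authorize(request, policy, options = {}) {
  const opts = { denyStatusCode: 401, undeterminedStatusCode: 401, ...options };

  // Not authenticated at all: the client must present credentials (401).
  if (!request.auth || !request.auth.isAuthenticated) {
    return { statusCode: 401, reason: 'not authenticated' };
  }

  const decision = evaluate(policy, request.auth.credentials);
  if (decision === RbacCore.ALLOW) {
    return { statusCode: 200, reason: 'allowed' };
  }
  if (decision === RbacCore.DENY) {
    // Authenticated but not permitted: semantically 403, configurable here.
    return { statusCode: resolveStatus(opts.denyStatusCode, request, decision), reason: 'denied' };
  }
  return {
    statusCode: resolveStatus(opts.undeterminedStatusCode, request, decision),
    reason: 'undetermined',
  };
}
```

Leaving the default at 401 preserves the plugin's existing behaviour; a deployment that wants clients to tell "log in" apart from "you may not do this" sets `denyStatusCode: 403` (and usually `undeterminedStatusCode: 403`, since an undetermined policy should fail closed for an authenticated user).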