Rework

[lburgey]

The rework is done.

Last thing i changed is, that i integratet github actions to run tests and linting on all code.

This is intended to be tagged v1.0.0 after merge.

[dianagudu]

Is there any documentation on what status codes are expected in different cases? Based on my testing (maybe not comprehensive list):

401:

• invalid token
• valid jwt but OP not supported

403:

• no token provided (either no authorisation headers or no bearer token in authorisation headers)
• requirements not satisfied
• no sub requirements

In the first item of 403, I wonder if this should be 401?

My understanding of the http codes:

• 401: Unauthorized is the status code to return when the client provides no credentials or invalid credentials.
• 403: Forbidden is the status code to return when a client has valid credentials but not enough privileges to perform an action on a resource.

In any case, it would be nice to document this.

[marcvs]

While you're right (no token provided is 401, not 403), I can't reproduce this. E.g. using example_aio, I get 401 with both of these lines:

http localhost:8080/authenticated
http localhost:8080/authenticated "Authorization: Bearer"

[dianagudu]

You are right, with example_aio the returned codes are fine, but not with example_fastapi.

BTW, the examples for fastapi and flask seem to be outdated, they use e.g. "HasGroup" and "ValidLogin".

[marcvs]

Yes, fastapi and flask examples are left as an exercise to the ... me... Do you experience the bug only with the (broken) example? If not, open a bug.