Closed djMax closed 7 years ago
It seems like the module returns 401 for any auth failure, even if the handler itself throws with a status of 403. Is that true? It makes it difficult to indicate "bad authentication" vs. "bad authorization" right?
I'm not following the code, but in practice it does seem to take the status I give it in the auth handler error, so I guess it's fine.
It seems like the module returns 401 for any auth failure, even if the handler itself throws with a status of 403. Is that true? It makes it difficult to indicate "bad authentication" vs. "bad authorization" right?