Closed joelbutcher closed 1 year ago
Instead of configurable option I would feel it might be better to throw custom exception and then you can customise how it render via your application Exception Handler.
@crynobone a custom exception would work
I think now we would throw a 500 error?
It is common in applications that restrict access to another users' resource to return a 404 to indicate that resource does not exist. I would like to give developers to option to apply this functionality to Horizon to hide it's presence within an application from unauthenticated users.
This PR allows developers to define what status code should be returned when Horizon's authentication fails, via a new
horizon.unauthorized_status
config option (happy for this to be renamed, if anyone has any other suggestions).I've restricted the accepted status codes to 403 and 404, falling back to 403 if this is not the case.