The authenticate() decorator raises a 401 exception when the authorization predicate returns False. This violates the HTTP specification, which says:
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.
Therefore the 401 code should only be used for purposes of HTTP authentication, not authorization of any kind. The correct response code to send is 403 (Forbidden).
The authenticate() decorator raises a 401 exception when the authorization predicate returns
False. This violates the HTTP specification, which says:Therefore the 401 code should only be used for purposes of HTTP authentication, not authorization of any kind. The correct response code to send is 403 (Forbidden).