Closed rybit closed 3 years ago
We try to follow the OAuth spec. What does it say for this situation?
@brycekahle
> We try to follow the OAuth spec. What does it say for this situation?
The OAuth spec does not seem to cover HTTP responses. The HTTP spec defines 400 as Bad Request and 403 as Forbidden: https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
So 403 should fit better.
This issue has been automatically marked as stale because it has not had activity in 1 year. It will be closed in 7 days if no further activity occurs. Thanks!
This issue was closed because it had no activity for over 1 year.
When we fail to log in (e.g. no such user) we return a 400. The code will return an OAuth error appropriately, and then we map that to a 400. It should be a 403 in this case. I'm not sure that all of them are that way, but at least this instance.
https://github.com/netlify/gotrue/blob/6dae5c5494efa908bd3d549757ab23115a770eed/api/errors.go#L172
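Added example, not gotrue's own code: a hypothetical Go token handler in which each OAuth error value carries its own HTTP status, so a malformed request maps to 400 while a failed login (unknown user or wrong password, deliberately indistinguishable) maps to 403 as the issue proposes, instead of every OAuth error collapsing to 400. One caveat a practitioner should weigh: RFC 6749 section 5.2 itself says the token endpoint responds with 400 for errors such as invalid_grant unless specified otherwise (and allows 401 for invalid_client), so the 403 lives in a single constructor that can be changed if the RFC mapping is preferred. The type names, the user store, the credentials and the token string are all constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// OAuthError is the JSON error body of RFC 6749 section 5.2 plus the HTTP
// status to send with it. Hypothetical type, not gotrue's own.
type OAuthError struct {
	Status      int    `json:"-"`
	Code        string `json:"error"`
	Description string `json:"error_description,omitempty"`
}

func (e *OAuthError) Error() string { return e.Code + ": " + e.Description }

// Each error code is built with its status attached, so the mapping lives in
// one place instead of a blanket "every OAuth error is a 400".
func invalidRequest(desc string) *OAuthError {
	return &OAuthError{http.StatusBadRequest, "invalid_request", desc}
}

// invalidGrant follows the issue's proposal (403). RFC 6749 section 5.2 would
// use 400 here; this is the one line to change for the RFC mapping.
func invalidGrant(desc string) *OAuthError {
	return &OAuthError{http.StatusForbidden, "invalid_grant", desc}
}

// users is a constructed stand-in for a user store; a real store holds
// password hashes, never plaintext.
var users = map[string]string{"alice": "correct horse battery staple"}

// authenticate handles the resource-owner password grant and returns a
// constructed token on success or an *OAuthError on failure.
func authenticate(grantType, username, password string) (string, error) {
	if grantType != "password" {
		return "", &OAuthError{http.StatusBadRequest, "unsupported_grant_type", "only the password grant is supported"}
	}
	if username == "" || password == "" {
		return "", invalidRequest("username and password are required")
	}
	stored, ok := users[username]
	// Unknown user and wrong password share one error and one status so the
	// response does not reveal which accounts exist.
	if !ok || subtle.ConstantTimeCompare([]byte(stored), []byte(password)) != 1 {
		return "", invalidGrant("invalid username or password")
	}
	return "constructed-access-token", nil
}

// writeError sends the error's own status and its RFC 6749 JSON body.
// Anything that is not an *OAuthError becomes a 500 server_error.
func writeError(w http.ResponseWriter, err error) {
	var oe *OAuthError
	if !errors.As(err, &oe) {
		oe = &OAuthError{http.StatusInternalServerError, "server_error", "unexpected error"}
	}
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("Cache-Control", "no-store") // required by RFC 6749 section 5.2
	w.WriteHeader(oe.Status)
	json.NewEncoder(w).Encode(oe)
}

func tokenHandler(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		writeError(w, invalidRequest("malformed form body"))
		return
	}
	token, err := authenticate(r.PostFormValue("grant_type"), r.PostFormValue("username"), r.PostFormValue("password"))
	if err != nil {
		writeError(w, err)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("Cache-Control", "no-store")
	json.NewEncoder(w).Encode(map[string]string{"access_token": token, "token_type": "bearer"})
}

// tokenStatus posts a form to tokenHandler in-process and returns the HTTP
// status and the "error" field of the JSON body ("" on success).
func tokenStatus(form url.Values) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/token", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rr := httptest.NewRecorder()
	tokenHandler(rr, req)
	var body struct {
		Code string `json:"error"`
	}
	_ = json.Unmarshal(rr.Body.Bytes(), &body)
	return rr.Code, body.Code
}

func main() {
	for _, form := range []url.Values{
		{"grant_type": {"password"}, "username": {"alice"}, "password": {"correct horse battery staple"}},
		{"grant_type": {"password"}, "username": {"alice"}, "password": {"wrong"}},
		{"grant_type": {"password"}, "username": {"nobody"}, "password": {"wrong"}},
		{"grant_type": {"password"}, "username": {"alice"}},
		{"grant_type": {"client_credentials"}},
	} {
		status, code := tokenStatus(form)
		fmt.Printf("%-75s -> %d %s\n", form.Encode(), status, code)
	}
}
```

Running it shows the valid login returning 200, both failed logins returning 403 invalid_grant with identical bodies, and the missing-field and wrong-grant requests returning 400. Checking the status in the test rather than only the JSON error code is what catches a regression to "everything is 400".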