Closed knbknb closed 1 year ago
I have now found a way to change the 404 response to a 403 response ("Access denied") by changing file `EXT:fal_protect/Classes/Middleware/FileMiddleware.php`.

I've patched 1 line in class `FileMiddleware`; this method `pageNotFoundAction()`:
Before:

```php
protected function pageNotFoundAction(ServerRequestInterface $request, string $message = 'Not Found'): void
{
    // Original behaviour: answer a protected file with the site's 404 handler
    $response = GeneralUtility::makeInstance(ErrorController::class)->pageNotFoundAction($request, $message);
    throw new ImmediateResponseException($response, 1604918043);
}
```
After:

```php
protected function pageNotFoundAction(ServerRequestInterface $request, string $message = 'Not Found'): void
{
    // Patched: delegate to the 403 handler of ErrorController instead of the 404 one
    $response = GeneralUtility::makeInstance(ErrorController::class)->accessDeniedAction($request, $message);
    throw new ImmediateResponseException($response, 1604918043);
}
```
Seems to work for me, maybe this is too simplistic?
No, this is exactly the idea :) you should just rename `pageNotFoundAction` from that extension into something like `accessDeniedAction` so that it sticks to some semantic naming but that's indeed the idea.
Ideally, this should be made configurable and the documentation should be updated with an example configuration on how to redirect to the login page in case of access denied. Just throwing a 403 instead of a 404 is not good enough for me since it proves the document exists, which is not the case with a 404.
The 403 is however perfectly fine in case you know what you do and indeed implements a redirect to the login page.
and in fact, throwing a 403 is only correct in case you are authenticated but still cannot access the resource, otherwise the proper error code is 401 (and should then redirect to the login page).
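The status-code rule described above (404 to conceal the file, 401 for an anonymous user with a redirect to the login form, 403 only for an authenticated but unauthorised user), as an added, self-contained example that is not fal_protect's or TYPO3's own code; `DenialPolicy`, `resolveDenial` and the `return_url` parameter are assumed names:

```php
<?php
// Added example (not fal_protect's own code): a hypothetical decision table
// for what a protected-file middleware should answer when access is denied.
declare(strict_types=1);

final class DenialPolicy
{
    // 'conceal': always 404, so the response does not prove the file exists.
    // 'reveal' : 401 (or a redirect to the login form) for anonymous requests,
    //            403 for users who are logged in but still not allowed.
    public function __construct(
        public readonly string $mode = 'conceal',
        public readonly ?string $loginUrl = null,
    ) {}
}

/**
 * Returns [statusCode, headers] for a denied request.
 * 403 is only correct for an authenticated-but-unauthorised user; an anonymous
 * user gets 401, or a redirect to the login form when one is configured.
 */
function resolveDenial(DenialPolicy $policy, bool $isAuthenticated, string $requestPath): array
{
    if ($policy->mode === 'conceal') {
        return [404, []];
    }
    if ($isAuthenticated) {
        return [403, []];
    }
    if ($policy->loginUrl !== null) {
        // Send the visitor to the login form and carry the original path along
        // so the form can bring them back after a successful login.
        $location = $policy->loginUrl . '?return_url=' . rawurlencode($requestPath);
        return [302, ['Location' => $location]];
    }
    // A bare 401 is the fallback; a form-based login cannot express a
    // meaningful WWW-Authenticate challenge, which is why the redirect is preferred.
    return [401, []];
}

// Demo with constructed inputs: default (conceal), reveal+anonymous, reveal+authenticated.
$reveal = new DenialPolicy('reveal', '/login');
foreach ([[new DenialPolicy(), false], [$reveal, false], [$reveal, true]] as [$policy, $auth]) {
    [$status, $headers] = resolveDenial($policy, $auth, '/fileadmin/protected/report.pdf');
    printf("mode=%-7s authenticated=%-5s -> %d %s\n",
        $policy->mode, var_export($auth, true), $status, json_encode($headers));
}
```

Wiring a policy like this into the middleware would replace the one-line patch above with a configurable choice between the concealing 404 and the revealing 401/403 behaviour.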
Thanks! I have used the `accessDeniedAction()` because it was already implemented in the class `ErrorController`.

An `unauthorizedAction()` was not available, perhaps the attempted file-access is not yet an Error. Looking at the code of `ErrorController` I think TYPO3 wants developers to go to the "Site" module and define a custom handler/page for the 401 case there. However I do not remember how to do that, and do not have the time to test that. So my one-word/oneliner fix is fine for me, for now.
I know that it's a quick and dirty solution.
You can reopen the ticket if you wish, I don't mind. Just wanted to let you know that there are users around who prefer the 401/403 case (e.g. when the protected resources are not really state secrets)
Indeed I'd like to change the status code returned from 404 to 401/403, and even redirect the user to a login form immediately. On that form I'd like to also display clear instructions on how to proceed (where the logout button is, where to get credentials, who to contact if login does not work, some alternative links...). All these explanations are different from what I'd like to display in the 404 page, which in my case is pretty generic. Users have learned to ignore the 404 page, or expect to be entertained. Many websites display a funny cartoon (such as a failwhale, as Twitter does it, or something like that).
You (Causal Developers) have mentioned in the documentation the option of returning status codes 401 or 403 as an idea for the future. However I am trying to patch the "fal_protect" source code myself, but I haven't found an obvious way to implement this. Do I have to set a flexform value, a TypoScript snippet, some default value in a PHP file; or even learn a lot about middleware processing first?

A little pointer on how developers can do this would be nice (in the fal_protect documentation). Or a warning that this is more difficult than expected.