Open JeSuisAlrick opened 8 years ago
Having the same problem when using zf-mvc-auth in Apigility: there, instead of the DefaultAuthorizationPostListener, the problem is within the ZF\Apigility\MvcAuth\UnauthorizedListener, which doesn't check whether a user is authenticated or not, e.g. by doing something simple like:
```php
// Default: the caller is authenticated but not permitted to access the resource.
$status = 403;
// An unauthenticated caller is represented by a GuestIdentity; answer 401 instead.
if ($mvcAuthEvent->getIdentity() instanceof \ZF\MvcAuth\Identity\GuestIdentity) {
    $status = 401;
}
$response = new ApiProblemResponse(new ApiProblem($status, 'Forbidden'));
```
The DefaultAuthorizationPostListener wasn't even called in my debugging cases, as the UnauthorizedListener is called before it and already returns a response, which cancels the EVENT_AUTHORIZATION_POST. But in cases without Apigility the DefaultAuthorizationPostListener could probably do something similar.
I guess I'll add my own listener with higher priority or replace the UnauthorizedListener as there are multiple other issues and closed pull requests with the same unresolved problem. (#97, #106, #107, #127)
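A listener of the kind described in this comment, attached at a higher priority than the stock UnauthorizedListener so it answers first; this is an added example, not code from the issue or from the zf-mvc-auth/Apigility projects. The `App\MvcAuth` namespace, the class name, the priority value 200 and the `Bearer` challenge scheme are assumptions.

```php
<?php
// Added example (not from the issue or the zf-mvc-auth/Apigility projects).
// Distinguishes "not authenticated" (401) from "authenticated but not permitted" (403).
namespace App\MvcAuth; // assumed application namespace

use ZF\ApiProblem\ApiProblem;
use ZF\ApiProblem\ApiProblemResponse;
use ZF\MvcAuth\Identity\GuestIdentity;
use ZF\MvcAuth\MvcAuthEvent;

class StatusAwareUnauthorizedListener
{
    public function __invoke(MvcAuthEvent $mvcAuthEvent)
    {
        // Authorization succeeded: return nothing so the request proceeds normally.
        if ($mvcAuthEvent->isAuthorized()) {
            return;
        }

        if ($mvcAuthEvent->getIdentity() instanceof GuestIdentity) {
            // No valid credentials were presented: 401 tells the client to authenticate.
            $response = new ApiProblemResponse(new ApiProblem(401, 'Unauthorized'));
            // RFC 7235 requires a WWW-Authenticate challenge on a 401 response;
            // the scheme advertised here ('Bearer') is an assumption for this example.
            $response->getHeaders()->addHeaderLine('WWW-Authenticate', 'Bearer');
            return $response;
        }

        // Credentials were valid, but this identity lacks the required permission.
        return new ApiProblemResponse(new ApiProblem(403, 'Forbidden'));
    }
}

// Registration, e.g. in the application's Module::onBootstrap(MvcEvent $e) (assumed location).
// Returning a response from EVENT_AUTHORIZATION_POST short-circuits the remaining
// listeners, so the priority (200 assumed) must exceed the stock UnauthorizedListener's.
//
// $events = $e->getApplication()->getEventManager();
// $events->attach(
//     MvcAuthEvent::EVENT_AUTHORIZATION_POST,
//     new StatusAwareUnauthorizedListener(),
//     200
// );
```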
This repository has been closed and moved to laminas-api-tools/api-tools-mvc-auth; a new issue has been opened at https://github.com/laminas-api-tools/api-tools-mvc-auth/issues/8.
It seems the DefaultAuthorizationPostListener is changing the status to 403 even when an authentication challenge response with a 401 status code is set.
The following piece of code probably needs to be added: