zfcampus / zf-mvc-auth

BSD 3-Clause "New" or "Revised" License

Wrong HTTP status code for authentication challenge #109

Open JeSuisAlrick opened 8 years ago

JeSuisAlrick commented 8 years ago

It seems the DefaultAuthorizationPostListener is changing the status to 403 even when an authentication challenge response with a 401 status code is set.

The following piece of code probably needs to be added:

    if ($response instanceof HttpResponse &&
            $response->getStatusCode() == 401) {
        return;
    }

j-schumann commented 7 years ago

Having the same problem when using zf-mvc-auth in Apigility: there, instead of the DefaultAuthorizationPostListener, the problem is within the ZF\Apigility\MvcAuth\UnauthorizedListener, which doesn't check whether a user is authenticated or not, e.g. by doing something simple like:

    $status = 403;
    if ($mvcAuthEvent->getIdentity() instanceof \ZF\MvcAuth\Identity\GuestIdentity) {
        $status = 401;
    }
    $response = new ApiProblemResponse(new ApiProblem($status, 'Forbidden'));

The DefaultAuthorizationPostListener wasn't even called in my debugging cases, as the UnauthorizedListener is called before it and already returns a response, which cancels the EVENT_AUTHORIZATION_POST. But in cases without Apigility the DefaultAuthorizationPostListener could probably do something similar.

I guess I'll add my own listener with higher priority or replace the UnauthorizedListener as there are multiple other issues and closed pull requests with the same unresolved problem. (#97, #106, #107, #127)
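As an added example (not code from zf-mvc-auth, Apigility, or either commenter), here is what a replacement listener along the lines discussed in this thread could look like: it answers 401 when the request was never authenticated (guest identity, or a 401 challenge already set by the authentication adapter) and 403 when an authenticated identity simply lacks permission. The class name, namespace, and the attachment priority of 100 are assumptions; the event constants, `GuestIdentity`, and the `ApiProblem` classes are the ones the thread names.

```php
<?php
// Added example, not part of zf-mvc-auth or Apigility.
// Listener for MvcAuthEvent::EVENT_AUTHORIZATION_POST that distinguishes
// "not authenticated" (401) from "authenticated but not allowed" (403).
// Namespace, class name and the priority used below are assumptions.
namespace Application\Listener;

use Zend\Http\Response as HttpResponse;
use Zend\Mvc\MvcEvent;
use ZF\ApiProblem\ApiProblem;
use ZF\ApiProblem\ApiProblemResponse;
use ZF\MvcAuth\Identity\GuestIdentity;
use ZF\MvcAuth\MvcAuthEvent;

class UnauthorizedStatusListener
{
    /**
     * @return HttpResponse|null  A response short-circuits the event.
     */
    public function __invoke(MvcAuthEvent $mvcAuthEvent)
    {
        // Authorization succeeded: nothing to override.
        if ($mvcAuthEvent->isAuthorized()) {
            return null;
        }

        $response = $mvcAuthEvent->getMvcEvent()->getResponse();

        // An authentication adapter already issued a 401 challenge (with its
        // WWW-Authenticate header); keep it instead of downgrading to 403.
        if ($response instanceof HttpResponse && $response->getStatusCode() === 401) {
            return $response;
        }

        // No identity or a GuestIdentity means the client never authenticated.
        $identity = $mvcAuthEvent->getIdentity();
        $unauthenticated = $identity === null || $identity instanceof GuestIdentity;

        $status = $unauthenticated ? 401 : 403;
        $detail = $unauthenticated ? 'Unauthorized' : 'Forbidden';

        return new ApiProblemResponse(new ApiProblem($status, $detail));
    }
}

// Assumed wiring in the application's Module class: attach with a priority
// higher than the default listeners (priority 1) so this runs before
// UnauthorizedListener / DefaultAuthorizationPostListener and returns first.
class Module
{
    public function onBootstrap(MvcEvent $mvcEvent)
    {
        $events = $mvcEvent->getApplication()->getEventManager();
        $events->attach(
            MvcAuthEvent::EVENT_AUTHORIZATION_POST,
            new UnauthorizedStatusListener(),
            100
        );
    }
}
```

Because the route listener stops the `EVENT_AUTHORIZATION_POST` chain as soon as a listener returns a `Response`, attaching at a higher priority is enough to take precedence over the shipped listeners without patching them; the guard on an existing 401 keeps the challenge header that a client needs in order to authenticate.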

weierophinney commented 4 years ago

This repository has been closed and moved to laminas-api-tools/api-tools-mvc-auth; a new issue has been opened at https://github.com/laminas-api-tools/api-tools-mvc-auth/issues/8.