Fixing some confusion between the 401 and 403 error codes. 401 indicates that the user should attempt to authenticate again, whereas 403 indicates the user is authenticated but not allowed to complete the action. (#804)

Closes #767
kevgliss 2017-05-18 13:20:17 -07:00 committed by GitHub
parent 7ad471a810
commit 307a73c752
3 changed files with 6 additions and 6 deletions


@ -164,17 +164,17 @@ class Ping(Resource):
algo = header_data['alg']
break
else:
return dict(message='Key not found'), 403
return dict(message='Key not found'), 401
# validate your token based on the key it was signed with
try:
jwt.decode(id_token, secret.decode('utf-8'), algorithms=[algo], audience=args['clientId'])
except jwt.DecodeError:
return dict(message='Token is invalid'), 403
return dict(message='Token is invalid'), 401
except jwt.ExpiredSignatureError:
return dict(message='Token has expired'), 403
return dict(message='Token has expired'), 401
except jwt.InvalidTokenError:
return dict(message='Token is invalid'), 403
return dict(message='Token is invalid'), 401
user_params = dict(access_token=access_token, schema='profile')
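Review bot: The 401 responses at the `Key not found`, `Token is invalid` and `Token has expired` returns carry no `WWW-Authenticate` header, which RFC 7235 requires on a 401 so the client knows which scheme to re-authenticate with; the page does not show how these tuples become responses, but if this is Flask-RESTful the header can be attached in the same return, e.g. `return dict(message='Token is invalid'), 401, {'WWW-Authenticate': 'Bearer'}`. The except order is correct as written, since `jwt.ExpiredSignatureError` is caught before its base `jwt.InvalidTokenError`, so the expired case keeps its distinct message. A short comment on the first 401, such as `# 401: the token itself is unusable, so the client must re-authenticate (403 is reserved for authorization failures)`, would record the distinction this commit introduces. The enclosing method starts and ends outside the hunk.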


@ -271,7 +271,7 @@ class CertificatesList(AuthenticatedResource):
data['creator'] = g.user
return service.create(**data)
return dict(message="You are not authorized to use {0}".format(data['authority'].name)), 403
return dict(message="You are not authorized to use the authority: {0}".format(data['authority'].name)), 403
class CertificatesUpload(AuthenticatedResource):


@ -106,7 +106,7 @@
// handle situation where our token has become invalid.
RestangularConfigurer.setErrorInterceptor(function (response) {
if (response.status === 403) {
if (response.status === 401) {
$auth.logout();
$location.path('/login');
return false;
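Review bot: The status check now matches only 401, so a 403 falls out of the interceptor without an explicit return and the reader cannot tell from this hunk whether that fall-through (letting the rejection propagate) is intended or an oversight; a comment above the check, e.g. `// 401: token/session is no longer valid, force re-login. 403 (authorization) is left to the caller's error handler.`, would make the split this commit introduces visible at the point it matters. If the remainder of the function, which continues outside the hunk, does not return anything for other statuses, an explicit `return true;` at its end would state that intent in code as well. The interceptor's closing lines are outside the hunk.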