From 307a73c75282d7281ff136c2e6ad5b74d271c205 Mon Sep 17 00:00:00 2001
From: kevgliss
Date: Thu, 18 May 2017 13:20:17 -0700
Subject: [PATCH] Fixing some confusion between 401 vs 403 error code.

401 indicates that the user should attempt to authenticate again. Where as 403 indicates the user is authenticated but not allowed to complete an action. (#804)

Closes #767
---
 lemur/auth/views.py | 8 ++++----
 lemur/certificates/views.py | 2 +-
 lemur/static/app/angular/app.js | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/lemur/auth/views.py b/lemur/auth/views.py
index 8851d518..35a0aa43 100644
--- a/lemur/auth/views.py
+++ b/lemur/auth/views.py
@@ -164,17 +164,17 @@ class Ping(Resource):
                 algo = header_data['alg']
                 break
         else:
-            return dict(message='Key not found'), 403
+            return dict(message='Key not found'), 401
 
         # validate your token based on the key it was signed with
         try:
             jwt.decode(id_token, secret.decode('utf-8'), algorithms=[algo], audience=args['clientId'])
         except jwt.DecodeError:
-            return dict(message='Token is invalid'), 403
+            return dict(message='Token is invalid'), 401
         except jwt.ExpiredSignatureError:
-            return dict(message='Token has expired'), 403
+            return dict(message='Token has expired'), 401
         except jwt.InvalidTokenError:
-            return dict(message='Token is invalid'), 403
+            return dict(message='Token is invalid'), 401
 
         user_params = dict(access_token=access_token, schema='profile')
 
diff --git a/lemur/certificates/views.py b/lemur/certificates/views.py
index 16236021..ae491aa3 100644
--- a/lemur/certificates/views.py
+++ b/lemur/certificates/views.py
@@ -271,7 +271,7 @@ class CertificatesList(AuthenticatedResource):
             data['creator'] = g.user
             return service.create(**data)
 
-        return dict(message="You are not authorized to use {0}".format(data['authority'].name)), 403
+        return dict(message="You are not authorized to use the authority: {0}".format(data['authority'].name)), 403
 
 
 class CertificatesUpload(AuthenticatedResource):
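Review bot: The `jwt.decode` context line still passes `algorithms=[algo]` with `algo` taken from `header_data['alg']` in the loop above, so whoever minted the token also names the algorithm used to verify it; if `header_data` is the token's own (unverified) header — its derivation is outside the hunk — the algorithm should be pinned to what the matched JWKS entry advertises or to a fixed allow-list such as `algorithms=['RS256']`, which also keeps `none` and HMAC-with-public-key confusion out regardless of PyJWT version. The three new 401 responses are also missing the `WWW-Authenticate` header that RFC 7235 requires on a 401; Flask-RESTful accepts a three-tuple, e.g. `return dict(message='Token is invalid'), 401, {'WWW-Authenticate': 'Bearer'}`. Since `jwt.DecodeError` and `jwt.ExpiredSignatureError` both subclass `jwt.InvalidTokenError`, the final handler already covers the first two if a single 401 path is preferred. The enclosing method begins and ends outside the hunk.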
diff --git a/lemur/static/app/angular/app.js b/lemur/static/app/angular/app.js
index e162516f..3de47b73 100644
--- a/lemur/static/app/angular/app.js
+++ b/lemur/static/app/angular/app.js
@@ -106,7 +106,7 @@
 
     // handle situation where our token has become invalid.
     RestangularConfigurer.setErrorInterceptor(function (response) {
-      if (response.status === 403) {
+      if (response.status === 401) {
         $auth.logout();
         $location.path('/login');
         return false;
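Review bot: With the condition narrowed to 401, a 403 now falls through the interceptor without a return value, so Restangular will reject the caller's promise with the response instead of logging the user out — every caller that previously relied on the interceptor for "not authorized" must now surface `response.data.message` itself (whether any do is outside this hunk). That split is worth stating at the context comment so the next reader does not widen the check again: `// 401: credentials are no longer valid -> drop them and re-authenticate. 403: authenticated but not permitted -> let the caller report the error.` The enclosing function starts and ends outside the hunk.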