Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[_]: feat/return 403 instead of 401 when account is blocked #421

Merged
merged 1 commit into from
Jan 19, 2024
Merged

[_]: feat/return 403 instead of 401 when account is blocked #421

merged 1 commit into from
Jan 19, 2024

Conversation

apsantiso
Copy link
Collaborator

@apsantiso apsantiso commented Jan 19, 2024
edited
Loading

Consumer apps are not able to differentiate between wrong credentials and blocked account by just the http code.
In this PR we change the returned http code so they can take the necessary steps if an account is blocked.

According to RFC, we could also return 404, however, we are already including a message saying the user is blocked, so we have no reason to hide anything.

The 403 (Forbidden) status code indicates that the server understood
the request but refuses to authorize it. A server that wishes to
make public why the request has been forbidden can describe that
reason in the response payload (if any).

If authentication credentials were provided in the request, the
server considers them insufficient to grant access. The client
SHOULD NOT automatically repeat the request with the same
credentials. The client MAY repeat the request with new or different
credentials. However, a request might be forbidden for reasons
unrelated to the credentials.

An origin server that wishes to "hide" the current existence of a
forbidden target resource MAY instead respond with a status code of
404 (Not Found).

@apsantiso apsantiso added the enhancement New feature or request label Jan 19, 2024
@apsantiso apsantiso requested a review from sg-gs January 19, 2024 14:42
@apsantiso apsantiso self-assigned this Jan 19, 2024
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@sg-gs sg-gs merged commit 72c8076 into master Jan 19, 2024
6 of 10 checks passed
@sg-gs sg-gs deleted the feat/return-403-when-account-is-blocked branch January 19, 2024 15:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sg-gs sg-gs sg-gs approved these changes

Assignees

@apsantiso apsantiso

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@apsantiso @sg-gs