Authorize Middleware returns 403 instead of 401 for unauthenticated users.

[jeovajr]

SDK Version

7.0

PHP Version

PHP 8.1

Composer Version

2.x

What happened?

Auth0\Laravel\Http\Middleware\Stateless\Authorize Middleware returns 403 'Unauthorized' for unauthenticated users.

I can see how 403 should be returned when there's a defined scope and the user does not have authorization on that scope. But, when there is no authenticated user, the middleware sill returns 403, when it's usually expected to be 401.

Also, I'd expect 403 message to be 'Forbidden' instead of 'Unauthorized'.

401 => 'Unauthorized' => For unauthenticated user
403 => 'Forbidden' => For authenticated user with forbidden access to a specific scope.

How can we reproduce this issue?

Make a request to a route protected by auth0.authorize middleware without a valid token.
Response status code should be 401, but it will be 403.

Additional context

No response

[evansims]

Hey, @jeovajr 👋 Thanks for reporting this! Give me a bit to investigate this, but I think I agree with your conclusion there, that 403 makes more sense in that case.

[evansims]

Hey again @jeovajr 👋 The SDK will be updated to reflect your suggestion in the forthcoming 7.2.0 release.

laravel-auth0/src/Http/Middleware/Stateless/Authorize.php

Line 42 in 72465fa

abort(401, 'Unauthorized');

Thanks for your feedback and contribution!

[jeovajr]

@evansims thank you very much for this! I also noted that now we have native support for Laravel Cache APIs. That's also great. Thanks for that as well.