Return 403 instead of 401 when a user is known (#705)

* return 403 instead of 401 if user is known * return 403 for unverified users * updated docs
fastapi-users · Sep 4, 2021 · e59fb2c · e59fb2c
1 parent 7527902
commit e59fb2c
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 33 deletions.
diff --git a/docs/usage/dependency-callables.md b/docs/usage/dependency-callables.md
@@ -11,7 +11,7 @@ Return a dependency callable to retrieve currently authenticated user, passing t
 
 * `optional`: If `True`, `None` is returned if there is no authenticated user or if it doesn't pass the other requirements. Otherwise, throw `401 Unauthorized`. Defaults to `False`.
 * `active`: If `True`, throw `401 Unauthorized` if the authenticated user is inactive. Defaults to `False`.
-* `verified`: If `True`, throw `401 Unauthorized` if the authenticated user is not verified. Defaults to `False`.
+* `verified`: If `True`, throw `403 Forbidden` if the authenticated user is not verified. Defaults to `False`.
 * `superuser`: If `True`, throw `403 Forbidden` if the authenticated user is not a superuser. Defaults to `False`.
 
 ### Examples
@@ -88,7 +88,7 @@ def protected_route(user: User = Depends(fastapi_users.get_current_active_user))
 
 ### `get_current_verified_user`
 
-Get the current active and verified user. Will throw a `401 Unauthorized` if missing or wrong credentials or if the user is not active and verified.
+Get the current active and verified user. Will throw a `401 Unauthorized` if missing or wrong credentials or if the user is not active. Will throw a `403 Forbidden` if the user is unverified.
 
 ```py
 @app.get("/protected-route")

diff --git a/fastapi_users/authentication/__init__.py b/fastapi_users/authentication/__init__.py
@@ -183,12 +183,13 @@ async def _authenticate(
 
         status_code = status.HTTP_401_UNAUTHORIZED
         if user:
+            status_code = status.HTTP_403_FORBIDDEN
             if active and not user.is_active:
+                status_code = status.HTTP_401_UNAUTHORIZED
                 user = None
             elif verified and not user.is_verified:
                 user = None
             elif superuser and not user.is_superuser:
-                status_code = status.HTTP_403_FORBIDDEN
                 user = None
 
         if not user and not optional:

diff --git a/tests/test_fastapi_users.py b/tests/test_fastapi_users.py
@@ -191,7 +191,7 @@ async def test_valid_token_unverified_user(
             "/current-verified-user",
             headers={"Authorization": f"Bearer {user.id}"},
         )
-        assert response.status_code == status.HTTP_401_UNAUTHORIZED
+        assert response.status_code == status.HTTP_403_FORBIDDEN
 
     async def test_valid_token_verified_user(
         self, test_app_client: httpx.AsyncClient, verified_user: UserDB
@@ -253,7 +253,7 @@ async def test_valid_token_regular_user(
             "/current-verified-superuser",
             headers={"Authorization": f"Bearer {user.id}"},
         )
-        assert response.status_code == status.HTTP_401_UNAUTHORIZED
+        assert response.status_code == status.HTTP_403_FORBIDDEN
 
     async def test_valid_token_verified_user(
         self, test_app_client: httpx.AsyncClient, verified_user: UserDB
@@ -271,7 +271,7 @@ async def test_valid_token_superuser(
             "/current-verified-superuser",
             headers={"Authorization": f"Bearer {superuser.id}"},
         )
-        assert response.status_code == status.HTTP_401_UNAUTHORIZED
+        assert response.status_code == status.HTTP_403_FORBIDDEN
 
     async def test_valid_token_verified_superuser(
         self, test_app_client: httpx.AsyncClient, verified_superuser: UserDB

diff --git a/tests/test_router_auth.py b/tests/test_router_auth.py
@@ -183,7 +183,7 @@ async def test_valid_credentials_unverified(
             path, headers={"Authorization": f"Bearer {user.id}"}
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
         else:
             assert response.status_code == status.HTTP_200_OK
 

diff --git a/tests/test_router_users.py b/tests/test_router_users.py
@@ -97,7 +97,7 @@ async def test_active_user(
             "/me", headers={"Authorization": f"Bearer {user.id}"}
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
         else:
             assert response.status_code == status.HTTP_200_OK
             data = cast(Dict[str, Any], response.json())
@@ -159,7 +159,7 @@ async def test_existing_email(
             headers={"Authorization": f"Bearer {user.id}"},
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
             assert after_update.called is False
         else:
             assert response.status_code == status.HTTP_400_BAD_REQUEST
@@ -181,7 +181,7 @@ async def test_invalid_password(
             headers={"Authorization": f"Bearer {user.id}"},
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
             assert after_update.called is False
         else:
             assert response.status_code == status.HTTP_400_BAD_REQUEST
@@ -204,7 +204,7 @@ async def test_empty_body(
             "/me", json={}, headers={"Authorization": f"Bearer {user.id}"}
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
             assert after_update.called is False
         else:
             assert response.status_code == status.HTTP_200_OK
@@ -232,7 +232,7 @@ async def test_valid_body(
             "/me", json=json, headers={"Authorization": f"Bearer {user.id}"}
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
             assert after_update.called is False
         else:
             assert response.status_code == status.HTTP_200_OK
@@ -260,7 +260,7 @@ async def test_valid_body_is_superuser(
             "/me", json=json, headers={"Authorization": f"Bearer {user.id}"}
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
             assert after_update.called is False
         else:
             assert response.status_code == status.HTTP_200_OK
@@ -288,7 +288,7 @@ async def test_valid_body_is_active(
             "/me", json=json, headers={"Authorization": f"Bearer {user.id}"}
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
             assert after_update.called is False
         else:
             assert response.status_code == status.HTTP_200_OK
@@ -316,7 +316,7 @@ async def test_valid_body_is_verified(
             "/me", json=json, headers={"Authorization": f"Bearer {user.id}"}
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
             assert after_update.called is False
         else:
             assert response.status_code == status.HTTP_200_OK
@@ -349,7 +349,7 @@ async def test_valid_body_password(
             "/me", json=json, headers={"Authorization": f"Bearer {user.id}"}
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
             assert after_update.called is False
         else:
             assert response.status_code == status.HTTP_200_OK
@@ -535,8 +535,6 @@ async def test_regular_user(
             headers={"Authorization": f"Bearer {user.id}"},
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
-        else:
             assert response.status_code == status.HTTP_403_FORBIDDEN
 
     async def test_verified_user(
@@ -562,7 +560,7 @@ async def test_not_existing_user_unverified_superuser(
             headers={"Authorization": f"Bearer {superuser.id}"},
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
         else:
             assert response.status_code == status.HTTP_404_NOT_FOUND
 
@@ -589,7 +587,7 @@ async def test_superuser(
             f"/{user.id}", headers={"Authorization": f"Bearer {superuser.id}"}
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
         else:
             assert response.status_code == status.HTTP_200_OK
 
@@ -633,8 +631,6 @@ async def test_regular_user(
             headers={"Authorization": f"Bearer {user.id}"},
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
-        else:
             assert response.status_code == status.HTTP_403_FORBIDDEN
 
     async def test_verified_user(
@@ -661,7 +657,7 @@ async def test_not_existing_user_unverified_superuser(
             headers={"Authorization": f"Bearer {superuser.id}"},
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
         else:
             assert response.status_code == status.HTTP_404_NOT_FOUND
 
@@ -689,7 +685,7 @@ async def test_empty_body_unverified_superuser(
             f"/{user.id}", json={}, headers={"Authorization": f"Bearer {superuser.id}"}
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
         else:
             assert response.status_code == status.HTTP_200_OK
 
@@ -727,7 +723,7 @@ async def test_valid_body_unverified_superuser(
             headers={"Authorization": f"Bearer {superuser.id}"},
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
         else:
             assert response.status_code == status.HTTP_200_OK
 
@@ -808,7 +804,7 @@ async def test_valid_body_is_superuser_unverified_superuser(
             headers={"Authorization": f"Bearer {superuser.id}"},
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
         else:
             assert response.status_code == status.HTTP_200_OK
 
@@ -847,7 +843,7 @@ async def test_valid_body_is_active_unverified_superuser(
             headers={"Authorization": f"Bearer {superuser.id}"},
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
         else:
             assert response.status_code == status.HTTP_200_OK
 
@@ -886,7 +882,7 @@ async def test_valid_body_is_verified_unverified_superuser(
             headers={"Authorization": f"Bearer {superuser.id}"},
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
         else:
             assert response.status_code == status.HTTP_200_OK
 
@@ -930,7 +926,7 @@ async def test_valid_body_password_unverified_superuser(
             headers={"Authorization": f"Bearer {superuser.id}"},
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
         else:
             assert response.status_code == status.HTTP_200_OK
             assert mock_user_db.update.called is True
@@ -982,8 +978,6 @@ async def test_regular_user(
             headers={"Authorization": f"Bearer {user.id}"},
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
-        else:
             assert response.status_code == status.HTTP_403_FORBIDDEN
 
     async def test_verified_user(
@@ -1009,7 +1003,7 @@ async def test_not_existing_user_unverified_superuser(
             headers={"Authorization": f"Bearer {superuser.id}"},
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
         else:
             assert response.status_code == status.HTTP_404_NOT_FOUND
 
@@ -1040,7 +1034,7 @@ async def test_unverified_superuser(
             f"/{user.id}", headers={"Authorization": f"Bearer {superuser.id}"}
         )
         if requires_verification:
-            assert response.status_code == status.HTTP_401_UNAUTHORIZED
+            assert response.status_code == status.HTTP_403_FORBIDDEN
         else:
             assert response.status_code == status.HTTP_204_NO_CONTENT
             assert response.content == b""