Return 403 instead of 401 when a user is known #705
Conversation
Hi @daanbeverdam! Thank you for your proposal! Actually, I did this on purpose. In my opinion an inactive user should be considered the same as a non-existing user: it shouldn't be allowed to login and existing sessions should expire. This is the behavior adopted by default in Django. However, concerning the not verified, well, I'm unsure 😅
Ah I see, that makes sense. Then I would propose to return a 401 for inactive users, and a 403 for the unverified. Because you know who the unverified user is and in many cases want to give them access to parts of the application where verification is not necessary. But if they stumble on a forbidden route we don't want them to log out completely (which is standard behaviour on receiving a 401).
Yes, I think you convinced me there :) Would you mind making the necessary changes and updating the tests and documentation? Cheers!
Thanks @frankie567! I've updated the logic, tests and documentation. Awaiting your feedback.
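The rule the thread settles on (401 when the caller cannot be authenticated or is inactive, 403 when the user is known but lacks a required property such as verification), as an added example that is not fastapi-users' own code: a plain-Python stand-in for a `current_user` dependency, where `HTTPError`, `SESSIONS`, the `User` fields and the `superuser` requirement are assumptions made for the example.

```python
# Added example (not fastapi-users' code): the 401-vs-403 decision from #705,
# written without FastAPI so it runs stand-alone.
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    email: str
    is_active: bool = True
    is_verified: bool = False
    is_superuser: bool = False


class HTTPError(Exception):
    """Assumed stand-in for fastapi.HTTPException (only the status code matters here)."""

    def __init__(self, status_code: int):
        super().__init__(status_code)
        self.status_code = status_code


# Constructed token -> user mapping, standing in for the session/JWT backend.
SESSIONS = {
    "tok-alice": User("alice@example.com", is_verified=True),
    "tok-bob": User("bob@example.com"),                       # unverified
    "tok-carol": User("carol@example.com", is_active=False),  # deactivated
}


def current_user(token: Optional[str], *, verified: bool = False, superuser: bool = False) -> User:
    """Resolve the caller and apply the status codes agreed in the thread.

    401: no/unknown token, or an inactive user (treated like a non-existing user,
         so a client such as vue-auth drops its session).
    403: the user is known but lacks a required property; the client keeps its
         session and can still use routes that do not require that property.
    """
    user = SESSIONS.get(token) if token else None
    if user is None or not user.is_active:
        raise HTTPError(401)
    if verified and not user.is_verified:
        raise HTTPError(403)
    if superuser and not user.is_superuser:
        raise HTTPError(403)
    return user


def status_for(token: Optional[str], **requirements) -> int:
    """200 when access is granted, otherwise the HTTP status the dependency raised."""
    try:
        current_user(token, **requirements)
        return 200
    except HTTPError as exc:
        return exc.status_code
```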
Codecov Report

```
@@            Coverage Diff            @@
##             master     #705   +/-   ##
=========================================
  Coverage          ?   100.00%
=========================================
  Files             ?        20
  Lines             ?       707
  Branches          ?         0
=========================================
  Hits              ?       707
  Misses            ?         0
  Partials          ?         0
```

Continue to review full report at Codecov.
Perfect! Thank you 🙏
@all-contributors add @daanbeverdam for code
This project's configuration file has malformed JSON: .all-contributorsrc. Error:: Unexpected token
@all-contributors add @daanbeverdam for code
I've put up a pull request to add @daanbeverdam! 🎉
Hi @frankie567,
I would like to propose to return a 403 whenever a user is known but doesn't have enough privileges to access a resource and return a 401 if a user could not be authenticated at all (wrong or no credentials provided). This follows the conventions outlined in rfc7235 and lets fastapi-users play nicely with frontend frameworks such as vue-auth, which will log you out on receiving a 401. Let me know if you agree, so I can also update the tests.