
Return 403 instead of 401 when a user is known #705

Merged (3 commits), Sep 4, 2021

Conversation

daanbeverdam
Contributor

Hi @frankie567,

I would like to propose to return a 403 whenever a user is known but doesn't have enough privileges to access a resource and return a 401 if a user could not be authenticated at all (wrong or no credentials provided). This follows the conventions outlined in rfc7235 and lets fastapi-users play nicely with frontend frameworks such as vue-auth which will log you out on receiving a 401.

Let me know if you agree, so I can also update the tests.

@frankie567
Member

Hi @daanbeverdam!

Thank you for your proposal!

Actually, I did this on purpose. In my opinion an inactive user should be considered the same as a non-existing user: it shouldn't be allowed to login and existing sessions should expire. This is the behavior adopted by default in Django.

However, concerning the not verified, well, I'm unsure 😅

@daanbeverdam
Contributor Author

Ah I see, that makes sense. Then I would propose to return a 401 for inactive users, and a 403 for the unverified. Because you know who the unverified user is and in many cases want to give them access to parts of the application where verification is not necessary. But if they stumble on a forbidden route we don't want them to log out completely (which is standard behaviour on receiving a 401).

@frankie567
Member

Yes, I think you convinced me there :) Would you mind making the necessary changes and updating the tests and documentation?

Cheers!
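
The convention settled on in the two comments above, as an added illustration that is not code from fastapi-users or from this PR: a hypothetical `current_user` dependency that answers 401 for missing or invalid credentials and for inactive users (treated as non-existing), and 403 only for a known, active user who is not verified on a route that requires it. `User`, `AuthError`, `SESSIONS` and the token values are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    # Constructed stand-in for a user record, not fastapi-users' own model.
    email: str
    is_active: bool = True
    is_verified: bool = False


class AuthError(Exception):
    # Hypothetical stand-in for FastAPI's HTTPException: carries the status code.
    def __init__(self, status_code: int, detail: str):
        super().__init__(detail)
        self.status_code = status_code
        self.detail = detail


# Constructed token-to-user table standing in for a real authentication backend.
SESSIONS = {
    "tok-alice": User("alice@example.com", is_active=True, is_verified=True),
    "tok-bob": User("bob@example.com", is_active=True, is_verified=False),
    "tok-carol": User("carol@example.com", is_active=False, is_verified=True),
}


def current_user(token: Optional[str], *, active: bool = True, verified: bool = False) -> User:
    """Resolve the caller following the convention agreed in the thread.

    401: no/invalid credentials, or an inactive user (client drops its session).
    403: known, active user lacking verification on a route that needs it.
    """
    user = SESSIONS.get(token) if token else None
    if user is None:
        raise AuthError(401, "Unauthorized")
    if active and not user.is_active:
        raise AuthError(401, "Unauthorized")
    if verified and not user.is_verified:
        raise AuthError(403, "Forbidden")
    return user


def status_for(token: Optional[str], **opts) -> int:
    """Return the HTTP status a route guarded by current_user would produce."""
    try:
        current_user(token, **opts)
    except AuthError as exc:
        return exc.status_code
    return 200
```

A frontend that logs the user out on 401 therefore only drops the session for unknown or inactive users, while an unverified user hitting a verified-only route keeps their session and sees a 403.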

@daanbeverdam
Contributor Author

Thanks @frankie567! I've updated the logic, tests and documentation. Awaiting your feedback.

@codecov

codecov bot commented Sep 4, 2021

Codecov Report

❗ No coverage uploaded for pull request base (master@848315b).
The diff coverage is n/a.


@@            Coverage Diff             @@
##             master      #705   +/-   ##
==========================================
  Coverage          ?   100.00%           
==========================================
  Files             ?        20           
  Lines             ?       707           
  Branches          ?         0           
==========================================
  Hits              ?       707           
  Misses            ?         0           
  Partials          ?         0           


Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 848315b...63994e4.

@frankie567
Member

Perfect! Thank you 🙏

@frankie567
Member

@all-contributors add @daanbeverdam for code

@allcontributors
Contributor

@frankie567

This project's configuration file has malformed JSON: .all-contributorsrc. Error: Unexpected token in JSON at position 8303

@frankie567 frankie567 merged commit e59fb2c into fastapi-users:master Sep 4, 2021
@frankie567
Member

@all-contributors add @daanbeverdam for code

@allcontributors
Contributor

@frankie567

I've put up a pull request to add @daanbeverdam! 🎉
