Wrong HTTP status when bearer token is expired

[barredterra]

How to reproduce

• get a new oAuth2 access token (https://support.erpnext.com/docs/user/en/guides/integration/rest_api/oauth2)
• wait for one hour (3600 seconds)
• try to access a protected resource GET /api/method/frappe.auth.get_logged_user

Error

Frappe responds with HTTP 403 Forbidden and the following data:

{
        "exc": [
            "Traceback (most recent call last):",
            "File 'home/frappe/frappe-bench/apps/frappe/frappe/app.py', line 66",
            "in application response = frappe.api.handle()",
            "File 'home/frappe/frappe-bench/apps/frappe/frappe/api.py', line 56",
            "in handle return frappe.handler.handle()",
            "File 'home/frappe/frappe-bench/apps/frappe/frappe/handler.py', line 21",
            "in handle data = execute_cmd(cmd)",
            "File '/home/frappe/frappe-bench/apps/frappe/frappe/handler.py', line 54",
            "in execute_cmd is_whitelisted(method)",
            "File '/home/frappe/frappe-bench/apps/frappe/frappe/handler.py', line 64",
            "in is_whitelisted raise frappe.PermissionError('Not Allowed, {0}'.format(method))",
            "PermissionError: Not Allowed, <function get_logged_user at 0x7f9c027a9c08>"
        ],
        "_server_messages": [
            {
                "message": "Not permitted"
            }
        ]
}

403 means that a new authentication would not make any difference, access would still be denied. However, this is not the case here.

Correct behavior

Frappe should respond with HTTP 401 Unauthorized because the token is only expired, but it is still possible to refresh it.

[indrawow-archive]

Same here, should with 401