@devin-ai-integration devin-ai-integration bot commented Jun 28, 2025

Fix HTTP auth status codes: return 401 instead of 403 for authentication failures

Summary

This PR fixes incorrect HTTP status codes in the FastAPI security authentication classes. Previously, HTTPBase, HTTPBearer, and HTTPDigest were returning 403 Forbidden for missing or malformed authorization headers, but according to HTTP standards, 401 Unauthorized should be used for authentication failures (missing/invalid credentials) while 403 Forbidden should be reserved for authorization failures (valid credentials but insufficient permissions).

Key Changes:

  • Updated HTTPBase.__call__() to return 401 instead of 403 for missing authorization
  • Updated HTTPBearer.__call__() to return 401 instead of 403 for missing/invalid bearer tokens
  • Updated HTTPDigest.__call__() to return 401 instead of 403 for missing/invalid digest auth
  • Updated corresponding test assertions to expect 401 status codes
  • Makes all HTTP auth classes consistent with HTTPBasic which already correctly used 401

Review & Testing Checklist for Human

  • Run full test suite - Verify no other tests are broken by this status code change
  • Test actual HTTP requests - Make requests without auth headers to confirm 401 responses
  • Check for breaking change implications - Consider if existing client code relies on 403 status codes
  • Verify API documentation consistency - Ensure docs don't reference the old 403 behavior
  • Test edge cases - Verify malformed headers, wrong schemes, etc. all return 401

Diagram

graph TD
    subgraph "fastapi/security/"
        A[http.py]:::major-edit
        B[HTTPBase.__call__]:::major-edit
        C[HTTPBearer.__call__]:::major-edit  
        D[HTTPDigest.__call__]:::major-edit
        E[HTTPBasic.__call__]:::context
    end
    
    subgraph "tests/"
        F[test_security_http_base_description.py]:::minor-edit
        G[test_security_http_bearer.py]:::minor-edit
        H[test_security_http_digest.py]:::minor-edit
    end
    
    A --> B
    A --> C 
    A --> D
    A --> E
    
    B --> F
    C --> G
    D --> H
    
    subgraph Legend
        L1[Major Edit]:::major-edit
        L2[Minor Edit]:::minor-edit
        L3[Context/No Edit]:::context
    end
    
    classDef major-edit fill:#90EE90
    classDef minor-edit fill:#87CEEB  
    classDef context fill:#FFFFFF

Notes

  • HTTP Standards Compliance: This change aligns with RFC 7235 which specifies 401 for authentication challenges and 403 for authorization denials
  • Consistency: HTTPBasic already used 401 correctly, this makes the other HTTP auth classes consistent
  • Potential Breaking Change: Applications expecting 403 status codes will now receive 401 - consider semantic versioning implications
  • Error Messages Unchanged: Only status codes changed, error detail messages remain the same ("Not authenticated", "Invalid authentication credentials")

Link to Devin run: https://app.devin.ai/sessions/dbd89234593447b88a819c77c57825b7

Requested by: @the-coding-gopher
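The 401/403 split this PR applies, as an added stand-alone illustration (not FastAPI's own code): a missing, wrong-scheme, malformed or unrecognised credential is an authentication failure and gets 401 with the WWW-Authenticate challenge RFC 7235 requires on 401 responses, while a valid credential lacking the needed scope is an authorization failure and gets 403. The token table, scopes and `authorize` helper are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample credential store: bearer token -> granted scopes.
TOKENS: Dict[str, Set[str]] = {
    "tok-reader": {"items:read"},
    "tok-admin": {"items:read", "items:write"},
}


@dataclass
class Response:
    status: int
    detail: str
    headers: Dict[str, str] = field(default_factory=dict)


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the token if the header is a well-formed 'Bearer <token>'.

    Scheme names are case-insensitive (RFC 7235), so 'bearer x' is accepted.
    """
    if not authorization:
        return None
    scheme, _, credentials = authorization.partition(" ")
    if scheme.lower() != "bearer" or not credentials.strip():
        return None
    return credentials.strip()


def authorize(authorization: Optional[str], required_scope: str) -> Response:
    """Classify a request as 401 (authn), 403 (authz) or 200."""
    token = parse_bearer(authorization)
    if token is None:
        # No credentials, wrong scheme or malformed header: authentication
        # failure, so 401 plus the challenge RFC 7235 mandates for 401.
        return Response(401, "Not authenticated", {"WWW-Authenticate": "Bearer"})
    scopes = TOKENS.get(token)
    if scopes is None:
        # Credentials present but not recognised: still an authentication
        # failure; error="invalid_token" is the RFC 6750 bearer error code.
        return Response(401, "Invalid authentication credentials",
                        {"WWW-Authenticate": 'Bearer error="invalid_token"'})
    if required_scope not in scopes:
        # Valid credentials but insufficient permission: authorization
        # failure, so 403 and no WWW-Authenticate challenge.
        return Response(403, "Not enough permissions")
    return Response(200, "ok")
```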

…ion failures

- Change HTTPBase, HTTPBearer, and HTTPDigest classes to return HTTP_401_UNAUTHORIZED instead of HTTP_403_FORBIDDEN for missing or malformed authorization headers
- Update corresponding tests to expect 401 status codes
- Aligns with HTTP standards where 401 is for authentication failures and 403 is for authorization failures
- Makes all HTTP authentication classes consistent with HTTPBasic which already used 401

Co-Authored-By: The Coding Gopher <thecodinggopher@gmail.com>

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

