Return 403 instead of 401 when required permissions are missing (#9)

mduesterhoeft · web-flow · commit d7d2d77eb789 · 2019-04-30T10:40:19.000+02:00
diff --git a/router/src/main/kotlin/io/moia/router/RequestHandler.kt b/router/src/main/kotlin/io/moia/router/RequestHandler.kt
@@ -33,7 +33,7 @@ abstract class RequestHandler : RequestHandler<APIGatewayProxyRequestEvent, APIG
                 val matchedAcceptType = routerFunction.requestPredicate.matchedAcceptType(input.acceptedMediaTypes())
                     ?: MediaType.parse(router.defaultContentType)
                 if (!permissionHandlerSupplier()(input).hasAnyRequiredPermission(routerFunction.requestPredicate.requiredPermissions))
-                    return createApiExceptionErrorResponse(matchedAcceptType, input, ApiException("unauthorized", "UNAUTHORIZED", 401))
+                    return createApiExceptionErrorResponse(matchedAcceptType, input, ApiException("missing permissions", "MISSING_PERMISSIONS", 403))
 
                 val handler: HandlerFunction<Any, Any> = routerFunction.handler
                 return try {
diff --git a/router/src/test/kotlin/io/moia/router/RequestHandlerTest.kt b/router/src/test/kotlin/io/moia/router/RequestHandlerTest.kt
@@ -244,7 +244,7 @@ class RequestHandlerTest {
                 )), mockk()
         )
 
-        assert(response.statusCode).isEqualTo(401)
+        assert(response.statusCode).isEqualTo(403)
     }
 
     @Test

Original file line number	Diff line number	Diff line change
`@@ -244,7 +244,7 @@ class RequestHandlerTest {`
`244`	`244`	`)), mockk()`
`245`	`245`	`)`
`246`	`246`
`247`		`- assert(response.statusCode).isEqualTo(401)`
	`247`	`+ assert(response.statusCode).isEqualTo(403)`
`248`	`248`	`}`
`249`	`249`
`250`	`250`	`@Test`