Return 401 for unauthenticated requests in middleware, not 403

someone1 · May 21, 2019 · f42d40a · f42d40a
1 parent 09a1f54
commit f42d40a
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -10,6 +10,7 @@ Google Cloud KMS [now supports signatures](https://cloud.google.com/kms/docs/cre
 
 - Dropping support for AppEngine Go 1.9 environment (last version with AppEngine App Identity support will be for Go 1.11)
 - KMSConfig no longer takes an optional HTTP Client, but rather the kms gRPC based client
+- Middleware will now return a 401 response for unauthenticated requests (previously was returning a 403 response)
 
 ## Breaking Changes with v2
 

diff --git a/jwtmiddleware/helpers_test.go b/jwtmiddleware/helpers_test.go
@@ -137,7 +137,7 @@ func TestHelpers(t *testing.T) {
 				"MissingToken",
 				audience,
 				nil,
-				http.StatusForbidden,
+				http.StatusUnauthorized,
 			},
 			{
 				"InvalidAudienceToken",

diff --git a/jwtmiddleware/middleware.go b/jwtmiddleware/middleware.go
@@ -29,7 +29,7 @@ func NewHandler(ctx context.Context, config *gcpjwt.IAMConfig, audience string)
 
 			token, err := request.ParseFromRequest(r, request.AuthorizationHeaderExtractor, keyFunc, request.WithClaims(claims))
 			if err != nil || !token.Valid {
-				http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+				http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
 				return
 			}