Return 401 for unauthenticated requests in middleware, not 403

someone1 · someone1 · commit f42d40a3ff38 · 2019-05-21T08:17:46.000-04:00
diff --git a/README.md b/README.md
@@ -10,6 +10,7 @@ Google Cloud KMS [now supports signatures](https://cloud.google.com/kms/docs/cre
 
 - Dropping support for AppEngine Go 1.9 environment (last version with AppEngine App Identity support will be for Go 1.11)
 - KMSConfig no longer takes an optional HTTP Client, but rather the kms gRPC based client
+- Middleware will now return a 401 response for unauthenticated requests (previously was returning a 403 response)
 
 ## Breaking Changes with v2
 
diff --git a/jwtmiddleware/helpers_test.go b/jwtmiddleware/helpers_test.go
@@ -137,7 +137,7 @@ func TestHelpers(t *testing.T) {
 				"MissingToken",
 				audience,
 				nil,
-				http.StatusForbidden,
+				http.StatusUnauthorized,
 			},
 			{
 				"InvalidAudienceToken",
diff --git a/jwtmiddleware/middleware.go b/jwtmiddleware/middleware.go
@@ -29,7 +29,7 @@ func NewHandler(ctx context.Context, config *gcpjwt.IAMConfig, audience string)
 
 			token, err := request.ParseFromRequest(r, request.AuthorizationHeaderExtractor, keyFunc, request.WithClaims(claims))
 			if err != nil || !token.Valid {
-				http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+				http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
 				return
 			}
 

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func NewHandler(ctx context.Context, config *gcpjwt.IAMConfig, audience string)`
`29`	`29`
`30`	`30`	`token, err := request.ParseFromRequest(r, request.AuthorizationHeaderExtractor, keyFunc, request.WithClaims(claims))`
`31`	`31`	`if err != nil \|\| !token.Valid {`
`32`		`- http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)`
	`32`	`+ http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)`
`33`	`33`	`return`
`34`	`34`	`}`
`35`	`35`