Skip to content

override unauthorized 400 to 401 #175

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
prashantpandeygit wants to merge 5 commits into
base: main
Choose a base branch
from
Open

override unauthorized 400 to 401 #175

prashantpandeygit wants to merge 5 commits into from

Conversation

@prashantpandeygit
Copy link
Contributor

@prashantpandeygit prashantpandeygit commented Jan 9, 2026

Pull Request

Description

Convert auth0 400 bad request to 401 unauthorized, as the auth0-fastapi-api library returns error 400 by default for any kind of auth failures, changed the 400s to 401 as it was done before #170 with pyjwt

Fixes #173

@prashantpandeygit prashantpandeygit marked this pull request as ready for review January 9, 2026 12:34
@prashantpandeygit
Copy link
Contributor Author

prashantpandeygit commented Jan 9, 2026

@peterdudfield I have made the override, it will show 401(unauthorized) instead of 400, but will have the description of 401, so either we could keep it to show the correct description or replace the text with "unauthorized access attempt" and below it log the error, whatever you prefer. hope this helps, thanks!

peterdudfield
peterdudfield requested changes Jan 9, 2026
View reviewed changes
src/quartz_api/internal/middleware/auth.py Outdated
claims = await validator_dependency(request)
except HTTPException as e:
if e.status_code == 400:
raise HTTPException(status_code=401, detail=e.detail) from e
Copy link
Contributor

@peterdudfield peterdudfield Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldnt we be raised 403 for unauthorized?
Is there a way to see the e error message? And only raise 403 id its an unauthorized error, but not other ones

Copy link
Contributor Author

@prashantpandeygit prashantpandeygit Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i did 401 as it was done previously with the pyjwt lib, but i will change it to 403 only for unauthorized

peterdudfield
peterdudfield reviewed Jan 12, 2026
View reviewed changes
src/quartz_api/internal/middleware/auth.py
if (
e.status_code == 400 and
isinstance(e.detail, dict) and
e.detail.get("error") == "invalid_request"
Copy link
Contributor

@peterdudfield peterdudfield Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is does invalid_request appear if and only if when the user is not authenticated?

Copy link
Contributor Author

@prashantpandeygit prashantpandeygit Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes only when not authenticated, or missing token (i checked in the library code itself in the venv, as there is no docs for this)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@peterdudfield peterdudfield peterdudfield requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Dont get 403 if not authenticated

2 participants

@prashantpandeygit @peterdudfield