Wrong HTTP response code from API for unauthorized request

Request without token:

```s
$ curl -i http://127.0.0.1:1212/api/torrents
HTTP/1.1 500 Internal Server Error
content-type: text/plain; charset=utf-8
content-length: 51
date: Wed, 10 Aug 2022 08:32:46 GMT

Unhandled rejection: Err { reason: "unauthorized" }
```

Request with token:

```s
$ curl -i http://127.0.0.1:1212/api/torrents?token=MyAccessToken
HTTP/1.1 200 OK
content-type: application/json
content-length: 2
date: Wed, 10 Aug 2022 08:45:47 GMT

[]
```

I think the response code should be `401` for this endpoint.

> **NOTE** for other endpoints: if knowing the resource URL implies getting info you should not have, then you should return `404` instead of `403` ([Insecure Direct Object References (IDOR)](https://portswigger.net/web-security/access-control/idor)).

### Links

1. https://auth0.com/blog/forbidden-unauthorized-http-status-codes/
2. https://enterprisecraftsmanship.com/posts/rest-api-response-codes-400-vs-500/


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Wrong HTTP response code from API for unauthorized request #58

Links

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Wrong HTTP response code from API for unauthorized request #58

Description

Links

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions