- Bug
- Resolution: Fixed
- Normal
In some API endpoints we return a 401 Unauthorized error instead of 403 Forbidden when the request carries a valid auth token that is not allowed to access the resource.
For instance, see https://github.com/metabrainz/listenbrainz-server/blob/b28e14f2843f221cd5cbe555c9eabdc50c1a6e36/listenbrainz/webserver/views/user_timeline_event_api.py#L252-L253 .
To be clear: 401 should be returned when the token is missing or invalid. If the token is valid but is not authorized to access the resource, 403 should be returned. Therefore, the case above should be updated to return a 403 error instead. Also check the rest of the source code and the documentation for the same issue.
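The following is an added example, not code from the ListenBrainz repository, showing the ordering of checks this ticket describes: reject a missing or malformed header with 401, reject an unknown token with 401, and only then decide whether the authenticated user may act on the requested resource (403 if not). It assumes a header of the form `Authorization: Token <value>` and a constructed in-memory token table standing in for a database lookup.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str
    token: str


# Constructed sample data: two users with distinct API tokens.
# A real service would look tokens up in its database instead.
USERS = {
    "alice-token": User("alice", "alice-token"),
    "bob-token": User("bob", "bob-token"),
}


def parse_token_header(auth_header: Optional[str]) -> Optional[str]:
    """Extract the token from 'Authorization: Token <value>'.

    Returns None when the header is absent, uses a different scheme,
    or carries no value, so the caller can answer 401 uniformly.
    """
    if not auth_header:
        return None
    scheme, _, value = auth_header.strip().partition(" ")
    if scheme.lower() != "token" or not value.strip():
        return None
    return value.strip()


def lookup_user(token: str) -> Optional[User]:
    """Find the user owning `token`, comparing in constant time."""
    for stored_token, user in USERS.items():
        if hmac.compare_digest(stored_token, token):
            return user
    return None


def authorize_request(auth_header: Optional[str], resource_owner: str) -> Tuple[int, str]:
    """Return (HTTP status, message) for a request against `resource_owner`'s data.

    401 -> the caller could not be authenticated at all (no/malformed/unknown token).
    403 -> the caller is authenticated but is not permitted to touch this resource.
    200 -> authenticated and authorized.
    """
    token = parse_token_header(auth_header)
    if token is None:
        return 401, "Authorization header missing or malformed"

    user = lookup_user(token)
    if user is None:
        return 401, "Invalid authorization token"

    # Authentication succeeded; this is now an authorization decision.
    if user.name != resource_owner:
        return 403, f"User {user.name} may not act on {resource_owner}'s resources"

    return 200, "OK"


if __name__ == "__main__":
    for header, owner in [
        (None, "alice"),
        ("Token not-a-real-token", "alice"),
        ("Token bob-token", "alice"),
        ("Token alice-token", "alice"),
    ]:
        print(repr(header), owner, "->", authorize_request(header, owner))
```

Keeping the two failure modes in separate branches also helps when reviewing the codebase for this bug: any endpoint that answers 401 after it has already resolved the token to a user is a candidate for the same fix.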