Rename `UnauthenticatedException` -> `UnauthorizedException` and `UnauthorizedException` -> `ForbiddenException`
jmphilli-cash opened this issue · comments
It looks like we rename these underlying http status codes when in gets packaged as a class. See here
This is very confusing.
HTTP 401 is canonically Unauthorized
.
HTTP 403 is canonically Forbidden
.
There is no "unauthenticated" status code.
This rename means users reaching for an Unauthorized
http status (401) will inadvertently return a 403. Users looking for a Forbidden
http status will be confused and have to dig.
We should be able to simply add a ForbiddenException
to handle the 403 case. Then we can deprecate the older UnauthorizedException
.
We can also introduce UnauthorizedExceptionV2
and deprecate the UnauthenticatedException
.
These names are higher-level concepts meant to describe action exceptions independently of the protocols used to be transmitted (e.g., HTTP and gRPC)
gRPC uses UNAUTHENTICATED instead of the HTTP Unauthorized which can leads even to further confusion.
Open to talk more about it if you feel strongly about this.
These exceptions include HTTP codes
code pointer
The WebActionException
includes the grpcStatus as well. These fields are used by the WebActionExceptionMapper to know how to translate to the relevant response depending on the protocol.