Rename `UnauthenticatedException` -> `UnauthorizedException` and `UnauthorizedException` -> `ForbiddenException`

Question

Rename `UnauthenticatedException` -> `UnauthorizedException` and `UnauthorizedException` -> `ForbiddenException`

jmphilli-cash opened this issue 4 months ago · comments

It looks like we rename these underlying http status codes when in gets packaged as a class. See here

This is very confusing.
HTTP 401 is canonically Unauthorized.
HTTP 403 is canonically Forbidden.
There is no "unauthenticated" status code.

This rename means users reaching for an Unauthorized http status (401) will inadvertently return a 403. Users looking for a Forbidden http status will be confused and have to dig.

We should be able to simply add a ForbiddenException to handle the 403 case. Then we can deprecate the older UnauthorizedException.
We can also introduce UnauthorizedExceptionV2 and deprecate the UnauthenticatedException.

Francisco Rojas · Answer 1 · Thu Apr 11 2024 04:15:34 GMT+0800 (China Standard Time)

These names are higher-level concepts meant to describe action exceptions independently of the protocols used to be transmitted (e.g., HTTP and gRPC)

gRPC uses UNAUTHENTICATED instead of the HTTP Unauthorized which can leads even to further confusion.

Open to talk more about it if you feel strongly about this.

justin phillips · Answer 2 · Thu Apr 11 2024 04:30:08 GMT+0800 (China Standard Time)

These exceptions include HTTP codes
code pointer

Francisco Rojas · Answer 3 · Mon Apr 15 2024 04:25:19 GMT+0800 (China Standard Time)

The WebActionException includes the grpcStatus as well. These fields are used by the WebActionExceptionMapper to know how to translate to the relevant response depending on the protocol.