Conversation

Contributor

Copilot AI commented Feb 8, 2026

The codebase was incorrectly returning 401 (Unauthorized) when authenticated users lacked permission to access resources. Per HTTP semantics, 401 indicates authentication failure (missing/invalid credentials), while 403 indicates authorization failure (authenticated but insufficient permissions).

Changes

Handler fixes - Changed 401 to 403 for ownership/permission checks:

  • internal/handlers/llm_services.go: 4 occurrences
    • Share/unshare definition endpoints (lines 306, 356)
    • Create instance from shared definition (line 577)
    • Share instance endpoint (line 852)
  • internal/handlers/projects.go: 1 occurrence
    • Share project endpoint (line 440)

Test updates:

  • internal/handlers/llm_services_sharing_test.go: Updated expectation for access denied scenario (403 instead of 401)

Example change:

// Before: Authenticated user who isn't the owner gets 401
if definition.Owner != ctx.Value(auth.AuthUserKey).(string) {
    return nil, huma.Error401Unauthorized(...)
}

// After: Authenticated user who isn't the owner gets 403
if definition.Owner != ctx.Value(auth.AuthUserKey).(string) {
    return nil, huma.Error403Forbidden(...)
}

All affected cases involved checks where AuthUserKey was already set in context (user authenticated) but authorization failed (not owner/no access). Error messages normalized to lowercase for consistency.

Original prompt

See if the distinction between error responses 401 and 403 is followed correctly and consistently.
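The 401/403 split described in the PR, worked through as an added example that is not the project's own code: a constructed authentication middleware sets the user in the request context (standing in for auth.AuthUserKey), and the handler returns 401 only when no authenticated user is present, 403 when the user is authenticated but is not the owner. The context key, token table, resource store and handler are all assumptions made for this example; the project uses huma, which this stand-alone version replaces with net/http so it runs without dependencies.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ctxKey is a constructed context key type standing in for the project's auth.AuthUserKey.
type ctxKey string

const authUserKey ctxKey = "authUser"

// definition is a minimal stand-in for a shareable resource that has an owner.
type definition struct {
	ID    string
	Owner string
}

// store and tokens are constructed sample data for this example only.
var store = map[string]definition{
	"def-1": {ID: "def-1", Owner: "alice"},
}
var tokens = map[string]string{"tok-alice": "alice", "tok-bob": "bob"}

// statusForShare decides the HTTP status for a share request:
//   401 when no authenticated user is in context (authentication failed),
//   403 when the user is authenticated but is not the owner (authorization failed),
//   404 for an unknown resource, 200 when the share is allowed.
func statusForShare(ctx context.Context, defID string) int {
	user, ok := ctx.Value(authUserKey).(string)
	if !ok || user == "" {
		return http.StatusUnauthorized
	}
	def, found := store[defID]
	if !found {
		return http.StatusNotFound
	}
	if def.Owner != user {
		return http.StatusForbidden
	}
	return http.StatusOK
}

// authenticate is a constructed middleware: a recognised bearer token puts the
// user name into the request context; an unknown or missing token leaves it unset.
func authenticate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if user, ok := tokens[token]; ok && token != "" {
			r = r.WithContext(context.WithValue(r.Context(), authUserKey, user))
		}
		next.ServeHTTP(w, r)
	})
}

// shareHandler is the endpoint under test; it only maps the decision to a response.
func shareHandler(w http.ResponseWriter, r *http.Request) {
	status := statusForShare(r.Context(), r.URL.Query().Get("id"))
	w.WriteHeader(status)
	fmt.Fprintf(w, "%d %s\n", status, http.StatusText(status))
}

// ShareStatus drives the middleware and handler chain with an in-memory request
// and returns the resulting status code, which is what the tests assert on.
func ShareStatus(token, defID string) int {
	req := httptest.NewRequest(http.MethodPost, "/share?id="+defID, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	authenticate(http.HandlerFunc(shareHandler)).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cases := []struct{ token, id string }{
		{"", "def-1"},          // no credentials        -> 401
		{"tok-bogus", "def-1"}, // invalid credentials   -> 401
		{"tok-bob", "def-1"},   // authenticated, not owner -> 403
		{"tok-alice", "def-1"}, // owner                 -> 200
		{"tok-alice", "def-9"}, // unknown resource      -> 404
	}
	for _, c := range cases {
		fmt.Printf("token=%q id=%s -> %d\n", c.token, c.id, ShareStatus(c.token, c.id))
	}
}
```

The useful property to test for is exactly the one the PR's updated test encodes: the same request with a missing token and with a valid-but-wrong user must produce different codes (401 vs 403), so a regression that collapses the two is caught. Whether an unknown resource should answer 404 or 403 to a non-owner is a separate policy choice about what existence information a caller may learn; the example returns 404 before the ownership check only because that keeps the three outcomes distinct to read.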



Copilot AI and others added 2 commits February 8, 2026 17:50
…ticated users

Co-authored-by: awagner-mainz <2088443+awagner-mainz@users.noreply.github.com>
Co-authored-by: awagner-mainz <2088443+awagner-mainz@users.noreply.github.com>
Copilot AI changed the title [WIP] Review distinction between 401 and 403 error responses Fix HTTP status codes: use 403 for authorization failures on authenticated users Feb 8, 2026
Copilot AI requested a review from awagner-mainz February 8, 2026 17:56
@awagner-mainz awagner-mainz marked this pull request as ready for review February 8, 2026 17:58
@awagner-mainz
Contributor

Looks good.

@awagner-mainz awagner-mainz merged commit 52edc60 into main Feb 8, 2026
1 check passed
@awagner-mainz awagner-mainz deleted the copilot/check-error-response-handling branch February 8, 2026 17:58