Return the proper 403 Forbidden error during errors with JWT logins. (#7844)

2025-06-01 12:44:30 -04:00 · 2020-07-15 07:10:21 -04:00 · 2020-07-15 07:10:21 -04:00 · 111e70d75c
commit 111e70d75c
parent 1d9dca02f9
4 changed files with 27 additions and 30 deletions
--- a/synapse/rest/client/v1/login.py
+++ b/synapse/rest/client/v1/login.py
@ -371,7 +371,7 @@ class LoginRestServlet(RestServlet):
        token = login_submission.get("token", None)
        if token is None:
            raise LoginError(
-                401, "Token field for JWT is missing", errcode=Codes.UNAUTHORIZED
+                403, "Token field for JWT is missing", errcode=Codes.FORBIDDEN
            )

        import jwt
@ -387,14 +387,12 @@ class LoginRestServlet(RestServlet):
        except jwt.PyJWTError as e:
            # A JWT error occurred, return some info back to the client.
            raise LoginError(
-                401,
-                "JWT validation failed: %s" % (str(e),),
-                errcode=Codes.UNAUTHORIZED,
+                403, "JWT validation failed: %s" % (str(e),), errcode=Codes.FORBIDDEN,
            )

        user = payload.get("sub", None)
        if user is None:
-            raise LoginError(401, "Invalid JWT", errcode=Codes.UNAUTHORIZED)
+            raise LoginError(403, "Invalid JWT", errcode=Codes.FORBIDDEN)

        user_id = UserID(user, self.hs.hostname).to_string()
        result = await self._complete_login(