
Return 401 instead of 403 response for invalid token #760

Open
mihow opened this issue Sep 6, 2023 · 1 comment

Comments

@mihow

mihow commented Sep 6, 2023

Right now both permission denied & invalid token errors return 403 responses. It would be nice to know if a user was actually logged out, or if a user is still logged in but isn't authorized to do something.

I am willing to fork or add a workaround if someone is able to give me guidance on where to make the change.

Thanks!

@tomwojcik
Contributor

You're talking about a case when the token WAS valid but it either expired or was removed from the DB? If so, then I think you're right, it should rather return 401. We handle that in UserViewSet.permission_denied.

Please start by writing test cases. Once you fork and clone the repo, make init is all you need (if you have poetry).

Let me know if you need additional help!

Note that we already have some tests where 401 is returned.

./testapp/tests/test_user_detail.py:43:        self.assert_status_equal(response, status.HTTP_401_UNAUTHORIZED)
./testapp/tests/test_user_list.py:24:        self.assert_status_equal(response, status.HTTP_401_UNAUTHORIZED)
./testapp/tests/test_token_destroy.py:34:        self.assert_status_equal(response, status.HTTP_401_UNAUTHORIZED)
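To make the 401-versus-403 distinction discussed above concrete, here is an added example that is not djoser's or Django REST Framework's own code. It re-implements, in plain Python with no Django dependency, the decision rule DRF applies in APIView.permission_denied and APIView.handle_exception: a rejected or missing token is a 401 candidate, an authenticated user without rights is a 403, and a 401 is only kept when the first authenticator can emit a WWW-Authenticate challenge. The Request dataclass, the AUTHENTICATE_HEADER map and the dispatch function are constructed stand-ins for the framework objects, and the scenarios at the bottom are constructed inputs.

```python
"""Model of how DRF decides between 401 and 403 when a request is rejected.

Constructed example for this issue; it is not djoser's or DRF's own code and it
does not import Django or DRF. It mirrors the decision rule of
APIView.permission_denied and APIView.handle_exception in plain Python so the
outcomes discussed in the issue can be compared side by side.
"""
from dataclasses import dataclass, field
from typing import Optional

HTTP_401_UNAUTHORIZED = 401
HTTP_403_FORBIDDEN = 403


@dataclass
class Request:
    """Only the request state that the decision rule looks at (stand-in object)."""
    # Authentication classes configured on the view (class names stand in for classes).
    authenticators: list = field(default_factory=list)
    # The authenticator that accepted the credentials, or None if nobody did.
    successful_authenticator: Optional[str] = None
    # True when a token/session was presented but rejected (expired, deleted, ...).
    credentials_rejected: bool = False
    # Whether the identified user passes the view's permission checks.
    has_permission: bool = False


# WWW-Authenticate challenge each authenticator can emit. DRF's SessionAuthentication
# emits none, which is why a 401 is downgraded to 403 when it is the first authenticator.
AUTHENTICATE_HEADER = {"TokenAuthentication": "Token", "SessionAuthentication": None}


def authenticate(request: Request) -> Optional[int]:
    """Step 1: presented-but-rejected credentials raise AuthenticationFailed in DRF
    (a 401 candidate) before any permission check runs."""
    if request.credentials_rejected:
        return HTTP_401_UNAUTHORIZED
    return None


def permission_denied(request: Request) -> int:
    """Step 2: mirror APIView.permission_denied. An anonymous request on a view that
    has authenticators is NotAuthenticated (401 candidate); a known user is 403."""
    if request.authenticators and not request.successful_authenticator:
        return HTTP_401_UNAUTHORIZED
    return HTTP_403_FORBIDDEN


def finalize(status_code: int, request: Request) -> tuple:
    """Step 3: mirror APIView.handle_exception. A 401 is kept only when the first
    authenticator supplies a WWW-Authenticate challenge; otherwise it becomes 403,
    which is the classic reason an invalid token shows up as 403."""
    if status_code == HTTP_401_UNAUTHORIZED:
        first = request.authenticators[0] if request.authenticators else None
        challenge = AUTHENTICATE_HEADER.get(first)
        if challenge is None:
            return HTTP_403_FORBIDDEN, {}
        return HTTP_401_UNAUTHORIZED, {"WWW-Authenticate": challenge}
    return status_code, {}


def dispatch(request: Request) -> tuple:
    """Run the three steps and return (status_code, headers) for a protected view."""
    code = authenticate(request)
    if code is None:
        code = 200 if request.has_permission else permission_denied(request)
    return finalize(code, request)


if __name__ == "__main__":
    # Constructed scenarios for a view that uses TokenAuthentication.
    expired = Request(authenticators=["TokenAuthentication"], credentials_rejected=True)
    forbidden = Request(authenticators=["TokenAuthentication"],
                        successful_authenticator="TokenAuthentication", has_permission=False)
    print("expired/deleted token:", dispatch(expired))    # (401, {'WWW-Authenticate': 'Token'})
    print("logged in, no rights :", dispatch(forbidden))  # (403, {})
```

The useful check for a client is the pair of outcomes: a 401 with a WWW-Authenticate header means "re-authenticate", a 403 with no challenge means "this identity is known and still not allowed". When a test for this issue is written in the style of the grep hits above, the expired-token case should assert HTTP_401_UNAUTHORIZED and the logged-in-but-unauthorized case HTTP_403_FORBIDDEN.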
