BaseAuthentication Service should return a 401

xh · Sep 17, 2024 · a6570ce · a6570ce
1 parent d90f839
commit a6570ce
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 4 deletions.
diff --git a/src/main/groovy/io/xh/hoist/exception/NotAuthenticatedException.groovy b/src/main/groovy/io/xh/hoist/exception/NotAuthenticatedException.groovy
@@ -0,0 +1,24 @@
+/*
+ * This file belongs to Hoist, an application development toolkit
+ * developed by Extremely Heavy Industries (www.xh.io | [email protected])
+ *
+ * Copyright © 2023 Extremely Heavy Industries Inc.
+ */
+
+package io.xh.hoist.exception
+
+import static org.apache.hc.core5.http.HttpStatus.SC_UNAUTHORIZED
+
+/**
+ * Exception for use when the user making the request is not successfully authenticated,
+ *
+ * This exception is thrown by Hoist's {@link io.xh.hoist.security.BaseAuthenticationService} if
+ * an incoming request cannot be successfully Authenticated.
+ *
+ * Instances of this exception will be sent to clients with HttpStatus 401 ('Unauthorized').
+ */
+class NotAuthenticatedException extends HttpException implements RoutineException {
+    NotAuthenticatedException(String s = 'Not Authenticated') {
+        super(s, null, SC_UNAUTHORIZED)
+    }
+}
diff --git a/src/main/groovy/io/xh/hoist/exception/NotAuthorizedException.groovy b/src/main/groovy/io/xh/hoist/exception/NotAuthorizedException.groovy
@@ -12,12 +12,11 @@ import static org.apache.hc.core5.http.HttpStatus.SC_FORBIDDEN
 /**
  * Exception for use when the authenticated user does not have access to the resource in question.
  *
- * This exception is thrown by Hoist's {@link io.xh.hoist.security.BaseAuthenticationService} if
- * an authenticated user is not found and by {@link io.xh.hoist.security.AccessInterceptor} if an
+ * This exception is thrown by Hoist's by {@link io.xh.hoist.security.AccessInterceptor} if an
  * authenticated user does not have roles required by a controller's `@Access` annotation.
  *
  * Applications may also throw this exception, or subclasses of it, directly in response to requests
- * they cannot fulfill due to auth-related constraints.
+ * they cannot fulfill due to authorization-related constraints.
  *
  * Instances of this exception will be sent to clients with HttpStatus 403 ('Forbidden').
  */

diff --git a/src/main/groovy/io/xh/hoist/security/BaseAuthenticationService.groovy b/src/main/groovy/io/xh/hoist/security/BaseAuthenticationService.groovy
@@ -9,6 +9,7 @@ package io.xh.hoist.security
 import groovy.transform.CompileStatic
 import io.xh.hoist.BaseService
 import io.xh.hoist.exception.HttpException
+import io.xh.hoist.exception.NotAuthenticatedException
 import io.xh.hoist.exception.NotAuthorizedException
 import io.xh.hoist.user.HoistUser
 import io.xh.hoist.user.IdentityService
@@ -114,7 +115,7 @@ abstract class BaseAuthenticationService extends BaseService {
             }
 
             if (!identityService.findAuthUser(request)) {
-                throw new NotAuthorizedException()
+                throw new NotAuthenticatedException()
             }
 
             return true