A 403 returned by this authentication scheme might indicate that the signature is invalid, or that the user doesn't have sufficient permissions.
DRF suggests raising an AuthenticationFailed for a bad signature, resulting in a 401 response (and not bothering to do the permissions check), leaving a 403 to indicate that the user was authenticated but has insufficient permissions. Further, an authenticate_header method could implement a WWW-Authenticate header in the 401 response with signature implementation instructions. i believe this potential exists in all the 3.x DRF releases.
Would that be a welcome PR? i recognize that it could break users' integration tests expecting the current "403" behavior.
A
403returned by this authentication scheme might indicate that the signature is invalid, or that the user doesn't have sufficient permissions.DRF suggests raising an
AuthenticationFailedfor a bad signature, resulting in a401response (and not bothering to do the permissions check), leaving a403to indicate that the user was authenticated but has insufficient permissions. Further, anauthenticate_headermethod could implement aWWW-Authenticateheader in the 401 response with signature implementation instructions. i believe this potential exists in all the 3.x DRF releases.Would that be a welcome PR? i recognize that it could break users' integration tests expecting the current "403" behavior.