It seems the DefaultAuthorizationPostListener is changing the status to 403 even when an authentication challenge response with a 401 status code is set.
The following piece of code probably needs to be added:
Having the same problem when using zf-mvc-auth in Apigility:
There instead of the DefaultAuthorizationPostListener the problem is within the ZF\Apigility\MvcAuth\UnauthorizedListener which doesn't check if a user is authenticated or not e.g. by doing something simple like:
```php
$status = 403;
// Requests that never authenticated carry a GuestIdentity; answer those with a 401 challenge rather than a 403 denial.
if ($mvcAuthEvent->getIdentity() instanceof \ZF\MvcAuth\Identity\GuestIdentity) {
    $status = 401;
}
$response = new ApiProblemResponse(new ApiProblem($status, 'Forbidden'));
```
The DefaultAuthorizationPostListener wasn't even called in my debugging cases as the UnauthorizedListener is called before and already returns a response which cancels the EVENT_AUTHORIZATION_POST. But in cases without Apigility the DefaultAuthorizationPostListener could probably do something similar.
I guess I'll add my own listener with higher priority or replace the UnauthorizedListener as there are multiple other issues and closed pull requests with the same unresolved problem. (#97, #106, #107, #127)
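As an added example (not code from zf-mvc-auth, Apigility, or either commenter), here is what such a replacement listener could look like: it returns 401 for a guest identity and 403 for an authenticated identity that the ACL rejected, and is attached ahead of the stock listener. The class name, namespace and the priority value of 1000 are assumptions.

```php
<?php
// Added example: a listener that separates "not authenticated" (401) from
// "authenticated but not allowed" (403). Class name, namespace and the
// priority value are assumptions, not values from the project.
namespace App\MvcAuth;

use Zend\EventManager\EventManagerInterface;
use ZF\ApiProblem\ApiProblem;
use ZF\ApiProblem\ApiProblemResponse;
use ZF\MvcAuth\Identity\GuestIdentity;
use ZF\MvcAuth\MvcAuthEvent;

class UnauthorizedOrUnauthenticatedListener
{
    public function __invoke(MvcAuthEvent $mvcAuthEvent)
    {
        // Nothing to do when authorization succeeded.
        if ($mvcAuthEvent->isAuthorized()) {
            return;
        }

        // A GuestIdentity means no credentials were accepted, so the right
        // answer is a 401 challenge, not a 403 denial. A 401 is expected to
        // carry a WWW-Authenticate header; the authentication adapter's
        // challenge response is what normally supplies it.
        if ($mvcAuthEvent->getIdentity() instanceof GuestIdentity) {
            return new ApiProblemResponse(new ApiProblem(401, 'Unauthorized'));
        }

        // Authenticated, but the ACL rejected this identity for this resource.
        return new ApiProblemResponse(new ApiProblem(403, 'Forbidden'));
    }

    /**
     * Attach with a priority above the stock UnauthorizedListener so this
     * listener runs first; returning a response short-circuits the event,
     * exactly as the original listener does.
     */
    public static function attach(EventManagerInterface $events, $priority = 1000)
    {
        $events->attach(MvcAuthEvent::EVENT_AUTHORIZATION_POST, new self(), $priority);
    }
}
```

Call `UnauthorizedOrUnauthenticatedListener::attach($e->getApplication()->getEventManager())` from a module's `onBootstrap()` so it is registered on the same event manager the MvcAuth events are triggered on.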
Originally posted by @JeSuisAlrick at zfcampus/zf-mvc-auth#109