Prompt
When implementing authentication and authorization systems, use semantically correct HTTP status codes to accurately convey the nature of security-related failures. This improves API security by providing accurate information to clients without exposing unnecessary details.
Specifically:
- Use 403 Forbidden when a user is authenticated but lacks authorization (e.g., inactive user, insufficient permissions)
- Use 401 Unauthorized for authentication failures (invalid or missing credentials)
- Use 400 Bad Request only for malformed client requests
Example implementation:
async def get_current_active_user(current_user: User = Depends(get_current_user)):
if current_user.disabled:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN, detail="Inactive user"
)
return current_user
This approach follows REST principles and improves security by providing consistent and accurate status codes that properly communicate authorization states without revealing implementation details.