From 3e55057a8574af83e42ec96041283111e34ef7d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20Sch=C3=A4fer?= <jonas@wielicki.name>
Date: Tue, 19 Oct 2021 16:37:32 +0200
Subject: mod_http_file_share: return 401 instead of 403 if authentication
 failed

This is as per the HTTP standards [1]. Thankfully, the REQUIRED
www-authenticate header is already generated by the code.

   [1]: https://datatracker.ietf.org/doc/html/rfc7235#section-3.1
---
 plugins/mod_http_file_share.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/mod_http_file_share.lua b/plugins/mod_http_file_share.lua
index 55b24b91..b05dd742 100644
--- a/plugins/mod_http_file_share.lua
+++ b/plugins/mod_http_file_share.lua
@@ -249,7 +249,7 @@ function handle_upload(event, path) -- PUT /upload/:slot
 	if not authz then
 		module:log("debug", "Missing or malformed Authorization header");
 		event.response.headers.www_authenticate = "Bearer";
-		return 403;
+		return 401;
 	end
 	local authed, upload_info = jwt.verify(secret, authz);
 	if not (authed and type(upload_info) == "table" and type(upload_info.exp) == "number") then
-- 
cgit v1.2.3