New to Tyk. Currently using cloud.
I’ve set up an API and generated a key.
If I use that key as the auth header and request against that API I get 200 OK, which is cool.
If, however, I use a different made-up key, or indeed delete the key, I get 403 Forbidden, which I see as a problem.
TL;DR is there a way to change 403 to 401 on key not found?
When integrating with my application I use 403 Forbidden when an authenticated user attempts to access an unauthorized resource, e.g. a normal user attempting to access an admin-only resource. On a 403 response the user is shown a message explaining that the resource is locked for them and they need to contact someone if they want access.
However, I would expect that if a request arrives and the auth key is not known then the result is 401 Unauthenticated. The user is not being forbidden from accessing the resource; I simply don’t know who the user is at all! The result of this would be the user being kicked back to the login screen and asked to log in again, i.e. re-authenticate so I know who you are before deciding if you’re allowed the resource.
The issue arises when a previously authenticated user is using the application with a key issued by Tyk. If our admins decide that user is acting nefariously they could delete the key from Tyk’s storage. Tyk now starts responding with 403s, forbidding the user access to any resource, when in actuality it should respond with 401s indicating the system no longer knows who the user is and they need to log in again.
Is there a way to change the default behaviour of 403 on key not found to 401?
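The 401-versus-403 distinction argued in this post, as an added illustration in Go (not Tyk's code or configuration, and not a way to change Tyk's setting): a minimal gateway-style middleware with a constructed in-memory key store, where an unknown or deleted key yields 401 with a challenge and only a known key with insufficient rights yields 403. The /admin/ path convention, the Authorization header name and the Bearer challenge are assumptions.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// keyStore is a constructed in-memory stand-in for the gateway's key storage,
// mapping key -> "owner is admin" (not Tyk's real key format).
var keyStore = map[string]bool{
	"user-key-1":  false,
	"admin-key-1": true,
}

// authStatus encodes the semantics argued for above: 401 when the key is unknown
// (no identity, so re-authenticate), 403 only when a known identity lacks rights.
func authStatus(key string, adminOnly bool) int {
	isAdmin, known := keyStore[key]
	if !known {
		return http.StatusUnauthorized
	}
	if adminOnly && !isAdmin {
		return http.StatusForbidden
	}
	return http.StatusOK
}
// authMiddleware applies authStatus to each request; paths under /admin/ are admin-only.
func authMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch authStatus(r.Header.Get("Authorization"), strings.HasPrefix(r.URL.Path, "/admin/")) {
		case http.StatusUnauthorized:
			w.Header().Set("WWW-Authenticate", `Bearer realm="api"`) // RFC 7235: a 401 carries a challenge
			http.Error(w, "unknown key, please log in again", http.StatusUnauthorized)
		case http.StatusForbidden:
			http.Error(w, "resource locked for this user", http.StatusForbidden)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

// requestStatus runs one in-process request through the middleware and returns the client-visible status.
func requestStatus(key, path string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	rr := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", key)
	authMiddleware(ok).ServeHTTP(rr, req)
	return rr.Code
}
```

Deleting an entry from keyStore turns that key's 200s into 401s rather than 403s, which is the behaviour the post asks for.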