From 28c9f29340a41b2b6b4e1c16d6391932e6c4deff Mon Sep 17 00:00:00 2001 From: Austin McGee <947888+amcgee@users.noreply.github.com> Date: Mon, 30 Sep 2024 10:03:35 +0200 Subject: [PATCH] fix: use 403 for authorization errors 401 is called "unauthorized" but this is a bug in the HTTP spec - see https://stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses 403 should be used if a user is correctly authenticated but does not have sufficient permission to perform an action --- server/src/routes/v1/apps/handlers/createAppVersion.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/src/routes/v1/apps/handlers/createAppVersion.js b/server/src/routes/v1/apps/handlers/createAppVersion.js index 03c0550e5..3f58d5425 100644 --- a/server/src/routes/v1/apps/handlers/createAppVersion.js +++ b/server/src/routes/v1/apps/handlers/createAppVersion.js @@ -73,7 +73,7 @@ module.exports = { isManager || userApps.map(app => app.app_id).indexOf(appId) !== -1 if (!userCanEditApp) { - throw Boom.unauthorized() + throw Boom.forbidden() } const versionPayload = request.payload.version
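Review bot: The denial at `throw Boom.forbidden()` carries no message and, as far as the hunk shows, is not logged, so a rejected attempt to create a version for an app the caller does not own leaves nothing for detection or support to work from. Consider `throw Boom.forbidden('You do not have permission to add versions to this app')` and a log line with the requesting user and `appId` just before it. Since the patch touches only this file, any test or client code that keyed off 401 for this route presumably needs the same update, and other handlers that make the same ownership check may still return 401; both are worth checking. As a style point, the ownership test above the `if` would read more directly as `userApps.some(app => app.app_id === appId)` than as `map(...).indexOf(appId) !== -1`. The handler body starts and ends outside the hunk.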