change response code for missing cookie to 403, forbidden - issue #835, issue #1056

1ee3b5f7 · Lloyd Hilaiel · 4e80f218 · 1ee3b5f7 · 1ee3b5f7
Commit 1ee3b5f7 authored 13 years ago by Lloyd Hilaiel
--- a/lib/wsapi.js
+++ b/lib/wsapi.js
@@ -182,7 +182,7 @@ exports.setup = function(options, app) {

                if (req.session === undefined || typeof req.session.csrf !== 'string') { // there must be a session
                  logger.warn("POST calls to /wsapi require a cookie to be sent, this user may have cookies disabled");
-                  return httputils.badRequest(resp, "no cookie");
+                  return httputils.forbidden(resp, "no cookie");
                }

                // and the token must match what is sent in the post body

--- a/tests/no-cookie-test.js
+++ b/tests/no-cookie-test.js
@@ -88,10 +88,10 @@ suite.addBatch({
      }));
      req.end();
    },
-    "returns a 400 with 'no cookie' as the body": function(err, r) {
+    "returns a 403 with 'no cookie' as the body": function(err, r) {
      assert.equal(err, null);
-      assert.equal(r.code, 400);
-      assert.equal(r.body, 'Bad Request: no cookie');
+      assert.equal(r.code, 403);
+      assert.equal(r.body, 'Forbidden: no cookie');
    }
  }
 });