What HTTP status code for unactivated account?

Solution 1

401 means that the user is unknown (not authenticated at all or authenticated incorrectly, e.g. the credentials are invalid).
403 means that the user is known but not authorized (i.e. doesn't have the proper role/group).

You could also interpret a registered but inactivated account as a user having a specific role like "INACTIVE" and/or lacking the proper role. 403 is more appropriate in your particular case.

Solution 2

@Josh Davenport: You described authorization and authentication in each other's place: authentication is credential checking, authorization is role/group assignment.

On the other hand, as you stated in a comment to yourself, 401 assumes both failed authentication and authorization in one go. The user needs to fail both to get 401. 403 is used in cases where data is completely Forbidden and authentication is not performed/necessary at all.

As an analogy: 401 = checkpoint where credentials are checked. 403 = STOP sign, can't enter.

To answer the question of the OP: 401 is logically the status code for an unactivated account, BUT since it requires an HTTP-Auth implementation, 403 might be used instead of it if you are authenticating and authorizing by other means. I personally would still stick to 401, since standards don't necessarily cover all real-life situations. Nowadays almost no one uses HTTP-Auth for authentication purposes.

Solution 3

If you deem that an account that has not been activated should not be authorised, then the response should surely have a 401 Unauthorized status code.

I think a 403 Forbidden would also be appropriate, yes. However in your case I think 401 Unauthorized is more appropriate.

This answer summarises the two quite well, quoting this for 401 Unauthorized:

If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.

That certainly applies, as your case suggests they have provided credentials but those credentials aren't valid as the account has not been activated (which you deem as unauthorized).
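The three answers above disagree on one branch only: what to return once the password has checked out but the account was never activated. The following is an added example, not code from any answer or from the question author; it assumes HTTP Basic authentication, a hypothetical in-memory user store with constructed salts and passwords, and hypothetical function names (`respond`, `authenticate`, `parse_basic`, `basic_header`). It maps every outcome to a status and lets you pick either the 403 branch (Solution 1) or the 401 branch (Solutions 2 and 3) for the inactive case, while keeping the parts both camps agree on: a missing or invalid credential is always 401 with a `WWW-Authenticate` challenge, and unknown user versus wrong password are indistinguishable to the client.

```python
import base64
import hashlib
import hmac

# Everything below is a constructed example: the user store, salts and
# passwords are hypothetical and exist only to make the block runnable.

PBKDF2_ROUNDS = 20_000  # kept low so the demo runs quickly; use far more in production


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


_SALT_ALICE = b"demo-salt-alice"
_SALT_BOB = b"demo-salt-bob"
_DUMMY_SALT = b"demo-salt-dummy"
_DUMMY_HASH = _hash_password("", _DUMMY_SALT)

# username -> record. "bob" registered but never followed the activation link.
USERS = {
    "alice": {"salt": _SALT_ALICE, "hash": _hash_password("correct horse", _SALT_ALICE), "active": True},
    "bob": {"salt": _SALT_BOB, "hash": _hash_password("battery staple", _SALT_BOB), "active": False},
}

# RFC 7235 requires a WWW-Authenticate header on every 401 response.
CHALLENGE = {"WWW-Authenticate": 'Basic realm="api"'}


def basic_header(user: str, password: str) -> dict:
    """Build the request header a client would send (used by the demo and tests)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def parse_basic(value):
    """Return (user, password) from a 'Basic <base64>' header value, or None if malformed."""
    if not value or not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(user: str, password: str):
    """Return the user record if the password matches, else None.

    The hash is always computed, against a dummy record when the user is unknown,
    so response time does not reveal which usernames exist."""
    rec = USERS.get(user)
    salt = rec["salt"] if rec else _DUMMY_SALT
    expected = rec["hash"] if rec else _DUMMY_HASH
    matches = hmac.compare_digest(_hash_password(password, salt), expected)
    return rec if (matches and rec is not None) else None


def respond(headers: dict, inactive_status: int = 403):
    """Map the authentication/activation outcome to (status, response headers, body).

    inactive_status=403 follows Solution 1 (authenticated, but not permitted yet);
    inactive_status=401 follows Solutions 2 and 3 (treat the credentials as refused)."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, dict(CHALLENGE), "authentication required"
    rec = authenticate(*creds)
    if rec is None:
        # Same status and body for unknown user and wrong password: no enumeration.
        return 401, dict(CHALLENGE), "invalid credentials"
    if not rec["active"]:
        if inactive_status == 401:
            return 401, dict(CHALLENGE), "account not activated"
        return 403, {}, "account not activated"
    return 200, {}, "ok"


if __name__ == "__main__":
    for who, pw in [("alice", "correct horse"), ("bob", "battery staple"), ("alice", "nope"), ("eve", "x")]:
        print(who, respond(basic_header(who, pw)))
    print("no header", respond({}))
```

Two practical points regardless of which status you choose for the inactive branch: a 401 must carry `WWW-Authenticate`, so if you are not using an HTTP auth scheme you have nothing valid to put there, which is the argument for 403; and telling the client "not activated" only after the password has verified does not help an unauthenticated attacker enumerate accounts, because the unknown-user and wrong-password paths stay identical.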

Author: Johnathan Au

Updated on April 11, 2020

Comments

  • Johnathan Au, about 4 years:

    Which HTTP status code should I respond with after authenticating the user and then finding out that they have not activated their account after registration?

  • Johnathan Au, about 11 years:

    Wouldn't your previous answer, 403 Forbidden, be more appropriate? Since 401 assumes the user entered the wrong credentials...which they haven't. P.S. you got a nice website

  • Josh Davenport-Smith, about 11 years:

    @JohnathanAu Perhaps. However, I don't think that 401 assumes that given credentials are necessarily wrong, just unauthorized.