Which HTTP status code should I respond with after authenticating the user and then finding out that they have not activated their account after registration?
401 Unauthorized is the status code to return when the client provides no credentials or invalid credentials. 403 Forbidden is the status code to return when a client has valid credentials but not enough privileges to perform an action on a resource.
The HyperText Transfer Protocol (HTTP) 401 Unauthorized response status code indicates that the client request has not been completed because it lacks valid authentication credentials for the requested resource.
401 means that the user is unknown (not authenticated at all or authenticated incorrectly, e.g. the credentials are invalid).
403 means that the user is known but not authorized (i.e. doesn't have the proper role/group).
You could also interpret a registered but inactivated account as a user having a specific role like "INACTIVE" and/or lacking the proper role. 403 is more appropriate in your particular case.
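The 401-versus-403 decision described in that answer, as an added example that is not part of the original answer: a small request handler backed by a constructed in-memory user store (names, passwords and the `realm` are assumptions) that returns 401 with a `WWW-Authenticate` challenge when the client is unknown, 403 when the credentials are valid but the account is not activated, and 200 otherwise.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class User:
    password_hash: bytes
    active: bool


# Constructed sample store for the example; a real system would use a slow, salted hash.
USERS = {
    "alice": User(hashlib.sha256(b"alice-pw").digest(), active=True),
    "bob": User(hashlib.sha256(b"bob-pw").digest(), active=False),  # registered, not activated
}


def decide_status(headers: dict) -> tuple[int, dict, str]:
    """Map a request's Authorization header to (status, response headers, body).

    401: no, malformed, or wrong credentials (the client is unknown).
    403: valid credentials, but the account is not activated (known, not allowed).
    200: authenticated and active.
    """
    challenge = {"WWW-Authenticate": 'Basic realm="example"'}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, challenge, "authentication required"
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return 401, challenge, "malformed credentials"
    username, _, password = decoded.partition(":")
    user = USERS.get(username)
    # Hash and compare even for unknown names so timing does not reveal which names exist.
    supplied = hashlib.sha256(password.encode()).digest()
    expected = user.password_hash if user else hashlib.sha256(b"").digest()
    if user is None or not hmac.compare_digest(supplied, expected):
        return 401, challenge, "invalid credentials"
    if not user.active:
        # Identity is established, so no challenge: re-sending credentials will not help.
        return 403, {}, "account not activated"
    return 200, {}, f"welcome {username}"


def basic_header(username: str, password: str) -> dict:
    """Build the Authorization header a client would send for HTTP Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}
```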