0

I am working on a JWT authentication service that needs to provide a JWT token to an Angular client app, and I have the following dilemma:

What should the service return when bad credentials are provided:

  1. {token: null}, or
  2. 401 Not Authorized HTTP message

Does that make any difference where security is concerned?

milosdju

1 Answer

2

The service can return both a text message and a 401 header:

HTTP/1.1 401 Unauthorized
Content-Type: application/json

{
  "error": "unauthorized"
}

In PHP, this can be done with:

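<?php
// Set the status code and content type before any output is sent;
// headers can no longer be changed once the body has started.
http_response_code(401);
header('Content-Type: application/json');
echo json_encode(["error" => "Not Authorized"]);
exit;
?>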

Sometimes I even prefer to return a 404 from the server; a "not authorized" response to the browser can tell the caller that they are on the right track even when sending a bad token.

Luis Gar
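The 401 option from the answer above, worked through as an added example that is not part of the original post: a PHP login handler that returns the identical 401 body whether the user is unknown or the password is wrong, so the response does not reveal which check failed, and issues an HS256 token only on success. The secret, user store, request field names (`username`, `password`) and claims are constructed for illustration.

```php
<?php
// Added example, not from the original post. Secret, user store and field names are constructed.
const JWT_SECRET = 'constructed-demo-secret';

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Minimal HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256).
function issue_token(string $sub, int $ttl = 900): string {
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode(['sub' => $sub, 'exp' => time() + $ttl]));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", JWT_SECRET, true));
    return "$header.$payload.$sig";
}

// Returns [status, body]. Every failure path produces the identical 401 body.
function login(array $users, string $dummyHash, $user, $pass): array {
    if (!is_string($user) || !is_string($pass)) {
        $user = $pass = '';
    }
    $hash = $users[$user] ?? null;
    // Unknown users are checked against a dummy hash so both failure paths do similar work.
    $ok = password_verify($pass, $hash ?? $dummyHash) && $hash !== null;
    return $ok
        ? [200, ['token' => issue_token($user)]]
        : [401, ['error' => 'unauthorized']];
}

function send(int $status, array $body): void {
    http_response_code($status);              // status and headers before any output
    header('Content-Type: application/json');
    header('Cache-Control: no-store');        // keep tokens out of caches
    echo json_encode($body);
}

// Constructed sample user store; a real service would load hashes from its database.
$users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
$dummy = password_hash('unused-dummy-password', PASSWORD_DEFAULT);

$in = json_decode(file_get_contents('php://input') ?: '', true);
if (!is_array($in)) {
    $in = [];
}
[$status, $body] = login($users, $dummy, $in['username'] ?? null, $in['password'] ?? null);
send($status, $body);
```

With the status code carrying the outcome, the Angular client can handle the failure in its HTTP error path instead of inspecting a 200 body for a null token.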