From 1b145791e5f7f59816e83b0f542c4cba63bdba31 Mon Sep 17 00:00:00 2001
From: dogeystamp
Date: Wed, 5 Jul 2023 21:22:14 -0400
Subject: [PATCH] /users/password: return 403 on auth failure
---
 docs/authentication.rst | 1 +
 sachet/server/users/views.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/docs/authentication.rst b/docs/authentication.rst
index 0795e89..9e8f45b 100644
--- a/docs/authentication.rst
+++ b/docs/authentication.rst
@@ -123,3 +123,4 @@ Use the following request body:
 }
 Send the user's current password in ``old``, and Sachet will change it to the password in ``new``.
+If the password is wrong, Sachet will return a ``403``.
diff --git a/sachet/server/users/views.py b/sachet/server/users/views.py
index 3c40aa9..29f29b8 100644
--- a/sachet/server/users/views.py
+++ b/sachet/server/users/views.py
@@ -117,7 +117,7 @@ class PasswordAPI(MethodView):
 "message": "Invalid 'old' password.",
 }
 ),
- 400,
+ 403,
 )
 else:
 auth_user.password = auth_user.gen_hash(new_psswd)
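Review bot: The wrong-`old`-password branch of `PasswordAPI` in `sachet/server/users/views.py` now answers 403, but the diffstat lists only the docs file and `views.py`, so no test in this commit pins the new status. A test that submits a wrong `old` value and asserts `resp.status_code == 403` would keep the documented contract from regressing. This branch is also an authentication failure by a caller who already holds a valid session, and nothing visible in the hunk records or limits repeated failures. If the login path has attempt limiting or audit logging, this path presumably needs the same; confirm against the rest of the method, which starts and ends outside the hunk. A short comment above the status, such as `# 403: session is valid, but the caller did not prove knowledge of the current password`, would explain why this is not a 400 or 401.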