use 403 in the response

Signed-off-by: Huabing Zhao <[email protected]>

Author: zhaohuabing

internal/mcpproxy/handlers.go

@@ -543,7 +543,7 @@ func (m *MCPProxy) handleToolCallRequest(ctx context.Context, s *session, w http
 	// Enforce authentication if required by the route.
 	if route.authorization != nil {
 		if !m.authorizeRequest(route.authorization, headers, backendName, toolName, p.Arguments) {
-			onErrorResponse(w, http.StatusUnauthorized, "authorization failed")
+			onErrorResponse(w, http.StatusForbidden, "authorization failed")
 			return fmt.Errorf("authorization failed")
 		}
 	}

tests/e2e/mcp_route_authorization_test.go

@@ -138,7 +138,7 @@ func TestMCPRouteAuthorization(t *testing.T) {
 		})
 		require.Error(t, err)
 		errMsg := strings.ToLower(err.Error())
-		require.True(t, strings.Contains(errMsg, "401") || strings.Contains(errMsg, "authorization"), "unexpected error: %v", err)
+		require.True(t, strings.Contains(errMsg, "403") || strings.Contains(errMsg, "authorization"), "unexpected error: %v", err)
 	})
 
 	t.Run("missing scopes fall back to deny", func(t *testing.T) {
@@ -165,7 +165,7 @@ func TestMCPRouteAuthorization(t *testing.T) {
 		})
 		require.Error(t, err)
 		errMsg := strings.ToLower(err.Error())
-		require.True(t, strings.Contains(errMsg, "401") || strings.Contains(errMsg, "authorization"), "unexpected error: %v", err)
+		require.True(t, strings.Contains(errMsg, "403") || strings.Contains(errMsg, "authorization"), "unexpected error: %v", err)
 	})
 }