DMP-5162 Better differentiate between 403 and 401 errors (#2982)

Dave Thompson · karen-hedges · web-flow · commit 6afba99805a2 · 2025-08-12T18:44:15.000+01:00
Co-authored-by: karen-hedges &lt;133129444+karen-hedges@users.noreply.github.com&gt;
diff --git a/src/integrationTest/java/uk/gov/hmcts/darts/audio/controller/AudioRequestsControllerAddAudioRequestDownloadIntTest.java b/src/integrationTest/java/uk/gov/hmcts/darts/audio/controller/AudioRequestsControllerAddAudioRequestDownloadIntTest.java
@@ -87,7 +87,7 @@ void beforeEach() {
     }
 
     @Test
-    void addAudioRequestPostShouldReturnForbiddenError() throws Exception {
+    void addAudioRequestPost_shouldReturn401Error_whenUserNotFound() throws Exception {
 
         when(mockUserIdentity.getUserAccount()).thenReturn(null);
 
@@ -97,7 +97,7 @@ void addAudioRequestPostShouldReturnForbiddenError() throws Exception {
             .header("Content-Type", "application/json")
             .content(objectMapper.writeValueAsString(audioRequestDetails));
 
-        mockMvc.perform(requestBuilder).andExpect(status().isForbidden());
+        mockMvc.perform(requestBuilder).andExpect(status().isUnauthorized());
     }
 
     @Test
diff --git a/src/integrationTest/java/uk/gov/hmcts/darts/audio/controller/AudioRequestsControllerAddAudioRequestPlaybackIntTest.java b/src/integrationTest/java/uk/gov/hmcts/darts/audio/controller/AudioRequestsControllerAddAudioRequestPlaybackIntTest.java
@@ -86,7 +86,7 @@ void beforeEach() {
     }
 
     @Test
-    void addAudioRequestPostShouldReturnForbiddenError() throws Exception {
+    void addAudioRequestPost_shouldReturn401Error_whenNoUserAccount() throws Exception {
 
         when(mockUserIdentity.getUserAccount()).thenReturn(null);
 
@@ -96,7 +96,7 @@ void addAudioRequestPostShouldReturnForbiddenError() throws Exception {
             .header("Content-Type", "application/json")
             .content(objectMapper.writeValueAsString(audioRequestDetails));
 
-        mockMvc.perform(requestBuilder).andExpect(status().isForbidden());
+        mockMvc.perform(requestBuilder).andExpect(status().isUnauthorized());
     }
 
     @Test
diff --git a/src/integrationTest/java/uk/gov/hmcts/darts/authentication/controller/impl/TokenValidatorTest.java b/src/integrationTest/java/uk/gov/hmcts/darts/authentication/controller/impl/TokenValidatorTest.java
@@ -115,7 +115,7 @@ void testInactiveUserCheck() throws Exception {
 
         mockMvc.perform(get(ENDPOINT_URL).header("Authorization", "Bearer " + tokenDetails.getToken()))
             .andExpect(status().isForbidden())
-            .andExpect(content().json("{\"type\":\"AUTHORISATION_106\",\"title\":\"Could not obtain user details\",\"status\":403}"))
+            .andExpect(content().json("{\"type\":\"AUTHORISATION_114\",\"title\":\"User is not active\",\"status\":403}"))
             .andReturn();
     }
 
diff --git a/src/integrationTest/java/uk/gov/hmcts/darts/authorisation/controller/AuthorisationControllerIntTest.java b/src/integrationTest/java/uk/gov/hmcts/darts/authorisation/controller/AuthorisationControllerIntTest.java
@@ -465,7 +465,7 @@ void getUserStateShouldSucceedWhenUserHasADiverseSetOfAssignedGroups() throws Ex
 
     @Test
     @WithMockSecurityContextWithEmailAddress(emailAddress = EMAIL_ADDRESS)
-    void getUserStateShouldFailWhenUserIsInactive() throws Exception {
+    void getUserState_shouldReturn403Error_whenUserIsInactive() throws Exception {
         // Given
         createAndSaveUser(EMAIL_ADDRESS, false);
 
@@ -478,8 +478,8 @@ void getUserStateShouldFailWhenUserIsInactive() throws Exception {
         // Then
         JSONAssert.assertEquals("""
                                     {
-                                      "type": "AUTHORISATION_106",
-                                      "title": "Could not obtain user details",
+                                      "type": "AUTHORISATION_114",
+                                      "title": "User is not active",
                                       "status": 403
                                     }""",
                                 mvcResult.getResponse().getContentAsString(),
@@ -489,22 +489,22 @@ void getUserStateShouldFailWhenUserIsInactive() throws Exception {
 
     @Test
     @WithMockSecurityContextWithEmailAddress(emailAddress = "unknown@test.com")
-    void getUserStateShouldFailWhenUserEmailDoesNotExistInDatabase() throws Exception {
+    void getUserState_shouldReturn401Error_whenUserEmailDoesNotExistInDatabase() throws Exception {
         // Given
         createAndSaveUser(EMAIL_ADDRESS, true);
 
         // When
         MvcResult mvcResult = mockMvc.perform(
                 get(ENDPOINT))
-            .andExpect(status().isForbidden())
+            .andExpect(status().isUnauthorized())
             .andReturn();
 
         // Then
         JSONAssert.assertEquals("""
                                     {
                                       "type": "AUTHORISATION_106",
                                       "title": "Could not obtain user details",
-                                      "status": 403
+                                      "status": 401
                                     }""",
                                 mvcResult.getResponse().getContentAsString(),
                                 JSONCompareMode.NON_EXTENSIBLE
diff --git a/src/integrationTest/java/uk/gov/hmcts/darts/cases/controller/CaseControllerGetAnnotationsIntTest.java b/src/integrationTest/java/uk/gov/hmcts/darts/cases/controller/CaseControllerGetAnnotationsIntTest.java
@@ -207,6 +207,16 @@ void givenSuperUserReturnForbidden() throws Exception {
         verifyNoMoreInteractions(mockUserIdentity);
     }
 
+    @Test
+    void casesGetAnnotationsEndpoint_shouldReturn401Error_whenUserNotFound() throws Exception {
+        CourtCaseEntity courtCaseEntity = dartsDatabase.createCase("Bristol", "case1");
+
+        mockMvc.perform(get("/cases/" + courtCaseEntity.getId() + "/annotations")
+                            .header("user_id", "9999999999"))
+
+            .andExpect(status().isUnauthorized());
+    }
+
     @Test
     void givenUserRequestsNonExistingHearingThenReturn404() throws Exception {
         UserAccountEntity testUser = dartsDatabase.getUserAccountStub()
diff --git a/src/integrationTest/java/uk/gov/hmcts/darts/cases/controller/CaseControllerGetCaseByIdTest.java b/src/integrationTest/java/uk/gov/hmcts/darts/cases/controller/CaseControllerGetCaseByIdTest.java
@@ -63,13 +63,13 @@ private void setupData() {
     }
 
     @Test
-    void casesSearchGetEndpointShouldReturnForbiddenError() throws Exception {
+    void casesSearchGetEndpoint_shouldReturn401Error_whenUserNotFound() throws Exception {
         setupData();
         when(mockUserIdentity.getUserAccount()).thenReturn(null);
 
         MockHttpServletRequestBuilder requestBuilder = get(endpointUrl, getCaseId(SOME_CASE_NUMBER, SOME_COURTHOUSE));
 
-        mockMvc.perform(requestBuilder).andExpect(status().isForbidden());
+        mockMvc.perform(requestBuilder).andExpect(status().isUnauthorized());
     }
 
     @Test
diff --git a/src/integrationTest/java/uk/gov/hmcts/darts/cases/controller/CaseControllerGetCaseHearingsTest.java b/src/integrationTest/java/uk/gov/hmcts/darts/cases/controller/CaseControllerGetCaseHearingsTest.java
@@ -78,7 +78,7 @@ void setUp() {
     }
 
     @Test
-    void caseHearingsGetEndpointShouldReturnForbidden() throws Exception {
+    void caseHearingsGet_shouldReturn401Error_whenUserNotFound() throws Exception {
         Mockito.reset(authentication);
 
         // a user that does not exist in the db
@@ -90,12 +90,12 @@ void caseHearingsGetEndpointShouldReturnForbidden() throws Exception {
 
         MockHttpServletRequestBuilder requestBuilder = get(endpointUrl, hearingEntity.getCourtCase().getId());
 
-        MvcResult response = mockMvc.perform(requestBuilder).andExpect(status().isForbidden()).andReturn();
+        MvcResult response = mockMvc.perform(requestBuilder).andExpect(status().isUnauthorized()).andReturn();
 
         String actualResponse = response.getResponse().getContentAsString();
 
         String expectedResponse = """
-            {"type":"AUTHORISATION_106","title":"Could not obtain user details","status":403}
+            {"type":"AUTHORISATION_106","title":"Could not obtain user details","status":401}
             """;
         JSONAssert.assertEquals(expectedResponse, actualResponse, JSONCompareMode.NON_EXTENSIBLE);
     }
@@ -252,7 +252,7 @@ void caseHearingsWithInactiveUser() throws Exception {
         MockHttpServletRequestBuilder requestBuilder = get(endpointUrl, hearingEntity.getCourtCase().getId());
 
         mockMvc.perform(requestBuilder).andExpect(status().isForbidden()).andExpect(jsonPath("$.type").value(
-            AuthorisationError.USER_DETAILS_INVALID.getType()));
+            AuthorisationError.USER_NOT_ACTIVE.getType()));
     }
 
 }
diff --git a/src/integrationTest/java/uk/gov/hmcts/darts/cases/controller/CaseControllerGetEventByCaseIdTest.java b/src/integrationTest/java/uk/gov/hmcts/darts/cases/controller/CaseControllerGetEventByCaseIdTest.java
@@ -90,15 +90,15 @@ void setUp() {
     }
 
     @Test
-    void casesGetEventsEndpointShouldReturnForbiddenError() throws Exception {
+    void casesGetEventsEndpoint_shouldReturn401Error_whenNoUserExists() throws Exception {
 
         when(mockUserIdentity.getUserAccount()).thenReturn(null);
 
         MockHttpServletRequestBuilder requestBuilder = get(ENDPOINT_URL, getCaseId(SOME_CASE_NUMBER, SOME_COURTHOUSE))
             .queryParam("page_number", "1")
             .queryParam("page_size", "1");
 
-        mockMvc.perform(requestBuilder).andExpect(MockMvcResultMatchers.status().isForbidden());
+        mockMvc.perform(requestBuilder).andExpect(MockMvcResultMatchers.status().isUnauthorized());
     }
 
     @Test
diff --git a/src/integrationTest/java/uk/gov/hmcts/darts/cases/controller/CaseControllerSearchPostTest.java b/src/integrationTest/java/uk/gov/hmcts/darts/cases/controller/CaseControllerSearchPostTest.java
@@ -503,10 +503,10 @@ void casesSearchPostEndpointJudgeName() throws Exception {
     }
 
     @Test
-    void casesSearchPostEndpointJudgeNameInactive() throws Exception {
-        user = dartsDatabase.getUserAccountStub().createJudgeUser();
+    void casesSearchPost_shouldReturn403Error_whenUserIsInactive() throws Exception {
+        user = dartsDatabase.getUserAccountStub().getIntegrationTestUserAccountEntity();
         user.setActive(false);
-        setupUserAccountAndSecurityGroup(swanseaCourthouse);
+        userAccountRepository.save(user);
 
         String requestBody = """
             {
@@ -521,8 +521,7 @@ void casesSearchPostEndpointJudgeNameInactive() throws Exception {
             .contentType(MediaType.APPLICATION_JSON_VALUE)
             .content(requestBody);
         mockMvc.perform(requestBuilder).andExpect(status().isForbidden()).andExpect(jsonPath("$.type").value(
-            AuthorisationError.USER_DETAILS_INVALID.getType()));
-
+            AuthorisationError.USER_NOT_ACTIVE.getType()));
     }
 
     @Test
diff --git a/src/integrationTest/java/uk/gov/hmcts/darts/common/controller/CourthouseApiTest.java b/src/integrationTest/java/uk/gov/hmcts/darts/common/controller/CourthouseApiTest.java
@@ -289,7 +289,7 @@ void courthousesGet_ThreeCourthousesAssignedToUser() throws Exception {
     }
 
     @Test
-    void courthousesGet_ThreeCourthousesAssignedToUserInactive() throws Exception {
+    void courthousesGet_shouldReturn403Error_whenUserInactive() throws Exception {
         String courthouseName = "courthousetest";
         UserAccountEntity userAccountEntity = userStub.createAuthorisedIntegrationTestUser(false, courthouseName);
         userAccountEntity.setActive(false);
@@ -300,7 +300,7 @@ void courthousesGet_ThreeCourthousesAssignedToUserInactive() throws Exception {
         MockHttpServletRequestBuilder requestBuilder = get("/courthouses")
             .contentType(MediaType.APPLICATION_JSON_VALUE);
         mockMvc.perform(requestBuilder).andExpect(status().isForbidden()).andExpect(jsonPath("$.type").value(
-            AuthorisationError.USER_DETAILS_INVALID.getType()));
+            AuthorisationError.USER_NOT_ACTIVE.getType()));
     }
 
     @Test
diff --git a/src/integrationTest/java/uk/gov/hmcts/darts/hearings/controller/HearingsGetControllerTest.java b/src/integrationTest/java/uk/gov/hmcts/darts/hearings/controller/HearingsGetControllerTest.java
@@ -126,7 +126,7 @@ void errorGetNotFound() throws Exception {
     }
 
     @Test
-    void hearingsGetEndpointShouldReturnForbiddenError() throws Exception {
+    void hearingsGet_shouldReturn401Error_whenUserNotFound() throws Exception {
 
         HearingEntity hearing = dartsDatabase.createHearing(
             "testCourthouse",
@@ -144,13 +144,13 @@ void hearingsGetEndpointShouldReturnForbiddenError() throws Exception {
         MockHttpServletRequestBuilder requestBuilder = get(ENDPOINT_URL, hearing.getId());
 
         MvcResult response = mockMvc.perform(requestBuilder)
-            .andExpect(MockMvcResultMatchers.status().isForbidden())
+            .andExpect(MockMvcResultMatchers.status().isUnauthorized())
             .andReturn();
 
         String actualResponse = response.getResponse().getContentAsString();
 
         String expectedResponse = """
-            {"type":"AUTHORISATION_106","title":"Could not obtain user details","status":403}
+            {"type":"AUTHORISATION_106","title":"Could not obtain user details","status":401}
             """;
         JSONAssert.assertEquals(expectedResponse, actualResponse, JSONCompareMode.NON_EXTENSIBLE);
     }
diff --git a/src/integrationTest/java/uk/gov/hmcts/darts/hearings/controller/HearingsGetEventsControllerTest.java b/src/integrationTest/java/uk/gov/hmcts/darts/hearings/controller/HearingsGetEventsControllerTest.java
@@ -140,20 +140,20 @@ void errorGetNotFound() throws Exception {
     }
 
     @Test
-    void hearingEventsGetEndpointShouldReturnForbiddenError() throws Exception {
+    void hearingEventsGet_shouldReturn401Error_whenUserNotFound() throws Exception {
         transactionalUtil.executeInTransaction(this::setUp);
 
         when(mockUserIdentity.getUserAccount()).thenReturn(null);
 
         MockHttpServletRequestBuilder requestBuilder = get(ENDPOINT_URL, hearingEntity.getId());
         MvcResult response = mockMvc.perform(requestBuilder)
-            .andExpect(MockMvcResultMatchers.status().isForbidden())
+            .andExpect(MockMvcResultMatchers.status().isUnauthorized())
             .andReturn();
 
         String actualResponse = response.getResponse().getContentAsString();
 
         String expectedResponse = """
-            {"type":"AUTHORISATION_106","title":"Could not obtain user details","status":403}
+            {"type":"AUTHORISATION_106","title":"Could not obtain user details","status":401}
             """;
         JSONAssert.assertEquals(expectedResponse, actualResponse, JSONCompareMode.NON_EXTENSIBLE);
 
diff --git a/src/integrationTest/java/uk/gov/hmcts/darts/transcriptions/controller/TranscriptionControllerAttachTranscriptIntTest.java b/src/integrationTest/java/uk/gov/hmcts/darts/transcriptions/controller/TranscriptionControllerAttachTranscriptIntTest.java
@@ -113,7 +113,8 @@ void beforeEach() {
     }
 
     @Test
-    void attachTranscript_shouldReturn403Error_whenUserDoesNotHavePermission() throws Exception {
+    void attachTranscript_shouldReturn401Error_whenUserNotFound() throws Exception {
+
         when(mockUserIdentity.getUserAccount()).thenReturn(null);
 
         MockMultipartFile transcript = new MockMultipartFile(
@@ -128,13 +129,13 @@ void attachTranscript_shouldReturn403Error_whenUserDoesNotHavePermission() throw
                     URL_TEMPLATE,
                     transcriptionId
                 ).file(transcript))
-            .andExpect(status().isForbidden())
+            .andExpect(status().isUnauthorized())
             .andReturn();
 
         String actualResponse = mvcResult.getResponse().getContentAsString();
 
         String expectedResponse = """
-            {"type":"AUTHORISATION_106","title":"Could not obtain user details","status":403}
+            {"type":"AUTHORISATION_106","title":"Could not obtain user details","status":401}
             """;
         JSONAssert.assertEquals(expectedResponse, actualResponse, JSONCompareMode.NON_EXTENSIBLE);
 
diff --git a/src/integrationTest/java/uk/gov/hmcts/darts/transcriptions/controller/TranscriptionControllerDownloadTranscriptIntTest.java b/src/integrationTest/java/uk/gov/hmcts/darts/transcriptions/controller/TranscriptionControllerDownloadTranscriptIntTest.java
@@ -139,7 +139,7 @@ void beforeEach() {
     }
 
     @Test
-    void downloadTranscriptShouldReturnForbiddenError() throws Exception {
+    void downloadTranscript_shouldReturn401Error_whenUserNotFound() throws Exception {
         when(mockUserIdentity.getUserAccount()).thenReturn(null);
 
         MockHttpServletRequestBuilder requestBuilder = MockMvcRequestBuilders.get(URL_TEMPLATE, transcriptionId)
@@ -149,13 +149,13 @@ void downloadTranscriptShouldReturnForbiddenError() throws Exception {
                 "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
             );
         MvcResult mvcResult = mockMvc.perform(requestBuilder)
-            .andExpect(status().isForbidden())
+            .andExpect(status().isUnauthorized())
             .andReturn();
 
         String actualResponse = mvcResult.getResponse().getContentAsString();
 
         String expectedResponse = """
-            {"type":"AUTHORISATION_106","title":"Could not obtain user details","status":403}
+            {"type":"AUTHORISATION_106","title":"Could not obtain user details","status":401}
             """;
         JSONAssert.assertEquals(expectedResponse, actualResponse, JSONCompareMode.NON_EXTENSIBLE);
 
diff --git a/src/main/java/uk/gov/hmcts/darts/authorisation/component/impl/UserIdentityImpl.java b/src/main/java/uk/gov/hmcts/darts/authorisation/component/impl/UserIdentityImpl.java
@@ -22,6 +22,7 @@
 
 import static java.util.Objects.nonNull;
 import static uk.gov.hmcts.darts.authorisation.exception.AuthorisationError.USER_DETAILS_INVALID;
+import static uk.gov.hmcts.darts.authorisation.exception.AuthorisationError.USER_NOT_ACTIVE;
 
 @Component
 @AllArgsConstructor
@@ -49,8 +50,14 @@ public UserAccountEntity getUserAccount() {
 
     @Override
     public UserAccountEntity getUserAccount(Jwt jwt) {
-        return getUserAccountOptional(jwt)
-            .orElseThrow(() -> new DartsApiException(USER_DETAILS_INVALID));
+        var userAccount = getUserAccountOptional(jwt);
+        if (userAccount.isEmpty()) {
+            throw new DartsApiException(USER_DETAILS_INVALID);
+        }
+        if (!userAccount.get().isActive()) {
+            throw new DartsApiException(USER_NOT_ACTIVE);
+        }
+        return userAccount.get();
     }
 
     @Override
@@ -66,9 +73,15 @@ public Optional<UserAccountEntity> getUserAccountOptional(Jwt jwt) {
         }
 
         String emailAddressFromToken = EmailAddressFromTokenUtil.getEmailAddressFromToken(jwt);
-        return userAccountRepository.findByEmailAddressIgnoreCaseAndActive(emailAddressFromToken, true)
-            .stream()
-            .findFirst();
+        List<UserAccountEntity> userAccounts = userAccountRepository.findByEmailAddressIgnoreCase(emailAddressFromToken);
+
+        var activeUserAccount = userAccounts.stream().filter(UserAccountEntity::isActive).findFirst();
+        if (activeUserAccount.isPresent()) {
+            return activeUserAccount;
+        }
+
+        // return remaining inactive user account if no active user account found, else empty optional
+        return userAccounts.stream().findFirst();
     }
 
     @Override
diff --git a/src/main/java/uk/gov/hmcts/darts/authorisation/exception/AuthorisationError.java b/src/main/java/uk/gov/hmcts/darts/authorisation/exception/AuthorisationError.java
@@ -43,9 +43,14 @@ public enum AuthorisationError implements DartsApiError {
     ),
     USER_DETAILS_INVALID(
         AuthorisationErrorCode.USER_DETAILS_INVALID.getValue(),
-        HttpStatus.FORBIDDEN,
+        HttpStatus.UNAUTHORIZED,
         AuthorisationTitleErrors.USER_DETAILS_INVALID.toString()
     ),
+    USER_NOT_ACTIVE(
+        AuthorisationErrorCode.USER_NOT_ACTIVE.getValue(),
+        HttpStatus.FORBIDDEN,
+        AuthorisationTitleErrors.USER_NOT_ACTIVE.toString()
+    ),
     BAD_REQUEST_ANY_ID(
         AuthorisationErrorCode.BAD_REQUEST_ANY_ID.getValue(),
         HttpStatus.FORBIDDEN,
diff --git a/src/main/java/uk/gov/hmcts/darts/common/config/security/SecurityConfig.java b/src/main/java/uk/gov/hmcts/darts/common/config/security/SecurityConfig.java
diff --git a/src/main/java/uk/gov/hmcts/darts/common/exception/DartsApiTrait.java b/src/main/java/uk/gov/hmcts/darts/common/exception/DartsApiTrait.java
diff --git a/src/main/java/uk/gov/hmcts/darts/common/repository/UserAccountRepository.java b/src/main/java/uk/gov/hmcts/darts/common/repository/UserAccountRepository.java
diff --git a/src/main/resources/openapi/common.yaml b/src/main/resources/openapi/common.yaml

Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ void beforeEach() {`
`87`	`87`	`}`
`88`	`88`
`89`	`89`	`@Test`
`90`		`- void addAudioRequestPostShouldReturnForbiddenError() throws Exception {`
	`90`	`+ void addAudioRequestPost_shouldReturn401Error_whenUserNotFound() throws Exception {`
`91`	`91`
`92`	`92`	`when(mockUserIdentity.getUserAccount()).thenReturn(null);`
`93`	`93`
`@@ -97,7 +97,7 @@ void addAudioRequestPostShouldReturnForbiddenError() throws Exception {`
`97`	`97`	`.header("Content-Type", "application/json")`
`98`	`98`	`.content(objectMapper.writeValueAsString(audioRequestDetails));`
`99`	`99`
`100`		`- mockMvc.perform(requestBuilder).andExpect(status().isForbidden());`
	`100`	`+ mockMvc.perform(requestBuilder).andExpect(status().isUnauthorized());`
`101`	`101`	`}`
`102`	`102`
`103`	`103`	`@Test`
Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,7 @@ void beforeEach() {`
`86`	`86`	`}`
`87`	`87`
`88`	`88`	`@Test`
`89`		`- void addAudioRequestPostShouldReturnForbiddenError() throws Exception {`
	`89`	`+ void addAudioRequestPost_shouldReturn401Error_whenNoUserAccount() throws Exception {`
`90`	`90`
`91`	`91`	`when(mockUserIdentity.getUserAccount()).thenReturn(null);`
`92`	`92`
`@@ -96,7 +96,7 @@ void addAudioRequestPostShouldReturnForbiddenError() throws Exception {`
`96`	`96`	`.header("Content-Type", "application/json")`
`97`	`97`	`.content(objectMapper.writeValueAsString(audioRequestDetails));`
`98`	`98`
`99`		`- mockMvc.perform(requestBuilder).andExpect(status().isForbidden());`
	`99`	`+ mockMvc.perform(requestBuilder).andExpect(status().isUnauthorized());`
`100`	`100`	`}`
`101`	`101`
`102`	`102`	`@Test`
Original file line number	Diff line number	Diff line change
`@@ -115,7 +115,7 @@ void testInactiveUserCheck() throws Exception {`
`115`	`115`
`116`	`116`	`mockMvc.perform(get(ENDPOINT_URL).header("Authorization", "Bearer " + tokenDetails.getToken()))`
`117`	`117`	`.andExpect(status().isForbidden())`
`118`		`- .andExpect(content().json("{\"type\":\"AUTHORISATION_106\",\"title\":\"Could not obtain user details\",\"status\":403}"))`
	`118`	`+ .andExpect(content().json("{\"type\":\"AUTHORISATION_114\",\"title\":\"User is not active\",\"status\":403}"))`
`119`	`119`	`.andReturn();`
`120`	`120`	`}`
`121`	`121`
Original file line number	Diff line number	Diff line change
`@@ -63,13 +63,13 @@ private void setupData() {`
`63`	`63`	`}`
`64`	`64`
`65`	`65`	`@Test`
`66`		`- void casesSearchGetEndpointShouldReturnForbiddenError() throws Exception {`
	`66`	`+ void casesSearchGetEndpoint_shouldReturn401Error_whenUserNotFound() throws Exception {`
`67`	`67`	`setupData();`
`68`	`68`	`when(mockUserIdentity.getUserAccount()).thenReturn(null);`
`69`	`69`
`70`	`70`	`MockHttpServletRequestBuilder requestBuilder = get(endpointUrl, getCaseId(SOME_CASE_NUMBER, SOME_COURTHOUSE));`
`71`	`71`
`72`		`- mockMvc.perform(requestBuilder).andExpect(status().isForbidden());`
	`72`	`+ mockMvc.perform(requestBuilder).andExpect(status().isUnauthorized());`
`73`	`73`	`}`
`74`	`74`
`75`	`75`	`@Test`
Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,7 @@ void setUp() {`
`78`	`78`	`}`
`79`	`79`
`80`	`80`	`@Test`
`81`		`- void caseHearingsGetEndpointShouldReturnForbidden() throws Exception {`
	`81`	`+ void caseHearingsGet_shouldReturn401Error_whenUserNotFound() throws Exception {`
`82`	`82`	`Mockito.reset(authentication);`
`83`	`83`
`84`	`84`	`// a user that does not exist in the db`
`@@ -90,12 +90,12 @@ void caseHearingsGetEndpointShouldReturnForbidden() throws Exception {`
`90`	`90`
`91`	`91`	`MockHttpServletRequestBuilder requestBuilder = get(endpointUrl, hearingEntity.getCourtCase().getId());`
`92`	`92`
`93`		`- MvcResult response = mockMvc.perform(requestBuilder).andExpect(status().isForbidden()).andReturn();`
	`93`	`+ MvcResult response = mockMvc.perform(requestBuilder).andExpect(status().isUnauthorized()).andReturn();`
`94`	`94`
`95`	`95`	`String actualResponse = response.getResponse().getContentAsString();`
`96`	`96`
`97`	`97`	`String expectedResponse = """`
`98`		`- {"type":"AUTHORISATION_106","title":"Could not obtain user details","status":403}`
	`98`	`+ {"type":"AUTHORISATION_106","title":"Could not obtain user details","status":401}`
`99`	`99`	`""";`
`100`	`100`	`JSONAssert.assertEquals(expectedResponse, actualResponse, JSONCompareMode.NON_EXTENSIBLE);`
`101`	`101`	`}`
`@@ -252,7 +252,7 @@ void caseHearingsWithInactiveUser() throws Exception {`
`252`	`252`	`MockHttpServletRequestBuilder requestBuilder = get(endpointUrl, hearingEntity.getCourtCase().getId());`
`253`	`253`
`254`	`254`	`mockMvc.perform(requestBuilder).andExpect(status().isForbidden()).andExpect(jsonPath("$.type").value(`
`255`		`- AuthorisationError.USER_DETAILS_INVALID.getType()));`
	`255`	`+ AuthorisationError.USER_NOT_ACTIVE.getType()));`
`256`	`256`	`}`
`257`	`257`
`258`	`258`	`}`
Original file line number	Diff line number	Diff line change
`@@ -90,15 +90,15 @@ void setUp() {`
`90`	`90`	`}`
`91`	`91`
`92`	`92`	`@Test`
`93`		`- void casesGetEventsEndpointShouldReturnForbiddenError() throws Exception {`
	`93`	`+ void casesGetEventsEndpoint_shouldReturn401Error_whenNoUserExists() throws Exception {`
`94`	`94`
`95`	`95`	`when(mockUserIdentity.getUserAccount()).thenReturn(null);`
`96`	`96`
`97`	`97`	`MockHttpServletRequestBuilder requestBuilder = get(ENDPOINT_URL, getCaseId(SOME_CASE_NUMBER, SOME_COURTHOUSE))`
`98`	`98`	`.queryParam("page_number", "1")`
`99`	`99`	`.queryParam("page_size", "1");`
`100`	`100`
`101`		`- mockMvc.perform(requestBuilder).andExpect(MockMvcResultMatchers.status().isForbidden());`
	`101`	`+ mockMvc.perform(requestBuilder).andExpect(MockMvcResultMatchers.status().isUnauthorized());`
`102`	`102`	`}`
`103`	`103`
`104`	`104`	`@Test`