Fix: Return 401 for API request with Invalid Authorization

api/api/views/oauth2_views.py

@@ -14,6 +14,7 @@
 from drf_spectacular.utils import extend_schema
 from oauth2_provider.generators import generate_client_secret
 from oauth2_provider.views import TokenView as BaseTokenView
+from oauth2_provider.contrib.rest_framework import TokenHasScope
 from redis.exceptions import ConnectionError
 
 from api.docs.oauth2_docs import key_info, register, token
@@ -167,6 +168,8 @@ def post(self, request):
 @extend_schema(tags=["auth"])
 class CheckRates(APIView):
     throttle_classes = (OnePerSecond,)
+    permission_classes = (TokenHasScope,)
+    required_scopes = ["read"]
 
     @key_info
     def get(self, request, format=None):
@@ -180,7 +183,6 @@ def get(self, request, format=None):
         > token has expired.
         """
 
-        # TODO: Replace 403 responses with DRF `authentication_classes`.
         if not request.auth:
             return Response(status=403, data="Forbidden")