Set a 400+ status when throwing WP_Errors

src/Auth.php

@@ -132,6 +132,8 @@ protected static function get_signed_token( $user, $cap_check = true ) {
 		 * Only allow the currently signed in user access to a JWT token
 		 */
 		if ( true === $cap_check && get_current_user_id() !== $user->ID || 0 === $user->ID ) {
+			// See https://github.com/wp-graphql/wp-graphql-jwt-authentication/issues/111
+			self::set_status(400);
 			return new \WP_Error( 'graphql-jwt-no-permissions', __( 'Only the user requesting a token can get a token issued for them', 'wp-graphql-jwt-authentication' ) );
 		}
 
@@ -454,7 +456,8 @@ public static function revoke_user_secret( $user_id ) {
 			return true;
 
 		} else {
-
+			// See https://github.com/wp-graphql/wp-graphql-jwt-authentication/issues/111
+			self::set_status(401);
 			return new \WP_Error( 'graphql-jwt-auth-cannot-revoke-secret', __( 'The JWT Auth Secret cannot be revoked for this user', 'wp-graphql-jwt-authentication' ) );
 
 		}
@@ -494,7 +497,8 @@ public static function unrevoke_user_secret( int $user_id ) {
 			return true;
 
 		} else {
-
+			// See https://github.com/wp-graphql/wp-graphql-jwt-authentication/issues/111
+			self::set_status(401);
 			return new \WP_Error( 'graphql-jwt-auth-cannot-unrevoke-secret', __( 'The JWT Auth Secret cannot be unrevoked for this user', 'wp-graphql-jwt-authentication' ) );
 
 		}
@@ -555,6 +559,7 @@ public static function validate_token( $token = null, $refresh = false ) {
 		 * If there's no secret key, throw an error as there needs to be a secret key for Auth to work properly
 		 */
 		if ( ! self::get_secret_key() ) {
+			// See https://github.com/wp-graphql/wp-graphql-jwt-authentication/issues/111
 			self::set_status( 403 );
 			return new \WP_Error( 'invalid-secret-key', __( 'JWT is not configured properly', 'wp-graphql-jwt-authentication' ) );
 		}
@@ -586,13 +591,17 @@ public static function validate_token( $token = null, $refresh = false ) {
 		 * The Token is decoded now validate the iss
 		 */
 		if ( ! isset( $token->iss ) || get_bloginfo( 'url' ) !== $token->iss ) {
+			// See https://github.com/wp-graphql/wp-graphql-jwt-authentication/issues/111
+			self::set_status(401);
 			return new \WP_Error( 'invalid-jwt', __( 'The iss do not match with this server', 'wp-graphql-jwt-authentication' ) );
 		}
 
 		/**
 		 * So far so good, validate the user id in the token
 		 */
 		if ( ! isset( $token->data->user->id ) ) {
+			// See https://github.com/wp-graphql/wp-graphql-jwt-authentication/issues/111
+			self::set_status(401);
 			return new \WP_Error( 'invalid-jwt', __( 'User ID not found in the token', 'wp-graphql-jwt-authentication' ) );
 		}
 
@@ -602,6 +611,8 @@ public static function validate_token( $token = null, $refresh = false ) {
 		if ( isset( $token->data->user->user_secret ) ) {
 
 			if ( Auth::is_jwt_secret_revoked( $token->data->user->id ) ) {
+				// See https://github.com/wp-graphql/wp-graphql-jwt-authentication/issues/111
+				self::set_status(401);
 				return new \WP_Error( 'invalid-jwt', __( 'The User Secret does not match or has been revoked for this user', 'wp-graphql-jwt-authentication' ) );
 			}
 		}