[BUG] Error codes

[Bibo-Joshi]

python-telegram-bot/telegram/utils/request.py

Lines 268 to 280 in ff3fd34

	if resp.status in (401, 403):
	raise Unauthorized(message)
	elif resp.status == 400:
	raise BadRequest(message)
	elif resp.status == 404:
	raise InvalidToken()
	elif resp.status == 409:
	raise Conflict(message)
	elif resp.status == 413:
	raise NetworkError(
	'File too large. Check telegram api limits '
	'https://core.telegram.org/bots/api#senddocument'
	)

We currently raise InvalidToken for 404, though 404 seems to be raised when requesting non-existing methods.
Unauthorized (=401) is the acutal InvalidToken and 403 gives Forbidden. So

• 401 -> Unauthorized
• 403 -> Forbidden
• drop InvalidToken/only use it in Bot._validate_token

I do think we should update that. However those are pretty much breaking changes, so probably only in the next major release …

[stdz56]

I think that the current behavior is the right behavior.

To raise InvalidToken you have to:

• pass an empty string as token
• pass a token without digits
• pass a token without letters

If you actually pass a token Digits:Letters, it doesn’t raise InvalidToken as it’s a correct token from this view.

Unauthorized is indeed the more appropriate for that case: https://api.telegram.org/bot1234567:ABCDEFGHI/getUpdates as the token is not invalid but you can’t use it anyway.

Even thought, users are more used to see Unauthorized related to trying to send messages to users that haven’t started the bot and it could indeed mislead.

[Bibo-Joshi]

I'm not sure if I fully understand what you'r saying. I'll try to summarize the behavior:

• correctly formatted token, but a non-existend method → "404 not found"
• correctly formatted token that is invalid → "401 Unauthorized"
• valid token but not enough rights → "403 Forbidden"
• malformed token → "404 not found"

We can rule out calling of non-existend methods, because we don't expose manual api calls to the user. That leaves is with 404 only happening for malformed tokens.

So we could

• raise InvalidToken for 404 and 401 (imho that's a more descriptive name than "Unauthorized")
• make 403 raise Forbidden
• keep Unauthorized as synonym for Forbidden for backwards compatibility with 403. It's unlikely that someone keeps a process running with correctly formatted but invalid token, so not keeping backwards compatibility with Unauthorized being raised for 401 is justifiable IMHO, especially if we do this in a major release

[SanthoshS20]

@Bibo-Joshi Can i contribute to this issue?

[Poolitzer]

it is in a later stage right now. I think this is because handling the API calls will drastically change once we implement this via async, so it doesn't make sense to change it for the threaded way we have right now. Since we arent at the stage yet where we switch to asyncio, it will also take a while since this issue is tackable.