Actually, Piston lets us return rc.FORBIDDEN, which is a wrapper for an HTTP 401 request. Here are my thoughts:
According to http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html, a 401 code is for Unauthorized and basically means that the user failed to provide authentication (i.e. bad or missing login/password).
A 403 is HTTP Forbidden, which represents a case in which a resource exists but cannot be accessed after the user provided credentials, because of permissions.
Therefore, I would suggest:
- change rc.FORBIDDEN to return a 403 HTTP status code
- add a new rc.UNAUTHORIZED and make it return a 401 HTTP status code
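
The 401/403 split described above, as an added example that is not part of the original post and is not Piston code. It assumes HTTP Basic authentication; `USERS`, `ACL`, `REALM`, `parse_basic` and `authorize` are hypothetical names and the data is constructed.

```python
import base64
import hmac

# Constructed sample data: credentials and per-resource permissions.
USERS = {"alice": "s3cret", "bob": "hunter2"}
ACL = {"/reports/42": {"alice"}}
REALM = "api"  # hypothetical realm name


def parse_basic(header):
    """Return (user, password) from a Basic Authorization header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(path, authorization=None):
    """Return (status, headers) for a request to `path`."""
    # RFC 2616 requires a WWW-Authenticate challenge on every 401 response.
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}

    creds = parse_basic(authorization)
    if creds is None:
        return 401, challenge  # missing or malformed credentials

    user, password = creds
    expected = USERS.get(user)
    # Constant-time comparison; also runs for unknown users.
    matches = hmac.compare_digest((expected or "").encode(), password.encode())
    if expected is None or not matches:
        return 401, challenge  # bad login or password

    # Identity is established from here on, so a refusal is about permissions.
    if user not in ACL.get(path, set()):
        return 403, {}  # authenticated, but not allowed; no challenge sent

    return 200, {}
```

A client that gets 401 can retry with different credentials, while 403 tells it that re-authenticating as the same user will not help.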