Handle invalid token as well

command/agent/http.go

@@ -301,9 +301,13 @@ func (s *HTTPServer) wrap(handler func(resp http.ResponseWriter, req *http.Reque
 			code := 500
 			if http, ok := err.(HTTPCodedError); ok {
 				code = http.Code()
-			} else if err.Error() == structs.ErrPermissionDenied.Error() {
-				code = 403
+			} else {
+				switch err.Error() {
+				case structs.ErrPermissionDenied.Error(), structs.ErrTokenNotFound.Error():
+					code = 403
+				}
 			}
+
 			resp.WriteHeader(code)
 			resp.Write([]byte(err.Error()))
 			return

command/agent/http_test.go

@@ -236,6 +236,23 @@ func TestPermissionDenied(t *testing.T) {
 	assert.Equal(t, resp.Code, 403)
 }
 
+func TestTokenNotFound(t *testing.T) {
+	s := makeHTTPServer(t, func(c *Config) {
+		c.ACL.Enabled = true
+	})
+	defer s.Shutdown()
+
+	resp := httptest.NewRecorder()
+	handler := func(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
+		return nil, structs.ErrTokenNotFound
+	}
+
+	urlStr := "/v1/job/foo"
+	req, _ := http.NewRequest("GET", urlStr, nil)
+	s.Server.wrap(handler)(resp, req)
+	assert.Equal(t, resp.Code, 403)
+}
+
 func TestParseWait(t *testing.T) {
 	t.Parallel()
 	resp := httptest.NewRecorder()