(mvc) fix http status codes, closes https://github.com/opnsense/core/issues/1358

src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php

@@ -171,6 +171,7 @@ class ApiControllerBase extends ControllerRoot
             // handle UI ajax requests
             // use session data and ACL to validate request.
             if (!$this->doAuth()) {
+                $this->response->setStatusCode(401, "Unauthorized");
                 return false;
             }
 
@@ -185,6 +186,7 @@ class ApiControllerBase extends ControllerRoot
             ) {
                 // missing csrf, exit.
                 $this->getLogger()->error("no matching csrf found for request");
+                $this->response->setStatusCode(403, "Forbidden");
                 return false;
             }
         }

src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php

@@ -179,6 +179,7 @@ class ControllerBase extends ControllerRoot
             // check for valid csrf on post requests
             if ($this->request->isPost() && !$this->security->checkToken()) {
                 // post without csrf, exit.
+                $this->response->setStatusCode(403, "Forbidden");
                 return false;
             }