fix: use 403 for authorization errors

401 is called "unauthorized" but this is a bug in the HTTP spec - see https://stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses

403 should be used if a user is correctly authenticated but does not have sufficient permission to perform an action

server/src/routes/v1/apps/handlers/createAppVersion.js

@@ -73,7 +73,7 @@ module.exports = {
             isManager || userApps.map(app => app.app_id).indexOf(appId) !== -1
 
         if (!userCanEditApp) {
-            throw Boom.unauthorized()
+            throw Boom.forbidden()
         }
 
         const versionPayload = request.payload.version