What should onAuthorizer return when authorization is denied? #175

@micahcantor

I can't find a clear answer to this question in the documentation. In the Pusher authorization docs it says:

"Unsuccessful responses from an authorization endpoint should serve a 403 Forbidden HTTP status."

Moreover, the return type of onAuthorizer is Promise<PusherAuthorizerResult>, which is defined as:

export interface PusherAuthorizerResult {
  auth?: string;
  shared_secret?: string;
  channel_data?: string;
}

Together this makes me think that onAuthorizer should return {} when the server responds with HTTP 403. But if I do that, then I get the following error: Client error | Invalid key in subscription auth data: '<missing_auth_param>' since the auth field is missing.

If I instead look at the usage of onAuthorizer in the Pusher class, I see this in Pusher#init:

this.addListener(
  PusherEventName.ON_AUTHORIZER,
  async ({ channelName, socketId }) => {
    const data = await args.onAuthorizer?.(channelName, socketId);
    if (data) {
      await PusherWebsocketReactNative.onAuthorizer(
        channelName,
        socketId,
        data
      );
    }
  }
);

Here we check if the result of onAuthorizer is truthy before calling the native method. So from this I think that onAuthorizer should return a falsy value if authorization fails. But (1) that wouldn't typecheck, and (2) if I return undefined, then I instead get Client Error | Invalid key in subscription auth data: '<authorizer_timeout>'

So I'm at a bit of a loss as to how to implement this correctly. Should I just be handling the client errors with the onError method? Any pointers here, am I overlooking something?
