Wrong headers for non-authenticated users #16

Open
weierophinney opened this issue Dec 31, 2019 · 2 comments

Comments

@weierophinney
Contributor

Hello
If a non-authenticated user sends a request to a page that needs authorization, then he will get a 403 status (Forbidden). I think this behavior is incorrect, because he should get a 401 status (Unauthorized).
It happened because of this fix: zfcampus/zf-mvc-auth#92
Here is this fix:

if (! $request->getHeader('Authorization', false)) {
    // No credentials were present at all, so we just return a guest identity.
    return new Identity\GuestIdentity();
}

I think that this fix is incorrect. I think we should check the authentication only if this method requires authorization, and we shouldn't check the Authorization header here.


Originally posted by @Redigast13 at zfcampus/zf-apigility-skeleton#111

@weierophinney
Contributor Author

I believe you are right, and this is a duplicate of zfcampus/zf-mvc-auth#97


Originally posted by @PowerKiKi at zfcampus/zf-apigility-skeleton#111 (comment)

@weierophinney
Contributor Author

You're right. My fix is even worse. It prevents challenging the client when needed...

...
'zf-mvc-auth' => [
    'authentication' => [

        'adapters' => [
            'http' => [
                // HTTP auth adapter configuration
            ],
            'whatever' => [
                // Whatever auth adapter configuration
            ],
        ],

        'map' => [
            'API/VERSION1' => 'basic',
            'API/VERSION2' => 'whatevertype',
        ],
    ],
]
...

Now, let's imagine the following scenario: a client requests the following URI /host.tld/API/VERSION1 (here, the matching authentication type is basic). No Authorization header is sent by the client.

Then, the following will occur in the default authentication listener:

  • getTypeFromRequest() will not be called (we already have an authentication type, which is basic)
  • pre-flight auth tasks will not be called on the auth adapter. In that case, this means that the client will not be challenged (no 401 status code, nor WWW-Authenticate header)
  • the authenticate() method on the MVC authentication adapter will be called (that adapter matches the 'basic' authentication type)

At this point, if the MVC HTTP adapter doesn't find the Authorization header, it will simply return a GuestIdentity. So, later on, the authorization listener will simply set a 403 status code if GuestIdentity is not allowed to access the resource.

I'll investigate and try to provide a patch.


Originally posted by @nuxwin at zfcampus/zf-apigility-skeleton#111 (comment)
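The flow described in the comment above, as an added illustration that is not zf-mvc-auth's own code: a stripped-down model of the listener decision, with the 403-without-challenge behaviour next to the 401-with-challenge behaviour the thread argues for. The function names, the `$authMap` array and the `"api"` realm are assumptions made for this example, and only the basic and digest types are modelled.

```php
<?php
// Added example, not library code. $authMap mirrors the 'map' section of the
// configuration quoted in the thread: controller => required auth type.
$authMap = [
    'API/VERSION1' => 'basic',
];

// Behaviour introduced by zfcampus/zf-mvc-auth#92 (as described above):
// a missing Authorization header yields a guest identity, and the later
// authorization step answers 403 for a protected resource, with no challenge.
function decideStatusBefore(array $map, string $controller, ?string $authHeader): array
{
    $identity = $authHeader === null ? 'guest' : 'authenticated';
    if (isset($map[$controller]) && $identity === 'guest') {
        return ['status' => 403, 'headers' => []];
    }
    return ['status' => 200, 'headers' => []];
}

// Behaviour the thread asks for: when the matched controller requires an
// authentication type and no credentials were sent, challenge the client
// with 401 and a WWW-Authenticate header so it knows how to authenticate.
function decideStatusAfter(array $map, string $controller, ?string $authHeader): array
{
    $schemes = ['basic' => 'Basic', 'digest' => 'Digest'];
    if (isset($map[$controller]) && $authHeader === null) {
        $scheme = $schemes[$map[$controller]] ?? 'Basic';
        return [
            'status'  => 401,
            'headers' => ['WWW-Authenticate' => $scheme . ' realm="api"'],
        ];
    }
    // Credentials present, or no auth required: continue to the adapter's
    // authenticate() and the authorization listener as usual.
    return ['status' => 200, 'headers' => []];
}

// Constructed request: protected controller, no Authorization header.
foreach (['decideStatusBefore', 'decideStatusAfter'] as $fn) {
    $result = $fn($authMap, 'API/VERSION1', null);
    printf("%s: HTTP %d", $fn, $result['status']);
    foreach ($result['headers'] as $name => $value) {
        printf("  %s: %s", $name, $value);
    }
    echo PHP_EOL;
}
```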
