fix: basic auth response header WWW-Authenticate if all roles failed

qdm12 · Sep 11, 2024 · e18147c · e18147c
1 parent 3b24744
commit e18147c
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 5 deletions.
diff --git a/internal/server/middlewares/auth/apikey.go b/internal/server/middlewares/auth/apikey.go
@@ -25,7 +25,7 @@ func (a *apiKeyMethod) equal(other authorizationChecker) bool {
 	return a.apiKey == otherTokenMethod.apiKey
 }
 
-func (a *apiKeyMethod) isAuthorized(request *http.Request) bool {
+func (a *apiKeyMethod) isAuthorized(_ http.Header, request *http.Request) bool {
 	xAPIKey := request.Header.Get("X-API-Key")
 	if xAPIKey == "" {
 		xAPIKey = request.URL.Query().Get("api_key")

diff --git a/internal/server/middlewares/auth/basic.go b/internal/server/middlewares/auth/basic.go
@@ -26,9 +26,10 @@ func (a *basicAuthMethod) equal(other authorizationChecker) bool {
 	return a.authDigest == otherBasicMethod.authDigest
 }
 
-func (a *basicAuthMethod) isAuthorized(request *http.Request) bool {
+func (a *basicAuthMethod) isAuthorized(headers http.Header, request *http.Request) bool {
 	username, password, ok := request.BasicAuth()
 	if !ok {
+		headers.Set("WWW-Authenticate", `Basic realm="restricted", charset="UTF-8"`)
 		return false
 	}
 	requestAuthDigest := sha256.Sum256([]byte(username + password))

diff --git a/internal/server/middlewares/auth/interfaces_local.go b/internal/server/middlewares/auth/interfaces_local.go
@@ -4,5 +4,5 @@ import "net/http"
 
 type authorizationChecker interface {
 	equal(other authorizationChecker) bool
-	isAuthorized(request *http.Request) bool
+	isAuthorized(headers http.Header, request *http.Request) bool
 }
diff --git a/internal/server/middlewares/auth/middleware.go b/internal/server/middlewares/auth/middleware.go
@@ -58,8 +58,9 @@ func (h *authHandler) ServeHTTP(writer http.ResponseWriter, request *http.Reques
 		return
 	}
 
+	responseHeader := make(http.Header, 0)
 	for _, role := range roles {
-		if !role.checker.isAuthorized(request) {
+		if !role.checker.isAuthorized(responseHeader, request) {
 			continue
 		}
 
@@ -70,6 +71,13 @@ func (h *authHandler) ServeHTTP(writer http.ResponseWriter, request *http.Reques
 		return
 	}
 
+	// Flush out response headers if all roles failed to authenticate
+	for headerKey, headerValues := range responseHeader {
+		for _, headerValue := range headerValues {
+			writer.Header().Add(headerKey, headerValue)
+		}
+	}
+
 	allRoleNames := make([]string, len(roles))
 	for i, role := range roles {
 		allRoleNames[i] = role.name

diff --git a/internal/server/middlewares/auth/none.go b/internal/server/middlewares/auth/none.go
@@ -15,6 +15,6 @@ func (n *noneMethod) equal(other authorizationChecker) bool {
 	return ok
 }
 
-func (n *noneMethod) isAuthorized(_ *http.Request) bool {
+func (n *noneMethod) isAuthorized(_ http.Header, _ *http.Request) bool {
 	return true
 }