Skip to content

Commit

Permalink
fix logic of when to add the www-authenticate headers
Browse files Browse the repository at this point in the history
  • Loading branch information
David Christofas committed Aug 11, 2022
1 parent 1f5cb89 commit 558fe42
Showing 1 changed file with 23 additions and 1 deletion.
24 changes: 23 additions & 1 deletion services/proxy/pkg/middleware/authentication.go
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,24 @@ func Authentication(auths []Authenticator, opts ...Option) func(next http.Handle
}
}
if !isPublicPath(r.URL.Path) {
writeSupportedAuthenticateHeader(w, r)
if isBasicAuth(options.EnableBasicAuth, r) {
// Failed basic authentication attempts receive the Www-Authenticate header in the response
var touch bool
for k, v := range options.CredentialsByUserAgent {
if strings.Contains(k, r.UserAgent()) {
removeSuperfluousAuthenticate(w)
w.Header().Add("Www-Authenticate", fmt.Sprintf("%v realm=\"%s\", charset=\"UTF-8\"", strings.Title(v), r.Host))
touch = true
break
}
}

// if the request is not bound to any user agent, write all available challenges
if !touch {
writeSupportedAuthenticateHeader(w, r)
}
}

for _, s := range SupportedAuthStrategies {
userAgentAuthenticateLockIn(w, r, options.CredentialsByUserAgent, s)
}
Expand Down Expand Up @@ -128,6 +145,11 @@ func isUnprotectedPath(r *http.Request) bool {
return false
}

func isBasicAuth(isBasicAuthEnabled bool, r *http.Request) bool {
_, _, ok := r.BasicAuth()
return isBasicAuthEnabled && ok
}

func isPublicPath(p string) bool {
for _, pp := range _publicPaths {
if strings.HasPrefix(p, pp) {
Expand Down

0 comments on commit 558fe42

Please sign in to comment.