From 558fe42ef1aa127145701e9178f961af7220fc3f Mon Sep 17 00:00:00 2001
From: David Christofas
Date: Thu, 11 Aug 2022 12:28:02 +0200
Subject: [PATCH] fix logic of when to add the www-authenticate headers
---
 .../proxy/pkg/middleware/authentication.go | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/services/proxy/pkg/middleware/authentication.go b/services/proxy/pkg/middleware/authentication.go
index 728a85a0a48..62fb740a701 100644
--- a/services/proxy/pkg/middleware/authentication.go
+++ b/services/proxy/pkg/middleware/authentication.go
@@ -89,7 +89,24 @@ func Authentication(auths []Authenticator, opts ...Option) func(next http.Handle
 }
 }
 if !isPublicPath(r.URL.Path) {
- writeSupportedAuthenticateHeader(w, r)
+ if isBasicAuth(options.EnableBasicAuth, r) {
+ // Failed basic authentication attempts receive the Www-Authenticate header in the response
+ var touch bool
+ for k, v := range options.CredentialsByUserAgent {
+ if strings.Contains(k, r.UserAgent()) {
+ removeSuperfluousAuthenticate(w)
+ w.Header().Add("Www-Authenticate", fmt.Sprintf("%v realm=\"%s\", charset=\"UTF-8\"", strings.Title(v), r.Host))
+ touch = true
+ break
+ }
+ }
+
+ // if the request is not bound to any user agent, write all available challenges
+ if !touch {
+ writeSupportedAuthenticateHeader(w, r)
+ }
+ }
+
 for _, s := range SupportedAuthStrategies {
 userAgentAuthenticateLockIn(w, r, options.CredentialsByUserAgent, s)
 }
@@ -128,6 +145,11 @@ func isUnprotectedPath(r *http.Request) bool {
 return false
 }
 
+func isBasicAuth(isBasicAuthEnabled bool, r *http.Request) bool {
+ _, _, ok := r.BasicAuth()
+ return isBasicAuthEnabled && ok
+}
+
 func isPublicPath(p string) bool {
 for _, pp := range _publicPaths {
 if strings.HasPrefix(p, pp) {
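Review bot: In the first hunk, `strings.Contains(k, r.UserAgent())` treats a request that sends no User-Agent header as a match for every configured key, because `strings.Contains` returns true for an empty substring. Go map iteration order is unspecified, so such a request receives the challenge of an arbitrary `CredentialsByUserAgent` entry instead of the full list written by `writeSupportedAuthenticateHeader`. Guard the empty value, e.g. `if ua := r.UserAgent(); ua != "" && strings.Contains(k, ua) {`; if the map keys are meant to be substrings of the client's User-Agent rather than the reverse, the two arguments should also be swapped. `strings.Title` on the same line is deprecated since Go 1.18. The enclosing `Authentication` closure starts and ends outside the hunk.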
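Review bot: `isBasicAuth` in the second hunk has no doc comment, and its contract is narrower than the name suggests: `r.BasicAuth()` reports `ok` only for a well-formed `Authorization: Basic` header, so a request with a malformed Basic header is treated as non-basic and skips the new challenge branch in `Authentication`. It also only detects the scheme and does not validate the credentials. Suggested comment: `// isBasicAuth reports whether basic auth is enabled and r carries a parseable Basic Authorization header; it does not verify the credentials.`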