From 5d45f0e856201f6cb3afbe6d8a6477b05b10f523 Mon Sep 17 00:00:00 2001
From: David Christofas
Date: Thu, 11 Aug 2022 12:28:02 +0200
Subject: [PATCH] fix logic of when to add the www-authenticate headers
---
.../proxy/pkg/middleware/authentication.go | 27 ++++++++++++++++---
1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/services/proxy/pkg/middleware/authentication.go b/services/proxy/pkg/middleware/authentication.go
index 728a85a0a4..07d5568f7f 100644
--- a/services/proxy/pkg/middleware/authentication.go
+++ b/services/proxy/pkg/middleware/authentication.go
@@ -89,10 +89,31 @@ func Authentication(auths []Authenticator, opts ...Option) func(next http.Handle
 }
 }
 if !isPublicPath(r.URL.Path) {
- writeSupportedAuthenticateHeader(w, r)
- for _, s := range SupportedAuthStrategies {
- userAgentAuthenticateLockIn(w, r, options.CredentialsByUserAgent, s)
+ // Failed basic authentication attempts receive the Www-Authenticate header in the response
+ var touch bool
+ for k, v := range options.CredentialsByUserAgent {
+ if strings.Contains(k, r.UserAgent()) {
+ removeSuperfluousAuthenticate(w)
+ w.Header().Add("Www-Authenticate", fmt.Sprintf("%v realm=\"%s\", charset=\"UTF-8\"", strings.Title(v), r.Host))
+ touch = true
+ break
+ }
 }
+
+ // if the request is not bound to any user agent, write all available challenges
+ if !touch &&
+ // This is a temporary hack... Before the authentication middleware rewrite all
+ // unauthenticated requests were still handled. The reva http services then did add
+ // the supported authentication headers to the response. Since we are not allowing the
+ // requests to continue so far we have to do it here. But we shouldn't do it for the graph service.
+ // That's the reason for this hard check here.
+ !strings.HasPrefix(r.URL.Path, "/graph") {
+ writeSupportedAuthenticateHeader(w, r)
+ }
+ }
+
+ for _, s := range SupportedAuthStrategies {
+ userAgentAuthenticateLockIn(w, r, options.CredentialsByUserAgent, s)
 }
 w.WriteHeader(http.StatusUnauthorized)
 // if the request is a PROPFIND return a WebDAV error code.
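Review bot: The match in the added loop, `strings.Contains(k, r.UserAgent())`, tests whether the configured key contains the request's User-Agent, so a request with an empty User-Agent (or one that is merely a substring of some key) matches an entry, and because Go map iteration order is unspecified the scheme it gets pinned to can differ from one request to the next. If the keys of `options.CredentialsByUserAgent` are meant to be fragments of a user agent string, the operands look swapped; `if ua := r.UserAgent(); ua != "" && strings.Contains(ua, k) {` would avoid the empty-UA match. The same `Add` call formats the client-supplied `r.Host` into the quoted `realm` unescaped, which deserves a short comment stating why that is acceptable, or a fixed realm value instead. The enclosing `Authentication` closure starts and ends outside this hunk, so what `userAgentAuthenticateLockIn` now does to the header for public paths cannot be checked from here.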