Merge pull request #192 from labstack/issue-180

vishr · vishr · commit e0a40f864c60 · 2015-09-01T11:32:12.000-07:00
Closes #180
diff --git a/echo.go b/echo.go
@@ -134,6 +134,7 @@ const (
 	Location           = "Location"
 	Upgrade            = "Upgrade"
 	Vary               = "Vary"
+	WWWAuthenticate = "WWW-Authenticate"
 
 	//-----------
 	// Protocols
diff --git a/middleware/auth.go b/middleware/auth.go
@@ -18,7 +18,6 @@ const (
 // BasicAuth returns an HTTP basic authentication middleware.
 //
 // For valid credentials it calls the next handler.
-// For invalid Authorization header it sends "404 - Bad Request" response.
 // For invalid credentials, it sends "401 - Unauthorized" response.
 func BasicAuth(fn BasicValidateFunc) echo.HandlerFunc {
 	return func(c *echo.Context) error {
@@ -29,7 +28,6 @@ func BasicAuth(fn BasicValidateFunc) echo.HandlerFunc {
 
 		auth := c.Request().Header.Get(echo.Authorization)
 		l := len(Basic)
-		he := echo.NewHTTPError(http.StatusBadRequest)
 
 		if len(auth) > l+1 && auth[:l] == Basic {
 			b, err := base64.StdEncoding.DecodeString(auth[l+1:])
@@ -41,11 +39,11 @@ func BasicAuth(fn BasicValidateFunc) echo.HandlerFunc {
 						if fn(cred[:i], cred[i+1:]) {
 							return nil
 						}
-						he.SetCode(http.StatusUnauthorized)
+						c.Response().Header().Set(echo.WWWAuthenticate, Basic + " realm=Restricted")
 					}
 				}
 			}
 		}
-		return he
+		return echo.NewHTTPError(http.StatusUnauthorized)
 	}
 }
diff --git a/middleware/auth_test.go b/middleware/auth_test.go
@@ -36,17 +36,20 @@ func TestBasicAuth(t *testing.T) {
 	req.Header.Set(echo.Authorization, auth)
 	he := ba(c).(*echo.HTTPError)
 	assert.Equal(t, http.StatusUnauthorized, he.Code())
+	assert.Equal(t, Basic + " realm=Restricted", rec.Header().Get(echo.WWWAuthenticate))
 
 	// Empty Authorization header
 	req.Header.Set(echo.Authorization, "")
 	he = ba(c).(*echo.HTTPError)
-	assert.Equal(t, http.StatusBadRequest, he.Code())
+	assert.Equal(t, http.StatusUnauthorized, he.Code())
+	assert.Equal(t, Basic + " realm=Restricted", rec.Header().Get(echo.WWWAuthenticate))
 
 	// Invalid Authorization header
 	auth = base64.StdEncoding.EncodeToString([]byte("invalid"))
 	req.Header.Set(echo.Authorization, auth)
 	he = ba(c).(*echo.HTTPError)
-	assert.Equal(t, http.StatusBadRequest, he.Code())
+	assert.Equal(t, http.StatusUnauthorized, he.Code())
+	assert.Equal(t, Basic + " realm=Restricted", rec.Header().Get(echo.WWWAuthenticate))
 
 	// WebSocket
 	c.Request().Header.Set(echo.Upgrade, echo.WebSocket)

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,6 @@ const (`
`18`	`18`	`// BasicAuth returns an HTTP basic authentication middleware.`
`19`	`19`	`//`
`20`	`20`	`// For valid credentials it calls the next handler.`
`21`		`-// For invalid Authorization header it sends "404 - Bad Request" response.`
`22`	`21`	`// For invalid credentials, it sends "401 - Unauthorized" response.`
`23`	`22`	`func BasicAuth(fn BasicValidateFunc) echo.HandlerFunc {`
`24`	`23`	`return func(c *echo.Context) error {`
`@@ -29,7 +28,6 @@ func BasicAuth(fn BasicValidateFunc) echo.HandlerFunc {`
`29`	`28`
`30`	`29`	`auth := c.Request().Header.Get(echo.Authorization)`
`31`	`30`	`l := len(Basic)`
`32`		`- he := echo.NewHTTPError(http.StatusBadRequest)`
`33`	`31`
`34`	`32`	`if len(auth) > l+1 && auth[:l] == Basic {`
`35`	`33`	`b, err := base64.StdEncoding.DecodeString(auth[l+1:])`
`@@ -41,11 +39,11 @@ func BasicAuth(fn BasicValidateFunc) echo.HandlerFunc {`
`41`	`39`	`if fn(cred[:i], cred[i+1:]) {`
`42`	`40`	`return nil`
`43`	`41`	`}`
`44`		`- he.SetCode(http.StatusUnauthorized)`
	`42`	`+ c.Response().Header().Set(echo.WWWAuthenticate, Basic + " realm=Restricted")`
`45`	`43`	`}`
`46`	`44`	`}`
`47`	`45`	`}`
`48`	`46`	`}`
`49`		`- return he`
	`47`	`+ return echo.NewHTTPError(http.StatusUnauthorized)`
`50`	`48`	`}`
`51`	`49`	`}`