Closed
Issue Description
When using the KeyAuth middleware without an Authorization
header, "400 Bad Request" is returned.
However, according to RFC 6750 I think the appropriate response code is "401 Unauthorized".
    If the request lacks any authentication information (e.g., the client
    was unaware that authentication is necessary or attempted using an
    unsupported authentication method), the resource server SHOULD NOT
    include an error code or other error information. For example:

        HTTP/1.1 401 Unauthorized
        WWW-Authenticate: Bearer realm="example"
Related implementation:
Checklist
- Dependencies installed
- No typos
- Searched existing issues and docs
Expected behaviour
Return status code 401 Unauthorized
Actual behaviour
Return status code 400 Bad Request
Steps to reproduce
package main

import (
	"net/http"

	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
)

func main() {
	e := echo.New()

	// KeyAuth with the default config: it looks for "Authorization: Bearer <key>"
	// and calls the validator with the extracted key.
	e.Use(middleware.KeyAuth(func(key string, c echo.Context) (bool, error) {
		return key == "valid-key", nil
	}))

	e.GET("/", func(c echo.Context) error {
		return c.String(http.StatusOK, "Hello, World!")
	})

	e.Logger.Fatal(e.Start(":8080"))
}
With auth key (Expected)
$ curl -i -H 'Authorization: Bearer valid-key' http://localhost:8080/
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Thu, 19 Sep 2019 13:39:54 GMT
Content-Length: 13
Hello, World!
Without Authorization header
$ curl -i http://localhost:8080/
HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=UTF-8
Date: Thu, 19 Sep 2019 13:39:36 GMT
Content-Length: 44
{"message":"missing key in request header"}
Why does this return 400 Bad Request instead of 401 Unauthorized?
Version/commit
v4.1.10
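To make concrete what the RFC 6750 behaviour requested in this issue looks like on the wire, here is an added example that is not code from the issue or from echo: a bearer-token check written against the standard library's net/http rather than echo's KeyAuth, so it runs without the echo dependency. The realm "example" is taken from the RFC excerpt quoted above; the key "valid-key", the keyIsValid validator, the BearerAuth middleware and the Probe helper are assumptions made for the demonstration. It answers a bare 401 challenge with no error attribute when the Authorization header is absent or carries an unsupported scheme, 401 with error="invalid_token" when a bearer token is present but rejected, and lets valid requests through.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Realm is the protection space advertised in the WWW-Authenticate challenge.
// The value "example" is the one used in the RFC 6750 excerpt quoted in the issue.
const Realm = "example"

// BearerAuth wraps next with RFC 6750 (section 3.1) error signalling.
// validate is the caller's key check; it reports whether the presented key is acceptable.
func BearerAuth(validate func(key string) bool, next http.Handler) http.Handler {
	const scheme = "Bearer "
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		// No credentials at all, or credentials for a scheme this server does not
		// support: answer 401 with a bare challenge and no error attribute, as the
		// RFC says the server SHOULD NOT include error information in that case.
		if len(h) <= len(scheme) || !strings.EqualFold(h[:len(scheme)], scheme) {
			w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Bearer realm=%q`, Realm))
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		// A bearer token was presented but is not acceptable: still 401, now with
		// error="invalid_token" so a well-behaved client knows to re-authenticate.
		if !validate(strings.TrimSpace(h[len(scheme):])) {
			w.Header().Set("WWW-Authenticate",
				fmt.Sprintf(`Bearer realm=%q, error="invalid_token"`, Realm))
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// keyIsValid is the assumed validator, mirroring the issue's `key == "valid-key"`
// but using a constant-time comparison so timing does not leak the secret.
func keyIsValid(key string) bool {
	return subtle.ConstantTimeCompare([]byte(key), []byte("valid-key")) == 1
}

// Probe sends one in-memory request with the given Authorization header value
// (empty means the header is omitted) and returns the status code and the
// WWW-Authenticate challenge the middleware produced.
func Probe(auth string) (int, string) {
	handler := BearerAuth(keyIsValid, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "Hello, World!")
	}))
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if auth != "" {
		req.Header.Set("Authorization", auth)
	}
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("WWW-Authenticate")
}

func main() {
	// Constructed probes: no header, an unsupported scheme, a bad token, a good one.
	for _, auth := range []string{"", "Basic dXNlcjpwYXNz", "Bearer wrong", "Bearer valid-key"} {
		code, challenge := Probe(auth)
		fmt.Printf("%-20q -> %d %s\n", auth, code, challenge)
	}
}
```

The distinction that matters for a client is the WWW-Authenticate header: a 401 without it gives the client nothing to act on, and a 400 tells it the request was malformed rather than unauthenticated, which is why the RFC reserves 400 for invalid_request (a syntactically broken request) and uses 401 for the missing or rejected credential cases shown here.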