Update auth.go #180
Update auth.go #180
Conversation
Add Header WWW-Authenticate and removes http.BadRequest error
|
@raphaeljlps Don't you think bad request is still valid? Can we keep it and still make it working? |
|
@vishr I will take a closer look and see if I can make it work with the bad request, unfortunately I won't be able to do this today. |
|
and I will make the tests pass 👍 |
| } | ||
| } | ||
| } | ||
| } | ||
|
|
||
| c.Response().Header().Add("WWW-Authenticate", "Basic") |
There was a problem hiding this comment.
We would like header to be coming from a constant, look at echo.go. Same for "Basic". I see people also using realm, check on that too.
There was a problem hiding this comment.
I will do, thanks for the notes.
|
Okay @vishr I looked around and study the RFC a bit more and don't think we can maintain the BadRequest and make it work with it. I made the changes that you suggest about using the basic constant. |
|
About adding the realm, thats where I have a problem, don't know from where we will get the realm value, do you have any suggestions @vishr ? |
| @@ -12,13 +12,13 @@ type ( | |||
| ) | |||
|
|
|||
| const ( | |||
| Basic = "Basic" | |||
| Basic = "Basic" | |||
| WWWAuthenticate = "WWW-Authenticate" | |||
There was a problem hiding this comment.
This should be moved to echo.go while other header constants.
|
done @vishr |
|
Can you check if this works? |
|
I will take a look @vishr |
|
@vishr I'm getting unauthorized, but the browser is not asking for user/password |
|
@vishr I solved by the changing the location of the WWWAuthenticate header if len(auth) > l+1 && auth[:l] == Basic {
b, err := base64.StdEncoding.DecodeString(auth[l+1:])
if err == nil {
cred := string(b)
for i := 0; i < len(cred); i++ {
if cred[i] == ':' {
// Verify credentials
if fn(cred[:i], cred[i+1:]) {
return nil
}
}
}
}
}
c.Response().Header().Set(echo.WWWAuthenticate, Basic+" realm=Restricted")
return echo.NewHTTPError(http.StatusUnauthorized) |
|
That was it. I have changed in master. You can get the latest. |
|
it's working @vishr, thank you! |
Add Header WWW-Authenticate and removes http.BadRequest error
Hello guys, I was having a issue where when using the BasicAuth middleware, in the first request when the browser doesn't know that the URI is protected by Basic HTTP Auth scheme I was getting a Bad Request error, and the browser wasn't prompting me to put my User and Password.
So I look at the RFC 2617 and made these changes, now the browser knows that he needs to prompt the user asking his User and Password to resubmit the request.