Gleipnir/nidus-sync
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Don't send www-authenticate to well-behaved browsers

Browse source 
Had to make a special case for EventSource on the browser via the
accepts header. This prevents the browser from doing a login window so
we can show them the nice login page.
This commit is contained in:
Eli Ribble 2026-04-16 16:01:45 +00:00
parent 7b95cfe833
commit 08a1b5b81d
No known key found for this signature in database
1 changed files with 22 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

41
auth/auth.go
View file

@ -103,31 +103,34 @@ func NewEnsureAuth(handlerToWrap AuthenticatedHandler) *EnsureAuth {
func (ea *EnsureAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// If this is an API request respond with a more machine-readable error state
accept := r.Header.Values("Accept")
offers := []string{"application/json", "text/html"}
accept := r.Header.Get("Accept")
/*
offers := []string{"application/json", "text/html"}
content_type := NegotiateContent(accept, offers)
content_type := NegotiateContent(accept, offers)
*/
user, err := GetAuthenticatedUser(r)
if err != nil || user == nil {
var msg []byte
// Separate return codes for different authentication failures
if _, ok := err.(*NoCredentialsError); ok {
log.Info().Msg("No credentials present and no session")
w.Header().Set("WWW-Authenticate-Error", "no-credentials")
msg = []byte("Please provide credentials.\n")
} else if _, ok := err.(*platform.NoUserError); ok {
w.Header().Set("WWW-Authenticate-Error", "invalid-credentials")
msg = []byte("Invalid credentials provided.\n")
} else if _, ok := err.(*InvalidCredentials); ok {
w.Header().Set("WWW-Authenticate-Error", "invalid-credentials")
msg = []byte("Invalid credentials provided.\n")
// Don't send authentication headers for browsers because it forces the authentication popup
requested_with := r.Header.Get("X-Requested-With")
//log.Debug().Str("x-requested-with", requested_with).Send()
if !(strings.HasPrefix(requested_with, "nidus-web") || accept == "text/event-stream") {
w.Header().Set("WWW-Authenticate", `Basic realm="Nidus Sync"`)
// Separate return codes for different authentication failures
if _, ok := err.(*NoCredentialsError); ok {
log.Info().Msg("No credentials present and no session")
w.Header().Set("WWW-Authenticate-Error", "no-credentials")
msg = []byte("Please provide credentials.\n")
} else if _, ok := err.(*platform.NoUserError); ok {
w.Header().Set("WWW-Authenticate-Error", "invalid-credentials")
msg = []byte("Invalid credentials provided.\n")
} else if _, ok := err.(*InvalidCredentials); ok {
w.Header().Set("WWW-Authenticate-Error", "invalid-credentials")
msg = []byte("Invalid credentials provided.\n")
}
}
if content_type == "text/html" {
http.Redirect(w, r, "/signin?next="+r.URL.Path, http.StatusSeeOther)
return
}
w.Header().Set("WWW-Authenticate", `Basic realm="Nidus Sync"`)
w.WriteHeader(401)
w.Write(msg)
return