This repository has been archived by the owner on Jan 21, 2020. It is now read-only.

Wrong headers for non-authenticated users #111

Open
Redigast13 opened this issue Aug 16, 2015 · 3 comments

Comments

@Redigast13

Hello
If a non-authenticated user sends a request to a page that needs authorization, then he will get a 403 status (Forbidden). I think this behavior is incorrect, because he should get a 401 status (Unauthorized).
It happened because of this fix: zfcampus/zf-mvc-auth#92
Here is this fix:

```php
if (! $request->getHeader('Authorization', false)) {
    // No credentials were present at all, so we just return a guest identity.
    return new Identity\GuestIdentity();
}
```

I think that this fix is incorrect. I think we should check authentication only if the method requires authorization, and we shouldn't check the Authorization header here.

@PowerKiKi

I believe you are right, and this is a duplicate of zfcampus/zf-mvc-auth#97

@nuxwin

nuxwin commented Dec 22, 2015

You're right. My fix is even worse. It prevents the client from being challenged when needed...

```php
...
'zf-mvc-auth' => [
    'authentication' => [

        'adapters' => [
            'http' => [
                // HTTP auth adapter configuration
            ],
            'whatever' => [
                // Whatever auth adapter configuration
            ],
        ],

        'map' => [
            'API/VERSION1' => 'basic',
            'API/VERSION2' => 'whatevertype',
        ],
    ],
],
...
```

Now, let's imagine the following scenario: a client requests the following URI /host.tld/API/VERSION1 (here, the matching authentication type is basic). No Authorization header is sent by the client.

Then, the following will occur in the default authentication listener:

  • getTypeFromRequest() will not be called (we already have an authentication type, which is basic)
  • pre-flight auth tasks will not be called on the auth adapter. In that case, this implies that the client will not be challenged (no 401 status code, nor WWW-Authenticate header)
  • the authenticate() method on the MVC authentication adapter will be called (that adapter matches the 'basic' authentication type)

At this point, if the MVC HTTP adapter doesn't find the Authorization header, it will simply return a GuestIdentity. So, later on, the authorization listener will simply set a 403 status code if GuestIdentity is not allowed to access the resource.

I'll investigate and try to provide a patch.
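As an added illustration (this is not code from zf-mvc-auth nor from any commenter; the class, function, route and realm names are assumptions made up for this example), here is a minimal model of the two behaviours discussed in this thread: an adapter that, like the quoted fix, returns a guest identity when no Authorization header is present, followed by an authorization step that either answers 403 with no challenge (the behaviour the issue reports) or answers 401 with a WWW-Authenticate header (what RFC 7235 expects when a protected resource is requested with missing or invalid credentials; 403 is reserved for an authenticated identity that lacks permission).

```php
<?php
// Added example, not project code. All names below are hypothetical.
declare(strict_types=1);

final class GuestIdentity {}
final class AuthenticatedIdentity
{
    public function __construct(public readonly string $name) {}
}

final class Request
{
    /** @var array<string,string> header names normalised to lower case */
    private array $headers;

    /** @param array<string,string> $headers */
    public function __construct(public readonly string $path, array $headers = [])
    {
        $this->headers = array_change_key_case($headers, CASE_LOWER);
    }

    public function getHeader(string $name): ?string
    {
        return $this->headers[strtolower($name)] ?? null;
    }
}

final class Response
{
    public int $status = 200;
    /** @var array<string,string> */
    public array $headers = [];
}

// Constructed credential store for the example only (real code would store password hashes).
const USERS = ['alice' => 'secret'];

// Route prefixes that require an authenticated identity (constructed for the example).
const PROTECTED_PREFIXES = ['/API/VERSION1'];

function requiresAuth(string $path): bool
{
    foreach (PROTECTED_PREFIXES as $prefix) {
        if (str_starts_with($path, $prefix)) {
            return true;
        }
    }
    return false;
}

/** Basic-auth adapter: mirrors the quoted fix by returning a guest when no credentials are sent. */
function authenticate(Request $request): GuestIdentity|AuthenticatedIdentity
{
    $header = $request->getHeader('Authorization');
    if ($header === null || !str_starts_with($header, 'Basic ')) {
        return new GuestIdentity();
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || !str_contains($decoded, ':')) {
        return new GuestIdentity();
    }
    [$user, $pass] = explode(':', $decoded, 2);
    if (isset(USERS[$user]) && hash_equals(USERS[$user], $pass)) {
        return new AuthenticatedIdentity($user);
    }
    return new GuestIdentity();
}

/** Behaviour reported in the issue: a guest on a protected route gets 403 and no challenge. */
function authorizeBroken(Request $request, object $identity): Response
{
    $response = new Response();
    if (requiresAuth($request->path) && $identity instanceof GuestIdentity) {
        $response->status = 403;
    }
    return $response;
}

/** Corrected behaviour: a guest on a protected route is challenged with 401 + WWW-Authenticate. */
function authorizeFixed(Request $request, object $identity): Response
{
    $response = new Response();
    if (requiresAuth($request->path) && $identity instanceof GuestIdentity) {
        $response->status = 401;
        $response->headers['WWW-Authenticate'] = 'Basic realm="api"';
    }
    return $response;
}

// Walk through the scenario from the comment above: no Authorization header on /API/VERSION1.
$anonymous = new Request('/API/VERSION1/items');
$broken = authorizeBroken($anonymous, authenticate($anonymous));
$fixed  = authorizeFixed($anonymous, authenticate($anonymous));
printf("broken: %d (challenge: %s)\n", $broken->status, $broken->headers['WWW-Authenticate'] ?? 'none');
printf("fixed:  %d (challenge: %s)\n", $fixed->status, $fixed->headers['WWW-Authenticate'] ?? 'none');

// With valid credentials the corrected listener lets the request through.
$alice = new Request('/API/VERSION1/items', ['Authorization' => 'Basic ' . base64_encode('alice:secret')]);
printf("alice:  %d\n", authorizeFixed($alice, authenticate($alice))->status);
```

Running this prints 403 with no challenge for the broken listener, 401 with `WWW-Authenticate: Basic realm="api"` for the corrected one, and 200 for alice. The practical consequence of the 403 path is the one nuxwin describes: a browser or HTTP client that relies on the challenge never learns which scheme to use and so never retries with credentials.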

@weierophinney
Member

This repository has been closed and moved to laminas-api-tools/api-tools-skeleton; a new issue has been opened at laminas-api-tools/api-tools-skeleton#16.
