coupergateway / couper

Couper is a lightweight API gateway designed to support developers in building and operating API-driven Web projects
https://couper.io
MIT License

Basic Auth: WWW-Authenticate `realm` param value must be quoted string #714

Closed johakoch closed 1 year ago

johakoch commented 1 year ago

https://datatracker.ietf.org/doc/html/rfc2617#section-1.2:

  realm       = "realm" "=" realm-value
  realm-value = quoted-string

https://datatracker.ietf.org/doc/html/rfc7235#section-2.2:

For historical reasons, a sender MUST only generate the quoted-string syntax.

However, Couper doesn't send the realm in quotes:

  basic_auth "ba" {
    password = "asdf"
    realm = "my realm"
  }

  $ curl -si localhost:8080/
  HTTP/1.1 401 Unauthorized
  ...
  Www-Authenticate: Basic realm=my realm

config/ac_basic_auth.go:

func (b *BasicAuth) DefaultErrorHandler() *ErrorHandler {
    wwwAuthenticateValue := "Basic"
    if b.Realm != "" {
        wwwAuthenticateValue += " realm=" + b.Realm
    }
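
An added example (not code from this issue or from Couper): one way to emit the realm as a quoted-string, sending `"` and `\` as quoted-pairs and rejecting control characters such as CR/LF. `quoteString` and `basicChallenge` are hypothetical names, and the sample realms in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// quoteString renders s as an RFC 7230 quoted-string: DQUOTE, then the text
// with '"' and '\' sent as quoted-pairs, then DQUOTE. Control characters
// other than HTAB are rejected because they are not valid in a header value.
func quoteString(s string) (string, error) {
	var b strings.Builder
	b.WriteByte('"')
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '"' || c == '\\':
			b.WriteByte('\\')
			b.WriteByte(c)
		case c == '\t' || (c >= 0x20 && c != 0x7f):
			b.WriteByte(c)
		default:
			return "", errors.New("realm contains a control character")
		}
	}
	b.WriteByte('"')
	return b.String(), nil
}

// basicChallenge is a hypothetical helper (not Couper's function) that
// builds the WWW-Authenticate value for the Basic scheme.
func basicChallenge(realm string) (string, error) {
	if realm == "" {
		return "Basic", nil
	}
	q, err := quoteString(realm)
	if err != nil {
		return "", err
	}
	return "Basic realm=" + q, nil
}

func main() {
	// Constructed sample realms: plain, containing quotes, containing CR/LF.
	for _, realm := range []string{"my realm", `say "hi"`, "a\r\nX-Injected: 1"} {
		v, err := basicChallenge(realm)
		fmt.Printf("%q -> %q (err: %v)\n", realm, v, err)
	}
}
```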