heroiclabs / nakama

Distributed server for social and realtime games and apps.
https://heroiclabs.com
Apache License 2.0

Unauthenticated REST response contains invalid `WWW-Authenticate` header #1264

Open blaugold opened 1 month ago

blaugold commented 1 month ago

Description

Unauthenticated REST responses contain an invalid `WWW-Authenticate` header. This is a problem for HTTP clients that implement the general HTTP authentication framework. In my case, Dart's `HttpClient` chokes on the invalid header value and throws an exception instead of continuing to process the response.

Steps to Reproduce

  1. Start a nakama instance
  2. Make an unauthenticated request against the REST API: `curl -v -X POST localhost:7350/v2/session/logout`

Expected Result

The response should either contain no `WWW-Authenticate` header, or one that adheres to the specification, e.g. `Basic realm=<realm>`.

Actual Result

```
curl -v -X POST localhost:7350/v2/session/logout

* Host localhost:7350 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:7350...
* Connected to localhost (::1) port 7350
> POST /v2/session/logout HTTP/1.1
> Host: localhost:7350
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 401 Unauthorized
< Cache-Control: no-store, no-cache, must-revalidate
< Content-Type: application/json
< Vary: Accept-Encoding
< Www-Authenticate: Auth token required
< Date: Wed, 14 Aug 2024 16:26:10 GMT
< Content-Length: 44
< 
* Connection #0 to host localhost left intact
{"code":16, "message":"Auth token required"}%
```

Your Environment

linear[bot] commented 1 month ago

NK-590 Unauthenticated REST response contains invalid `WWW-Authenticate` header
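
The following is an added example, not part of the issue and not Nakama's code: a Go check of a `WWW-Authenticate` value against the challenge grammar of RFC 9110 section 11, showing why `Auth token required` from the trace above is rejected by strict clients. It assumes one challenge per header value and ignores empty list elements; `ValidChallenge`, `InvalidChallenges` and the realm `nakama` are names made up for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Grammar from RFC 9110: token (5.6.2), token68 and auth-param (11.2).
const (
	token = "[!#$%&'*+.^_`|~0-9A-Za-z-]+"
	param = token + `[ \t]*=[ \t]*(?:` + token + `|"(?:[^"\\]|\\.)*")`
)

var (
	schemeRe  = regexp.MustCompile("^" + token + "$")
	token68Re = regexp.MustCompile(`^[A-Za-z0-9._~+/-]+=*$`)
	paramsRe  = regexp.MustCompile("^" + param + `(?:[ \t]*,[ \t]*` + param + `)*$`)
)

// ValidChallenge reports whether v is one well-formed challenge:
// auth-scheme [ 1*SP ( token68 / comma-separated auth-params ) ].
func ValidChallenge(v string) bool {
	scheme, rest, _ := strings.Cut(strings.TrimSpace(v), " ")
	if !schemeRe.MatchString(scheme) {
		return false
	}
	rest = strings.Trim(rest, " \t")
	return rest == "" || token68Re.MatchString(rest) || paramsRe.MatchString(rest)
}

// InvalidChallenges returns the WWW-Authenticate values in h that fail the check.
func InvalidChallenges(h http.Header) []string {
	var bad []string
	for _, v := range h.Values("WWW-Authenticate") { // lookup is case-insensitive
		if !ValidChallenge(v) {
			bad = append(bad, v)
		}
	}
	return bad
}

func main() {
	// Header value taken from the curl trace; the Basic challenge is a constructed sample.
	h := http.Header{}
	h.Set("Www-Authenticate", "Auth token required")
	fmt.Println(InvalidChallenges(h), ValidChallenge(`Basic realm="nakama"`))
}
```

In `Auth token required`, `Auth` parses as a scheme and `token` could be a token68, but the trailing ` required` fits neither a token68 nor an auth-param, so the value as a whole is malformed.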