laminas-api-tools / api-tools-skeleton

Skeleton Application for Laminas API Tools
https://api-tools.getlaminas.org/documentation
BSD 3-Clause "New" or "Revised" License

Wrong headers for non-authenticated users #16

Open weierophinney opened 4 years ago

weierophinney commented 4 years ago

Hello. If a non-authenticated user sends a request to a page that needs authorization, then he will get a 403 status (Forbidden). I think this behavior is incorrect, because he should get a 401 status (Unauthorized). It happened because of this fix https://github.com/zfcampus/zf-mvc-auth/issues/92 Here is this fix:

if (! $request->getHeader('Authorization', false)) {
    // No credentials were present at all, so we just return a guest identity.
    return new Identity\GuestIdentity();
}

I think that this fix is incorrect. I think we should check the authentication only if this method requires authorization, and we shouldn't check the Authorization header here.


Originally posted by @Redigast13 at https://github.com/zfcampus/zf-apigility-skeleton/issues/111

weierophinney commented 4 years ago

I believe you are right, and this is a duplicate of https://github.com/zfcampus/zf-mvc-auth/issues/97


Originally posted by @PowerKiKi at https://github.com/zfcampus/zf-apigility-skeleton/issues/111#issuecomment-142209289

weierophinney commented 4 years ago

You're right. My fix is even worse. It prevents challenging the client when needed...

...
'zf-mvc-auth' => [
    'authentication' => [
        'adapters' => [
            'http' => [
                // HTTP auth adapter configuration
            ],
            'whatever' => [
                // Whatever auth adapter configuration
            ],
        ],

        'map' => [
            'API/VERSION1' => 'basic',
            'API/VERSION2' => 'whatevertype',
        ],
    ],
]
...

Now, let's imagine the following scenario: A client requests the following URI /host.tld/API/VERSION1 (here, the matching authentication type is basic). No Authorization header is sent by the client.

Then, the following will occur in the default authentication listener:

At this point, if the mvc http adapter doesn't find the Authorization header, it will simply return a GuestIdentity. So, later on, the authorization listener will simply set a 403 status code if GuestIdentity is not allowed to access the resource.

I'll investigate and try to provide a patch.


Originally posted by @nuxwin at https://github.com/zfcampus/zf-apigility-skeleton/issues/111#issuecomment-166561005
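The scenario described in the thread, as an added illustration that is not code from api-tools-skeleton, api-tools-mvc-auth or any of the commenters: a decision function that separates "no credentials at all" (401 plus a WWW-Authenticate challenge, so the client learns it must authenticate) from "authenticated but not permitted" (403). The function name `decide`, the `AuthDecision` class, the `$authenticate`/`$isAllowed` callables and the sample users are all hypothetical and constructed for this example.

```php
<?php
// Added example (not project code): choosing between 401 and 403 for a protected route.
// Names here (AuthDecision, decide, $authenticate, $isAllowed) are hypothetical.

declare(strict_types=1);

final class AuthDecision
{
    public function __construct(
        public readonly int $status,
        public readonly array $headers = [],
    ) {}
}

/**
 * @param bool        $routeRequiresAuth   true if the matched route is not open to guests
 * @param string|null $authorizationHeader raw Authorization header value, null if absent
 * @param callable    $authenticate        fn(string $header): ?string, identity name or null
 * @param callable    $isAllowed           fn(string $identity): bool, the ACL check
 */
function decide(
    bool $routeRequiresAuth,
    ?string $authorizationHeader,
    callable $authenticate,
    callable $isAllowed,
    string $realm = 'api'
): AuthDecision {
    $challenge = ['WWW-Authenticate' => sprintf('Basic realm="%s"', $realm)];

    // Open routes never challenge: a missing header simply means a guest.
    if (! $routeRequiresAuth) {
        return new AuthDecision(200);
    }

    // Protected route, no credentials: this is the case the issue is about.
    // Returning a silent guest identity here ends in a 403 later; the client
    // must instead be challenged with 401 so it knows to send credentials.
    if ($authorizationHeader === null || $authorizationHeader === '') {
        return new AuthDecision(401, $challenge);
    }

    $identity = $authenticate($authorizationHeader);
    if ($identity === null) {
        // Credentials sent but invalid: still 401 with a challenge, so the client can retry.
        return new AuthDecision(401, $challenge);
    }

    // Authenticated but not permitted by the ACL: 403 is the correct answer here.
    if (! $isAllowed($identity)) {
        return new AuthDecision(403);
    }

    return new AuthDecision(200);
}

// Constructed sample data: two Basic credential pairs and an ACL that admits only "alice".
$users = ['alice' => 'secret', 'bob' => 'hunter2'];
$authenticate = function (string $header) use ($users): ?string {
    if (! str_starts_with($header, 'Basic ')) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || ! str_contains($decoded, ':')) {
        return null;
    }
    [$user, $pass] = explode(':', $decoded, 2);
    return (isset($users[$user]) && hash_equals($users[$user], $pass)) ? $user : null;
};
$isAllowed = fn (string $identity): bool => $identity === 'alice';

$cases = [
    'open route, no header'        => decide(false, null, $authenticate, $isAllowed),
    'protected, no header'         => decide(true, null, $authenticate, $isAllowed),
    'protected, bad password'      => decide(true, 'Basic ' . base64_encode('alice:wrong'), $authenticate, $isAllowed),
    'protected, bob (not in ACL)'  => decide(true, 'Basic ' . base64_encode('bob:hunter2'), $authenticate, $isAllowed),
    'protected, alice'             => decide(true, 'Basic ' . base64_encode('alice:secret'), $authenticate, $isAllowed),
];
foreach ($cases as $label => $decision) {
    printf("%-28s -> %d %s\n", $label, $decision->status, json_encode($decision->headers));
}
```

The point of the ordering is that the "no header" branch is evaluated only after the route is known to require authentication, which is what the first comment in the thread asks for: open routes still get a guest identity, while protected routes challenge instead of silently downgrading the client to a guest and later refusing it with 403.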