No WWW-authenticate response header for HTTP PUT API requests

[martinrotter]

IMPORTANT

Read and tick the following checkbox after you have created the issue or place an x inside the brackets ;)

• [x] I have read the CONTRIBUTING.md and followed the provided tips

  Explain the Problem

When someone sends /items/star/multiple request without BASIC auth credentials, HTTP 401 response does not contain WWW-authenticate header.

Steps to Reproduce

Explain what you did to encounter the issue

1. Send API request (for example via CURL).
2. Check HTTP answer.
3. No WWW-authenticate header inside the answer.

This is not standard behavior. Server should always indicate which method of authentication it expects when authentication fails and 401 is returned. This literally breaks some existing libraries - for example Qt Network stack, where you have to explicitly append Authentication header and not to wait for server's answer. All API calls must return WWW-authenticate header when HTTP/401 response is returned.

From standard RFC 1945:

401 Unauthorized

The request requires user authentication. The response must include a WWW-Authenticate header field (Section 10.16) containing.......

System Information

• News app version: 7.2 (do not remember exactly)
• ownCloud version: 8.2
• PHP version: 5.5
• Database and version:
• Browser and version: curl
• Distribution and version: Ubuntu 14.04 (official ownCloud virtual image)

  Contents of owncloud/data/owncloud.log

Nope.

Contents of Browser Error Console

Read http://ggnome.com/wiki/Using_The_Browser_Error_Console if you are unsure what to put here

Nope.

[BernhardPosselt]

@LukasReschke can we fix this in core?

[BernhardPosselt]

Right, solution should be to add this header if an @CORS annotation is found (since we don't have a generic api interface yet)

@martinrotter can you reopen and link this issue in core? Thanks!

[martinrotter]

Okay, I will.

[martinrotter]

https://github.com/owncloud/core/issues/22666