shaj13 / go-guardian

Go-Guardian is a golang library that provides a simple, clean, and idiomatic way to create powerful modern API and web authentication.
MIT License

When Basic authentication fails, the `WWW-Authenticate` header is not returned #33

Closed gczobel-f5 closed 4 years ago

gczobel-f5 commented 4 years ago

Based on https://tools.ietf.org/html/rfc7235#section-4.1, when 401 is returned the WWW-Authenticate header must be in the response.

https://tools.ietf.org/html/rfc7235#section-3.1 "containing at least one challenge applicable to the target resource"

shaj13 commented 4 years ago

@gczobel-f5 FYI, the library does not respond to the end user and must sit behind the scenes as an authentication daemon, since it does not mount any routes/routers.

There is a plan to expose a function under the auth pkg to set the appropriate HTTP header based on passed args in the next release. Right now the library only sets `WWW-Authenticate` for the digest strategy, and it must be invoked by your application code.

Keep this open for tracking the progress.
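The behaviour discussed in this thread, shown as an added example that is not part of the issue and is not go-guardian code: application-side `net/http` middleware that attaches the Basic challenge to every 401. `checkCredentials`, `requireBasic`, `probe`, the realm and the credentials are hypothetical, constructed for illustration; `checkCredentials` stands in for whatever authentication call the application makes.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// checkCredentials is a hypothetical stand-in for the application's
// authentication call; the expected credentials are constructed samples.
func checkCredentials(user, pass string) bool {
	got := sha256.Sum256([]byte(user + "\x00" + pass))
	want := sha256.Sum256([]byte("admin\x00constructed-sample-password"))
	return subtle.ConstantTimeCompare(got[:], want[:]) == 1
}

// requireBasic wraps next; on missing or wrong credentials it answers 401
// with the challenge RFC 7235 asks for. %q double-quotes the realm and
// escapes embedded quotes.
func requireBasic(realm string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if !ok || !checkCredentials(user, pass) {
			w.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=%q", realm))
			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one request through the middleware (no Authorization header
// when user is empty) and returns the status code and challenge header.
func probe(user, pass string) (int, string) {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") })
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	requireBasic("restricted", ok).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("WWW-Authenticate")
}

func main() {
	fmt.Println(probe("", ""))
	fmt.Println(probe("admin", "constructed-sample-password"))
}
```

The header must be set before `http.Error` writes the status line; headers added after the first write are silently dropped by `net/http`.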