Conform auth check to rfc2616 (#1607)

According to rfc2616[1], the response from a server to a request with bad credentials should be a 401 instead of a 403. Grin does not have the concept of identities so it does not actually recognize a user request with bad credentials. [1] https://tools.ietf.org/html/rfc2616#section-10.4.2
2025-01-21 03:21:08 +03:00 · 2018-09-29 09:28:25 +02:00 · 2018-09-29 09:28:25 +02:00 · 9e6ef6f237
commit 9e6ef6f237
parent 2cad812b29
1 changed files with 4 additions and 15 deletions
--- a/api/src/auth.rs
+++ b/api/src/auth.rs
@ -38,13 +38,10 @@ impl Handler for BasicAuthMiddleware {
 		req: Request<Body>,
 		mut handlers: Box<Iterator<Item = HandlerObj>>,
 	) -> ResponseFuture {
-		if req.headers().contains_key(AUTHORIZATION) {
-			if req.headers()[AUTHORIZATION] == self.api_basic_auth {
-				handlers.next().unwrap().call(req, handlers)
-			} else {
-				// Forbidden 403
-				forbidden_response()
-			}
+		if req.headers().contains_key(AUTHORIZATION)
+			&& req.headers()[AUTHORIZATION] == self.api_basic_auth
+		{
+			handlers.next().unwrap().call(req, handlers)
 		} else {
 			// Unauthorized 401
 			unauthorized_response(&self.basic_realm)
@ -62,11 +59,3 @@ fn unauthorized_response(basic_realm: &str) -> ResponseFuture {
 		.unwrap();
 	Box::new(ok(response))
 }
-
-fn forbidden_response() -> ResponseFuture {
-	let response = Response::builder()
-		.status(StatusCode::FORBIDDEN)
-		.body(Body::empty())
-		.unwrap();
-	Box::new(ok(response))
-}