From 9e6ef6f237830046f2d60613cb10a20120ded1da Mon Sep 17 00:00:00 2001
From: Michalis Kargakis
Date: Sat, 29 Sep 2018 09:28:25 +0200
Subject: [PATCH] Conform auth check to rfc2616 (#1607)

According to rfc2616[1], the response from a server to a request with bad credentials should be a 401 instead of a 403. Grin does not have the concept of identities so it does not actually recognize a user request with bad credentials.

[1] https://tools.ietf.org/html/rfc2616#section-10.4.2
---
 api/src/auth.rs | 19 ++++--------------
 1 file changed, 4 insertions(+), 15 deletions(-)

diff --git a/api/src/auth.rs b/api/src/auth.rs
index 3531ddd9a..2e2cfb336 100644
--- a/api/src/auth.rs
+++ b/api/src/auth.rs
@@ -38,13 +38,10 @@ impl Handler for BasicAuthMiddleware {
 req: Request,
 mut handlers: Box>,
 ) -> ResponseFuture {
- if req.headers().contains_key(AUTHORIZATION) {
- if req.headers()[AUTHORIZATION] == self.api_basic_auth {
- handlers.next().unwrap().call(req, handlers)
- } else {
- // Forbidden 403
- forbidden_response()
- }
+ if req.headers().contains_key(AUTHORIZATION)
+ && req.headers()[AUTHORIZATION] == self.api_basic_auth
+ {
+ handlers.next().unwrap().call(req, handlers)
 } else {
 // Unauthorized 401
 unauthorized_response(&self.basic_realm)
@@ -62,11 +59,3 @@ fn unauthorized_response(basic_realm: &str) -> ResponseFuture {
 .unwrap();
 Box::new(ok(response))
 }
-
-fn forbidden_response() -> ResponseFuture {
- let response = Response::builder()
- .status(StatusCode::FORBIDDEN)
- .body(Body::empty())
- .unwrap();
- Box::new(ok(response))
-}
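Review bot: The credential check on the added `&& req.headers()[AUTHORIZATION] == self.api_basic_auth` line still compares the presented `Authorization` value with the configured secret using plain `==`, which short-circuits on the first differing byte; since the whole point of this middleware is to gate on that secret, a constant-time comparison (e.g. from the `ring` or `subtle` crates, if one is already a dependency) would be the safer choice, and the commit does not change this. The `contains_key` guard followed by indexing also does two lookups and keeps a panic path that `get` avoids; a single `let authorized = req.headers().get(AUTHORIZATION).map_or(false, |v| *v == self.api_basic_auth);` (assuming `self.api_basic_auth` compares with `HeaderValue` as it does today — confirm) expresses the same condition without the index. It would also be worth a one-line comment on the `else` branch stating that a missing and a wrong header are deliberately indistinguishable to the client, since that is the rationale given in the commit message, e.g. `// Missing and bad credentials both get 401; the realm challenge tells the client to (re)authenticate.` The enclosing `handle` method begins before this hunk, so the rest of its signature is not visible here.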