diff --git a/CHANGES.rst b/CHANGES.rst
index 3c018a40..676e58b1 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -11,6 +11,12 @@ Changes
 Features / Changes
 ~~~~~~~~~~~~~~~~~~~~~
+* n/a
+
+Bug Fixes
+~~~~~~~~~~~~~~~~~~~~~
+* Fix returned headers in ``401 Unauthenticated`` response which did not properly employ ``Authentication-Control``
+ header to return the ``location-when-unauthenticated`` parameter instead of returning it directly as invalid header.
 * Add `API` endpoint ``GET /services/{service_name}/resources/{resource_id}`` similar to existing endpoint ``GET /resources/{resource_id}`` allowing retrieval of a `Resource` details with prior validation that it lies under the referenced `Service`
diff --git a/magpie/utils.py b/magpie/utils.py
index e44ceb35..e3b7bca3 100644
--- a/magpie/utils.py
+++ b/magpie/utils.py
@@ -629,11 +629,18 @@ def get_authenticate_headers(request, error_type="invalid_token"):
 # WWW-Authenticate: challenge-1 [realm="<>" title="<>" ...],
 # challenge-2 [...], ...
 # provide URL with both 'domain' and 'uri' which are two variants that can exist, depending on implementation
- "WWW-Authenticate": ("Cookie cookie-name=\"{c}\" error=\"{e}\" title=\"{t}\" " "domain=\"{u}\" uri=\"{u}\" realm=\"{r}\" " .format(c=cookie_name, e=error_type, u=signin_url, r=hostname, t=title)),
+ "WWW-Authenticate": ( "Cookie cookie-name=\"{c}\" error=\"{e}\" title=\"{t}\" domain=\"{u}\" uri=\"{u}\" realm=\"{r}\" ".format( c=cookie_name, e=error_type, u=signin_url, r=hostname, t=title ) ),
+ # https://tools.ietf.org/html/rfc8053#section-4
 # https://tools.ietf.org/html/rfc8053#section-4.3
- "Location-When-Unauthenticated": login_url,
+ "Authentication-Control": ( "Cookie cookie-name=\"{c}\" realm=\"{r}\" location-when-unauthenticated=\"{u}\"".format( c=cookie_name, r=hostname, u=login_url ) ),
 }
 return headers
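Review bot: Both new header values interpolate `cookie_name`, `title`, `signin_url`, `hostname` and `login_url` into quoted-string parameters without escaping, so a `"` or `\` in any of them (where `hostname` and `title` come from is outside this hunk, so whether they are request- or config-derived cannot be confirmed here) breaks the RFC 7235 quoted-string grammar, terminates the parameter early and lets the remainder be parsed as further challenge parameters of `WWW-Authenticate` or `Authentication-Control`. A small helper applied to every dynamic argument in both `.format` calls closes this: `def _hdr_quote(value): return str(value).replace("\\", "\\\\").replace('"', '\\"')` and then `c=_hdr_quote(cookie_name), e=error_type, u=_hdr_quote(signin_url), r=_hdr_quote(hostname), t=_hdr_quote(title)` (a CR or LF in a value should be rejected outright rather than escaped, since it would otherwise split the header line). The two bare `# https://tools.ietf.org/html/rfc8053...` comments would read better with one explanatory line, e.g. `# RFC 8053: the login URL travels as the 'location-when-unauthenticated' parameter of Authentication-Control, not as a header of its own`. The enclosing `get_authenticate_headers` starts before this hunk, and the continuation lines of the multi-line values appear without their `+`/`-` markers in this view.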