Improve RPC authentication failure responses.

This commit improves how the legacy RPC server responds to authentication
failures so things like web browsers can react better.  The following
changes have been made:

First, authentication failures were only printing the 401 error response
in the body instead of setting the http status code.  This means the
response had a 200 OK header with a body of 401 Unauthorized.  Therefore
the client would think everything was ok, but see the response as
malformed JSON.

Second, the spec for 401 Unauthorized responses state they must include a
WWW-Authenticate header to instruct the client how to authenticate.
Without this, browsers won't prompt the user for credentials.
This commit is contained in:
Dave Collins 2014-01-23 11:25:09 -06:00
parent 8f43dc758e
commit 5859deea7e

View file

@ -337,7 +337,8 @@ func newRPCServer(listenAddrs []string, s *server) (*rpcServer, error) {
// jsonAuthFail sends a message back to the client if the http auth is rejected.
func jsonAuthFail(w http.ResponseWriter, r *http.Request, s *rpcServer) {
fmt.Fprint(w, "401 Unauthorized.\n")
w.Header().Add("WWW-Authenticate", `Basic realm="btcd RPC"`)
http.Error(w, "401 Unauthorized.", http.StatusUnauthorized)
}
// jsonRPCRead is the RPC wrapper around the jsonRead function to handle reading