From 5859deea7e2aaaa7a55bdd3d4c2d77ef961b8025 Mon Sep 17 00:00:00 2001
From: Dave Collins
Date: Thu, 23 Jan 2014 11:25:09 -0600
Subject: [PATCH] Improve RPC authentication failure responses.

This commit improves how the legacy RPC server responds to authentication failures so things like web browsers can react better.

The following changes have been made:

First, authentication failures were only printing the 401 error response in the body instead of setting the http status code. This means the response had a 200 OK header with a body of 401 Unauthorized. Therefore the client would think everything was ok, but see the response as malformed JSON.

Second, the spec for 401 Unauthorized responses state they must include a WWW-Authenticate header to instruct the client how to authenticate. Without this, browsers won't prompt the user for credentials.
---
 rpcserver.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rpcserver.go b/rpcserver.go
index fc874992..dcacd28f 100644
--- a/rpcserver.go
+++ b/rpcserver.go
@@ -337,7 +337,8 @@ func newRPCServer(listenAddrs []string, s *server) (*rpcServer, error) {
 // jsonAuthFail sends a message back to the client if the http auth is rejected.
 func jsonAuthFail(w http.ResponseWriter, r *http.Request, s *rpcServer) {
- fmt.Fprint(w, "401 Unauthorized.\n")
+ w.Header().Add("WWW-Authenticate", `Basic realm="btcd RPC"`)
+ http.Error(w, "401 Unauthorized.", http.StatusUnauthorized)
 }
 // jsonRPCRead is the RPC wrapper around the jsonRead function to handle reading
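Review bot: jsonAuthFail still takes `r` and `s` but the rewritten body uses neither, so a rejected authentication attempt leaves no record of who was rejected; one log line keyed on `r.RemoteAddr`, through whatever logger the server already uses, would let an operator notice repeated failures against the RPC port. `WWW-Authenticate` is a single challenge here, so `w.Header().Set("WWW-Authenticate", `Basic realm="btcd RPC"`)` states the intent more precisely than `Add`, which would append a second challenge if one were already present. http.Error also fixes the body as text/plain rather than a JSON-RPC error object, which is a reasonable choice for browsers but worth stating in the doc comment, e.g. `// jsonAuthFail answers a rejected HTTP auth with a plain-text 401 and a Basic challenge so browsers prompt for credentials; the body is deliberately not JSON-RPC.` The function is complete within the hunk, but its caller is not visible, so confirm that it returns immediately after jsonAuthFail and writes nothing further to w.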