GET / with an Authorization header should fail if it's not valid

This commit is contained in:
Jordan Dominion
2023-11-02 23:00:46 -04:00
parent fb1aee74a1
commit d851df8276
3 changed files with 18 additions and 2 deletions
@@ -1,4 +1,4 @@
using System;
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
@@ -191,6 +191,12 @@ namespace Tgstation.Server.Host.Controllers
/// <returns>A <see cref="NotFoundObjectResult"/> with an appropriate <see cref="ErrorMessageResponse"/>.</returns>
protected new NotFoundObjectResult NotFound() => NotFound(new ErrorMessageResponse(ErrorCode.ResourceNeverPresent));
/// <summary>
/// Generic 401 response.
/// </summary>
/// <returns>An <see cref="ObjectResult"/> with <see cref="HttpStatusCode.NotFound"/>.</returns>
protected new ObjectResult Unauthorized() => this.StatusCode(HttpStatusCode.Unauthorized, null);
/// <summary>
/// Generic 501 response.
/// </summary>
@@ -1,4 +1,4 @@
using System;
using System;
using System.Linq;
using System.Net;
using System.Threading;
@@ -164,6 +164,8 @@ namespace Tgstation.Server.Host.Controllers
HeaderNames.Vary,
new StringValues(ApiHeaders.ApiVersionHeader));
// if they tried to authenticate in any form and failed, let them know immediately
bool failIfUnauthed;
if (ApiHeaders == null)
{
if (controlPanelConfiguration.Enable && !Request.Headers.TryGetValue(ApiHeaders.ApiVersionHeader, out _))
@@ -190,7 +192,14 @@ namespace Tgstation.Server.Host.Controllers
{
return HeadersIssue(ex);
}
failIfUnauthed = Request.Headers.Authorization.Any();
}
else
failIfUnauthed = ApiHeaders.Token != null;
if (failIfUnauthed && !AuthenticationContext.Valid)
return Unauthorized();
return Json(new ServerInformationResponse
{
@@ -210,6 +210,7 @@ namespace Tgstation.Server.Tests.Live
var badClient = clientFactory.CreateFromToken(serverClient.Url, newToken);
await ApiAssert.ThrowsException<UnauthorizedException, AdministrationResponse>(() => badClient.Administration.Read(cancellationToken));
await ApiAssert.ThrowsException<UnauthorizedException, ServerInformationResponse>(() => badClient.ServerInformation(cancellationToken));
}
static async Task TestOAuthFails(IServerClient serverClient, CancellationToken cancellationToken)