Fixed basic auth to return 401 for error cases

Signed-off-by: Vishal Rana <vr@labstack.com>

middleware/basic_auth.go

@@ -2,7 +2,6 @@ package middleware
 
 import (
 	"encoding/base64"
-	"net/http"
 
 	"github.com/labstack/echo"
 )
@@ -58,12 +57,12 @@ func BasicAuthWithConfig(config BasicAuthConfig) echo.MiddlewareFunc {
 						if config.Validator(cred[:i], cred[i+1:]) {
 							return next(c)
 						}
-						c.Response().Header().Set(echo.HeaderWWWAuthenticate, basic+" realm=Restricted")
-						return echo.ErrUnauthorized
 					}
 				}
 			}
-			return echo.NewHTTPError(http.StatusBadRequest, "invalid basic-auth authorization header="+auth)
+			// Need to return `401` for browsers to pop-up login box.
+			c.Response().Header().Set(echo.HeaderWWWAuthenticate, basic+" realm=Restricted")
+			return echo.ErrUnauthorized
 		}
 	}
 }

middleware/basic_auth_test.go

@@ -40,11 +40,11 @@ func TestBasicAuth(t *testing.T) {
 	// Empty Authorization header
 	req.Header().Set(echo.HeaderAuthorization, "")
 	he = h(c).(*echo.HTTPError)
-	assert.Equal(t, http.StatusBadRequest, he.Code)
+	assert.Equal(t, http.StatusUnauthorized, he.Code)
 
 	// Invalid Authorization header
 	auth = base64.StdEncoding.EncodeToString([]byte("invalid"))
 	req.Header().Set(echo.HeaderAuthorization, auth)
 	he = h(c).(*echo.HTTPError)
-	assert.Equal(t, http.StatusBadRequest, he.Code)
+	assert.Equal(t, http.StatusUnauthorized, he.Code)
 }

middleware/jwt_auth.go

@@ -114,7 +114,7 @@ func JWTFromHeader(c echo.Context) (string, error) {
 	if len(auth) > l+1 && auth[:l] == bearer {
 		return auth[l+1:], nil
 	}
-	return "", echo.NewHTTPError(http.StatusBadRequest, "invalid jwt authorization header="+auth)
+	return "", echo.NewHTTPError(http.StatusBadRequest, "empty or invalid authorization header="+auth)
 }
 
 // JWTFromQuery returns a `JWTExtractor` that extracts token from the provided query