Better HTTP status in basic auth middleware

Signed-off-by: Vishal Rana <vr@labstack.com>
2025-07-05 00:58:47 +02:00 · 2015-05-21 14:02:29 -07:00
parent 3fcf7a470d
commit cfd6d8b77f
3 changed files with 32 additions and 16 deletions
--- a/middleware/auth.go
+++ b/middleware/auth.go
@ -14,12 +14,16 @@ const (
 	Basic = "Basic"
 )

-// BasicAuth returns an HTTP basic authentication middleware.
+// BasicAuth returns an HTTP basic authentication middleware. For valid credentials
+// it calls the next handler in the chain.
+
+// For invalid Authorization header it sends "404 - Bad Request" response.
+// For invalid credentials, it sends "401 - Unauthorized" response.
 func BasicAuth(fn AuthFunc) echo.HandlerFunc {
 	return func(c *echo.Context) error {
 		auth := c.Request.Header.Get(echo.Authorization)
 		i := 0
-		he := echo.NewHTTPError(http.StatusUnauthorized)
+		code := http.StatusBadRequest

 		for ; i < len(auth); i++ {
 			c := auth[i]
@ -33,31 +37,32 @@ func BasicAuth(fn AuthFunc) echo.HandlerFunc {
 				// Ignore case
 				if i == 0 {
 					if c != Basic[i] && c != 'b' {
-						return he
+						break
 					}
 				} else {
 					if c != Basic[i] {
-						return he
+						break
 					}
 				}
 			} else {
 				// Extract credentials
 				b, err := base64.StdEncoding.DecodeString(auth[i:])
 				if err != nil {
-					return he
+					break
 				}
 				cred := string(b)
 				for i := 0; i < len(cred); i++ {
 					if cred[i] == ':' {
 						// Verify credentials
-						if !fn(cred[:i], cred[i+1:]) {
-							return he
+						if fn(cred[:i], cred[i+1:]) {
+							return nil
 						}
-						return nil
+						code = http.StatusUnauthorized
+						break
 					}
 				}
 			}
 		}
-		return he
+		return echo.NewHTTPError(code)
 	}
 }