Defect #44165 » Do-not-send-Basic-authentication-challenge-when-API-key-authentication-fails.patch

Go MAEDA, 2026-06-12 11:21


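--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -291,7 +291,11 @@
         end
         format.api do
           if Setting.rest_api_enabled? && accept_api_auth?
-            head(:unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"')
+            if api_key_from_request
+              head(:unauthorized)
+            else
+              head(:unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"')
+            end
           else
             head(:forbidden)
           end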
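Review bot: The new `head(:unauthorized)` branch on the API-key path returns a 401 with no WWW-Authenticate header, which RFC 7235 §3.1 requires on every 401, and nothing in the hunk records why that deviation is intended, so a later maintainer may "fix" it back. A why-comment above the inner `if` would settle it, e.g. `# A request that carried an API key (key= parameter or X-Redmine-API-Key header) is not a Basic-auth client, so a failed key gets a bare 401 rather than a challenge` — the motive is inferred from the patch title, so confirm the wording. `api_key_from_request` is defined outside the hunk, so whether a present-but-empty `key=` parameter counts as "key supplied" (and therefore suppresses the challenge) cannot be verified here; a test for that input would pin it down. The enclosing `respond_to` block begins before the hunk.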
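--- a/test/integration/api_test/authentication_test.rb
+++ b/test/integration/api_test/authentication_test.rb
@@ -44,6 +44,7 @@
     end
     get '/users/current.xml', :headers => credentials(user.login, 'wrong_password')
     assert_response :unauthorized
+    assert response.headers.has_key?('WWW-Authenticate')
   end
 
   def test_api_should_deny_http_basic_auth_if_twofa_is_active
@@ -67,6 +68,7 @@
     token = Token.create!(:user => user, :action => 'feeds') # not the API key
     get '/users/current.xml', :headers => credentials(token.value, 'X')
     assert_response :unauthorized
+    assert response.headers.has_key?('WWW-Authenticate')
   end
 
   def test_api_should_accept_auth_using_api_key_as_parameter
@@ -81,6 +83,7 @@
     token = Token.create!(:user => user, :action => 'feeds') # not the API key
     get "/users/current.xml?key=#{token.value}"
     assert_response :unauthorized
+    assert_not response.headers.has_key?('WWW-Authenticate')
   end
 
   def test_api_should_accept_auth_using_api_key_as_request_header
@@ -95,6 +98,7 @@
     token = Token.create!(:user => user, :action => 'feeds') # not the API key
     get "/users/current.xml", :headers => {'X-Redmine-API-Key' => token.value.to_s}
     assert_response :unauthorized
+    assert_not response.headers.has_key?('WWW-Authenticate')
   end
 
   def test_api_should_trigger_basic_http_auth_with_basic_authorization_header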
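Review bot: The four added assertions wrap `response.headers.has_key?`, so a failure reports only that a boolean was false rather than which headers the response actually carried; `assert_includes response.headers, 'WWW-Authenticate'` and `assert_not_includes response.headers, 'WWW-Authenticate'` make the same check with a useful message, and `key?` is the preferred spelling if the predicate form is kept. All four hunks (new-side lines 47, 71, 86 and 101) have the same shape, so the change applies to each. The new coverage only asserts that a non-API token suppresses the challenge; a request carrying both an API key and Basic credentials is not exercised, and whether that deserves a test depends on the controller's evaluation order, which is outside this file. Each hunk starts inside a test method whose `def` line lies above the hunk.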