Defect #44165
Basic authentication challenge is sent for API key authentication failures
Status: open
Description
When authentication fails for a REST API request, Redmine currently returns a WWW-Authenticate: Basic realm="Redmine API" response header even if the request used an API key passed with the key parameter or the X-Redmine-API-Key request header.
This is confusing because the response looks like a Basic authentication failure even though the client did not use Basic authentication. For example, when opening a URL such as http://redmine.example.com/issues.json?key=WRONG_API_KEY in a browser, the browser shows a Basic authentication dialog, which may make users think that their Basic authentication credentials are wrong and that they have to enter their login ID and password.
This patch treats requests with the key parameter or the X-Redmine-API-Key request header as API key authentication attempts. When such authentication fails, Redmine still returns 401 Unauthorized, but it does not include the WWW-Authenticate header for Basic authentication.
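The header decision described in this issue, sketched as an added example; it is not Redmine's code or the patch attached to this issue. The helper names and the Rack-style env hashes are assumptions made for illustration, and the sample requests are constructed.

```ruby
require "uri"

# Hypothetical names for illustration; not taken from Redmine's source.
API_KEY_HEADER  = "HTTP_X_REDMINE_API_KEY" # Rack env form of X-Redmine-API-Key
BASIC_CHALLENGE = 'Basic realm="Redmine API"'

# Classify how the client tried to authenticate, from a Rack-style env hash.
# An API key (parameter or header) wins even if Basic credentials are also sent.
def auth_attempt(env)
  params = begin
    URI.decode_www_form(env["QUERY_STRING"].to_s).to_h
  rescue ArgumentError
    {} # unparsable query string: treat as carrying no key parameter
  end
  return :api_key if params.key?("key") || env.key?(API_KEY_HEADER)
  return :basic if env["HTTP_AUTHORIZATION"].to_s.match?(/\ABasic /i)
  :none
end

# Build [status, headers] for a failed API authentication.
# Always 401; the Basic challenge is omitted for API key attempts only,
# so a browser does not pop up a login dialog for a wrong key.
def unauthorized_response(env)
  headers = {}
  headers["WWW-Authenticate"] = BASIC_CHALLENGE unless auth_attempt(env) == :api_key
  [401, headers]
end

# Constructed sample requests (Rack env fragments), not captured traffic.
SAMPLES = {
  "key parameter"  => { "QUERY_STRING" => "key=WRONG_API_KEY" },
  "key header"     => { "QUERY_STRING" => "", API_KEY_HEADER => "WRONG_API_KEY" },
  "basic auth"     => { "QUERY_STRING" => "", "HTTP_AUTHORIZATION" => "Basic d3Jvbmc6d3Jvbmc=" },
  "no credentials" => { "QUERY_STRING" => "" }
}

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, env|
    status, headers = unauthorized_response(env)
    puts format("%-15s %d WWW-Authenticate=%s", name, status, headers["WWW-Authenticate"].inspect)
  end
end
```

The same four cases make a useful regression check against a patched instance: both API key cases should come back as 401 with no WWW-Authenticate header.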