Improve RPC authentication failure responses.

This commit improves how the legacy RPC server responds to authentication failures so things like web browsers can react better. The following changes have been made: First, authentication failures were only printing the 401 error response in the body instead of setting the http status code. This means the response had a 200 OK header with a body of 401 Unauthorized. Therefore the client would think everything was ok, but see the response as malformed JSON. Second, the spec for 401 Unauthorized responses state they must include a WWW-Authenticate header to instruct the client how to authenticate. Without this, browsers won't prompt the user for credentials.
2024-11-19 09:50:08 +01:00 · 2014-01-23 11:25:09 -06:00 · 2014-01-23 11:25:09 -06:00 · 5859deea7e
commit 5859deea7e
parent 8f43dc758e
1 changed files with 2 additions and 1 deletions
--- a/rpcserver.go
+++ b/rpcserver.go
@ -337,7 +337,8 @@ func newRPCServer(listenAddrs []string, s *server) (*rpcServer, error) {

 // jsonAuthFail sends a message back to the client if the http auth is rejected.
 func jsonAuthFail(w http.ResponseWriter, r *http.Request, s *rpcServer) {
-	fmt.Fprint(w, "401 Unauthorized.\n")
+	w.Header().Add("WWW-Authenticate", `Basic realm="btcd RPC"`)
+	http.Error(w, "401 Unauthorized.", http.StatusUnauthorized)
 }

 // jsonRPCRead is the RPC wrapper around the jsonRead function to handle reading