add www-authenticate header when basic auth fails

Signed-off-by: Ivan Porto Carrero <ivan@flanders.co.nz>

Author: casualjim

middleware/context.go

@@ -16,10 +16,13 @@ package middleware
 
 import (
 	stdContext "context"
+	"fmt"
 	"net/http"
 	"strings"
 	"sync"
 
+	"github.com/go-openapi/runtime/security"
+
 	"github.com/go-openapi/analysis"
 	"github.com/go-openapi/errors"
 	"github.com/go-openapi/loads"
@@ -500,6 +503,11 @@ func (c *Context) Respond(rw http.ResponseWriter, r *http.Request, produces []st
 		if format == "" {
 			rw.Header().Set(runtime.HeaderContentType, runtime.JSONMime)
 		}
+
+		if realm := security.FailedBasicAuth(r); realm != "" {
+			rw.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=%q", realm))
+		}
+
 		if route == nil || route.Operation == nil {
 			c.api.ServeErrorFor("")(rw, r, err)
 			return

middleware/router.go

@@ -188,7 +188,6 @@ func (ra *RouteAuthenticator) Authenticate(req *http.Request, route *MatchedRout
 			if !applies {
 				return false, nil, nil
 			}
-
 			if err != nil {
 				route.Authenticator = ra
 				return true, nil, err

middleware/security_test.go

@@ -41,6 +41,7 @@ func TestSecurityMiddleware(t *testing.T) {
 
 	mw.ServeHTTP(recorder, request)
 	assert.Equal(t, 401, recorder.Code)
+	assert.NotEmpty(t, recorder.Header().Get("WWW-Authenticate"))
 
 	recorder = httptest.NewRecorder()
 	request, _ = http.NewRequest("GET", "/api/pets", nil)

security/authenticator.go

@@ -69,11 +69,34 @@ type ScopedTokenAuthentication func(string, []string) (interface{}, error)
 // ScopedTokenAuthenticationCtx authentication function with context.Context
 type ScopedTokenAuthenticationCtx func(context.Context, string, []string) (context.Context, interface{}, error)
 
+var DefaultRealmName = "API"
+
+type secCtxKey uint8
+
+const (
+	failedBasicAuth secCtxKey = iota
+)
+
+func FailedBasicAuth(r *http.Request) string {
+	return FailedBasicAuthCtx(r.Context())
+}
+
+func FailedBasicAuthCtx(ctx context.Context) string {
+	v, ok := ctx.Value(failedBasicAuth).(string)
+	if !ok {
+		return ""
+	}
+	return v
+}
+
 // BasicAuth creates a basic auth authenticator with the provided authentication function
 func BasicAuth(authenticate UserPassAuthentication) runtime.Authenticator {
 	return HttpAuthenticator(func(r *http.Request) (bool, interface{}, error) {
 		if usr, pass, ok := r.BasicAuth(); ok {
 			p, err := authenticate(usr, pass)
+			if err != nil {
+				*r = *r.WithContext(context.WithValue(r.Context(), failedBasicAuth, DefaultRealmName))
+			}
 			return true, p, err
 		}
 
@@ -86,6 +109,9 @@ func BasicAuthCtx(authenticate UserPassAuthenticationCtx) runtime.Authenticator
 	return HttpAuthenticator(func(r *http.Request) (bool, interface{}, error) {
 		if usr, pass, ok := r.BasicAuth(); ok {
 			ctx, p, err := authenticate(r.Context(), usr, pass)
+			if err != nil {
+				ctx = context.WithValue(ctx, failedBasicAuth, DefaultRealmName)
+			}
 			*r = *r.WithContext(ctx)
 			return true, p, err
 		}