Merge pull request #7 from kube-hetzner/as/fix/auth

fix(auth): Proxy-Authenticate instead of WWW-Authenticate
kube-hetzner · Oct 16, 2024 · e9f9d91 · e9f9d91
2 parents 1175a3c + 470c2ef
commit e9f9d91
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/auth.go b/auth.go
@@ -32,32 +32,32 @@ type credentials struct {
 func checkBasicAuth(w http.ResponseWriter, r *http.Request, creds credentials) bool {
 	auth := r.Header.Get("Proxy-Authorization")
 	if auth == "" {
-		slog.Debug("No Proxy-Authorization header found")
-		w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
-		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+		slog.Debug("No Proxy-Authorization header found", "remote_addr", r.RemoteAddr, "host", r.Host, "proto", r.Proto, "method", r.Method, "url", r.URL.String())
+		w.Header().Set("Proxy-Authenticate", "Basic realm=\"Proxy\"")
+		http.Error(w, "ProxyAuthRequired", http.StatusProxyAuthRequired)
 		return false
 	}
 
 	// Expected format: "Basic base64(username:password)"
 	const prefix = "Basic "
 	if !strings.HasPrefix(auth, prefix) {
-		slog.Debug("Invalid Proxy-Authorization header")
+		slog.Debug("Invalid Proxy-Authorization header", "remote_addr", r.RemoteAddr, "host", r.Host, "proto", r.Proto, "method", r.Method, "url", r.URL.String())
 		http.Error(w, "Unauthorized", http.StatusUnauthorized)
 		return false
 	}
 
 	// Decode the base64 username:password
 	payload, err := base64.StdEncoding.DecodeString(auth[len(prefix):])
 	if err != nil {
-		slog.Debug("Failed to decode Proxy-Authorization header")
+		slog.Debug("Failed to decode Proxy-Authorization header", "remote_addr", r.RemoteAddr, "host", r.Host, "proto", r.Proto, "method", r.Method, "url", r.URL.String())
 		http.Error(w, "Unauthorized", http.StatusUnauthorized)
 		return false
 	}
 
 	// Check if the credentials match
 	parts := strings.SplitN(string(payload), ":", 2)
 	if len(parts) != 2 || parts[0] != creds.username || parts[1] != creds.password {
-		slog.Debug("Invalid credentials")
+		slog.Debug("Invalid credentials", "remote_addr", r.RemoteAddr, "host", r.Host, "proto", r.Proto, "method", r.Method, "url", r.URL.String())
 		http.Error(w, "Unauthorized", http.StatusUnauthorized)
 		return false
 	}