Fixes yiisoft#15494: Fixed missing WWW-Authenticate header

josephmelnick · Jan 21, 2018 · 3763542 · 3763542
1 parent 2484154
commit 3763542
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
@@ -38,6 +38,7 @@ Yii Framework 2 Change Log
 - Bug #15432: Fixed wrong value being set in `yii\filters\RateLimiter::checkRateLimit()` resulting in wrong `X-Rate-Limit-Reset` header value (bizley)
 - Bug #15440: Fixed `yii\behaviors\AttributeTypecastBehavior::$attributeTypes` auto-detection fails for rule, which specify attribute with '!' prefix (klimov-paul)
 - Bug #15462: Fixed `accessChecker` configuration error (developeruz)
+- Bug #15494: Fixed missing `WWW-Authenticate` header (developeruz)
 - Enh #3087: Added `yii\helpers\BaseHtml::error()` "errorSource" option to be able to customize errors display (yanggs07, developeruz, silverfire)
 - Enh #3250: Added support for events partial wildcard matching (klimov-paul)
 - Enh #5515: Added default value for `yii\behaviors\BlameableBehavior` for cases when the user is guest (dmirogin)

diff --git a/framework/filters/auth/HttpHeaderAuth.php b/framework/filters/auth/HttpHeaderAuth.php
@@ -56,6 +56,7 @@ public function authenticate($user, $request, $response)
             }
             $identity = $user->loginByAccessToken($authHeader, get_class($this));
             if ($identity === null) {
+                $this->challenge($response);
                 $this->handleFailure($response);
             }
 

diff --git a/tests/framework/filters/auth/AuthTest.php b/tests/framework/filters/auth/AuthTest.php
@@ -191,6 +191,20 @@ public function testActive($authClass)
         $this->assertTrue($method->invokeArgs($filter, [new Action('index', $controller)]));
         $this->assertFalse($method->invokeArgs($filter, [new Action('view', $controller)]));
     }
+
+    public function testHeaders()
+    {
+        Yii::$app->request->headers->set('Authorization', "Bearer wrong_token");
+        $filter = ['class' => HttpBearerAuth::className()];
+        $controller = Yii::$app->createController('test-auth')[0];
+        $controller->authenticatorConfig = ArrayHelper::merge($filter, ['only' => ['filtered']]);
+        try {
+            $controller->run('filtered');
+            $this->fail('Should throw UnauthorizedHttpException');
+        } catch (UnauthorizedHttpException $e) {
+            $this->assertArrayHasKey('WWW-Authenticate', Yii::$app->getResponse()->getHeaders());
+        }
+    }
 }
 
 /**