Bug Report
Summary
Current behavior
How to reproduce
Expected behavior
I'm having a problem using basic auth. I created the following configuration:
return [
    'api-tools-mvc-auth' => [
        'authentication' => [
            'http' => [
                'accept_schemes' => ['basic'],
                'realm'          => 'my api',
                'htpasswd'       => __DIR__ . '/../../data/htpasswd',
            ],
        ],
    ],
];
If I now send a request to my API and include an Authorization header line, the credentials are checked and the resource is either released if everything is OK, or I receive an HTTP 401 if the credentials are not correct. So far everything is fine and corresponds to my expectations.
If I leave out the Authorization line, I get the following response headers:
WWW-Authenticate: Basic realm="my api"
Strict-Transport-Security: max-age=31536000; includeSubDomains
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type, authorization
Content-Length: 30
Content-Type: application/json
But - and now comes my exact problem - I get access to the resource, i.e. I can request an endpoint, the action in the handler class is executed and I also get a valid response including status code 200 back, and all of this without having to authenticate myself. I would have expected that the methods in the resource class would be "blocked" or the routing would be stopped.
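Editor's note with an added example (not part of the report above and not code from the api-tools-mvc-auth project itself): in api-tools-mvc-auth the 'authentication' block only establishes an identity. A request that carries no Authorization header is given the "guest" identity rather than rejected, and the request is only stopped if an 'authorization' rule denies that identity. The configuration below keeps the reporter's authentication settings and adds an 'authorization' block with 'deny_by_default' so that unlisted services and methods are refused for everyone, while the listed methods (marked true) require an authenticated identity. The controller names 'MyApi\V1\Rest\Widget\Controller' and 'MyApi\V1\Rpc\Ping\Controller' are placeholders for whatever the API actually registers.

```php
<?php
// Added example, not from the original report. Controller names are
// placeholders; replace them with the controller service names of your API.
return [
    'api-tools-mvc-auth' => [
        'authentication' => [
            'http' => [
                'accept_schemes' => ['basic'],
                'realm'          => 'my api',
                'htpasswd'       => __DIR__ . '/../../data/htpasswd',
            ],
        ],
        'authorization' => [
            // Without this, every service that has no explicit rule is open to
            // the "guest" identity, which is exactly the behaviour observed
            // when the Authorization header is omitted.
            'deny_by_default' => true,

            // REST service: one rule set for the collection URL and one for the
            // entity URL, keyed by HTTP method. A method marked true needs an
            // authenticated identity; methods not listed are denied outright
            // because of deny_by_default.
            'MyApi\V1\Rest\Widget\Controller' => [
                'collection' => [
                    'GET'  => true,
                    'POST' => true,
                ],
                'entity' => [
                    'GET'    => true,
                    'PUT'    => true,
                    'PATCH'  => true,
                    'DELETE' => true,
                ],
            ],

            // RPC service: rules are keyed by action name instead.
            'MyApi\V1\Rpc\Ping\Controller' => [
                'actions' => [
                    'ping' => [
                        'GET' => true,
                    ],
                ],
            ],
        ],
    ],
];
```

With this in place, a request without credentials still produces the same WWW-Authenticate challenge shown above, but the authorization listener now rejects the guest identity before the controller action runs, so the handler is never executed for an unauthenticated caller. A quick check after deploying it: repeat the two requests from the report (with and without the Authorization header) and confirm that only the authenticated one returns 200.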