Rearrange forward_unauthorized
This file is kind of hard to read. Try to improve it.
This readability problem caused me to miss one of the cases and invert
it, and because there are 6 possible clients/flows that need to be tested
through these, my testing didn't catch it originally.
Tested:
Redfish protocol validator now passes one more test for
www-authenticate. 18 failing test cases down to 12.
'''
curl -vvvv --insecure -H "Accepts: application/json" https://192.168.7.2/redfish/v1/SessionService/Sessions
'''
Now returns WWW-Authenticate when basic auth is enabled.
Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: Idaed4c1fe3f58667b5478006d3091d820ca26d58
diff --git a/include/forward_unauthorized.hpp b/include/forward_unauthorized.hpp
index 5b437b1..ddf3e3b 100644
--- a/include/forward_unauthorized.hpp
+++ b/include/forward_unauthorized.hpp
@@ -22,31 +22,30 @@
res.result(boost::beast::http::status::temporary_redirect);
res.addHeader("Location",
"/#/login?next=" + http_helpers::urlEncode(url));
+ return;
}
- else
- {
- // If we don't have a webui installed, just return a lame
- // unauthorized body
- res.result(boost::beast::http::status::unauthorized);
- res.body() = "Unauthorized";
- }
- }
- else
- {
+ // If we don't have a webui installed, just return an unauthorized
+ // body
res.result(boost::beast::http::status::unauthorized);
-
- // XHR requests from a browser will set the X-Requested-With header when
- // doing their requests, even though they might not be requesting html.
- if (!xRequestedWith.empty())
- {
- // Only propose basic auth as an option if it's enabled.
- if (persistent_data::SessionStore::getInstance()
- .getAuthMethodsConfig()
- .basic)
- {
- res.addHeader("WWW-Authenticate", "Basic");
- }
- }
+ res.body() = "Unauthorized";
+ return;
}
+
+ res.result(boost::beast::http::status::unauthorized);
+
+ // XHR requests from a browser will set the X-Requested-With header when
+ // doing their requests, even though they might not be requesting html.
+ if (!xRequestedWith.empty())
+ {
+ return;
+ }
+ // if basic auth is disabled, don't propose it.
+ if (!persistent_data::SessionStore::getInstance()
+ .getAuthMethodsConfig()
+ .basic)
+ {
+ return;
+ }
+ res.addHeader("WWW-Authenticate", "Basic");
}
} // namespace forward_unauthorized
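Review bot: The comment above `if (!xRequestedWith.empty())` describes what XHR requests do but not why the function returns there, and that unstated intent is the condition the commit message says was inverted. Consider replacing it with something like `// XHR callers set X-Requested-With; never send them a Basic challenge (presumably so the browser does not raise its native credential prompt).` so the next edit cannot flip it silently. Separately, the final line emits a bare `Basic` challenge; RFC 7617 requires a realm parameter, so `res.addHeader("WWW-Authenticate", "Basic realm=\"<REALM_PLACEHOLDER>\"");` would be more interoperable with strict clients. The enclosing function starts above the hunk, so the conditions guarding the redirect and plain-body branches are not visible here.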