Corrects issues in session

The previous commit https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45175
caused an issue with sessions, that is addressed by this change.

Tested:
Ed Tanous tested:
redfishtool -S Always -A Basic -u root -p 0penBmc -r 192.168.7.2 raw
GET /redfish/v1/Managers/bmc

redfishtool -S Always -A Session -u root -p 0penBmc -r 192.168.7.2 raw
GET /redfish/v1/Managers/bmc

Both return the manager.

Signed-off-by: John Edward Broadbent <jebr@google.com>
Change-Id: Ic00989286444baad88745cc1925602449372d1ac
diff --git a/include/authorization.hpp b/include/authorization.hpp
index ecbdca0..ecc83fc 100644
--- a/include/authorization.hpp
+++ b/include/authorization.hpp
@@ -42,8 +42,14 @@
 {
     BMCWEB_LOG_DEBUG << "[AuthMiddleware] Basic authentication";
 
-    std::string authData;
+    if (!boost::starts_with(authHeader, "Basic "))
+    {
+        return nullptr;
+    }
+
     std::string_view param = authHeader.substr(strlen("Basic "));
+    std::string authData;
+
     if (!crow::utility::base64Decode(param, authData))
     {
         return nullptr;
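Review bot: The new `boost::starts_with(authHeader, "Basic ")` guard is now the only thing that keeps `authHeader.substr(strlen("Basic "))` from throwing `std::out_of_range` on an empty or short header, and that deserves a comment. The last hunk removes the caller-side prefix test, so this function is now called without the header being inspected first. I would add above the check: `// Caller no longer filters on scheme; this guard also keeps substr() below in range.` The same applies to the `"Token "` check added to performTokenAuth in the next hunk. Both function bodies continue outside their hunks.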
@@ -91,7 +97,10 @@
     performTokenAuth(std::string_view authHeader)
 {
     BMCWEB_LOG_DEBUG << "[AuthMiddleware] Token authentication";
-
+    if (!boost::starts_with(authHeader, "Token "))
+    {
+        return nullptr;
+    }
     std::string_view token = authHeader.substr(strlen("Token "));
     auto sessionOut =
         persistent_data::SessionStore::getInstance().loginSessionByToken(token);
@@ -280,29 +289,25 @@
     }
 #endif
     std::string_view authHeader = reqHeader["Authorization"];
+    BMCWEB_LOG_ERROR << "authHeader=" << authHeader;
 
-    if (!authHeader.empty())
+    if (sessionOut == nullptr && authMethodsConfig.sessionToken)
     {
-        // Reject any kind of auth other than basic or token
-        if (boost::starts_with(authHeader, "Token ") &&
-            authMethodsConfig.sessionToken)
-        {
 #ifdef BMCWEB_ENABLE_SESSION_AUTHENTICATION
-            sessionOut = performTokenAuth(authHeader);
+        sessionOut = performTokenAuth(authHeader);
 #endif
-        }
-        else if (boost::starts_with(authHeader, "Basic ") &&
-                 authMethodsConfig.basic)
-        {
-#ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION
-            sessionOut = performBasicAuth(ipAddress, authHeader);
-#endif
-        }
-        if (sessionOut != nullptr)
-        {
-            return sessionOut;
-        }
     }
+    if (sessionOut == nullptr && authMethodsConfig.basic)
+    {
+#ifdef BMCWEB_ENABLE_BASIC_AUTHENTICATION
+        sessionOut = performBasicAuth(ipAddress, authHeader);
+#endif
+    }
+    if (sessionOut != nullptr)
+    {
+        return sessionOut;
+    }
+
     BMCWEB_LOG_WARNING << "[AuthMiddleware] authorization failed";
     forward_unauthorized::sendUnauthorized(url, reqHeader["User-Agent"],
                                            reqHeader["accept"], res);
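Review bot: The added `BMCWEB_LOG_ERROR << "authHeader=" << authHeader;` writes the full Authorization header to the log for every request that reaches this point. For Basic that is the base64-encoded username and password, and for Token it is a live session token, so the credentials are exposed to anyone with access to the logs or a collected log bundle. It also looks like leftover debugging, since it logs at error level on a path that is not an error. I would drop the line, or if a trace is wanted record only presence: `BMCWEB_LOG_DEBUG << "[AuthMiddleware] Authorization header present: " << !authHeader.empty();`. The enclosing function starts and ends outside the hunk.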