Conditionally set WWW-Authenticate header for AJAX requests

jimmyhealer · vmcj · commit 6df01fef2e02 · 2024-06-06T17:08:00.000Z
diff --git a/webapp/src/Security/DOMJudgeBasicAuthenticator.php b/webapp/src/Security/DOMJudgeBasicAuthenticator.php
@@ -67,7 +67,11 @@ public function onAuthenticationFailure(Request $request, AuthenticationExceptio
         // Otherwise, we pass along to the next authenticator.
         if ($exception instanceof BadCredentialsException || $exception instanceof UserNotFoundException) {
             $resp = new Response('', Response::HTTP_UNAUTHORIZED);
-            $resp->headers->set('WWW-Authenticate', sprintf('Basic realm="%s"', 'Secured Area'));
+
+            if (!$request->isXmlHttpRequest()) {
+                $resp->headers->set('WWW-Authenticate', sprintf('Basic realm="%s"', 'Secured Area'));
+            }
+  
             return $resp;
         }
 
