feat: auth plugins respond with www-authenticate header with realm

apisix/plugins/basic-auth.lua

@@ -32,6 +32,10 @@ local schema = {
         hide_credentials = {
             type = "boolean",
             default = false,
+        },
+        realm = {
+            type = "string",
+            default = "basic",
         }
     },
     anonymous_consumer = schema_def.anonymous_consumer_schema,
@@ -124,7 +128,6 @@ end
 local function find_consumer(ctx)
     local auth_header = core.request.header(ctx, "Authorization")
     if not auth_header then
-        core.response.set_header("WWW-Authenticate", "Basic realm='.'")
         return nil, nil, "Missing authorization in request"
     end
 
@@ -157,15 +160,17 @@ end
 
 
 function _M.rewrite(conf, ctx)
-    local cur_consumer, consumer_conf, err = find_consumer(ctx)
+    local cur_consumer, consumer_conf, err = find_consumer(ctx, conf)
     if not cur_consumer then
         if not conf.anonymous_consumer then
+            core.response.set_header("WWW-Authenticate", "Basic realm='" .. (conf.realm or "basic") .. "'")
             return 401, { message = err }
         end
         cur_consumer, consumer_conf, err = consumer.get_anonymous_consumer(conf.anonymous_consumer)
         if not cur_consumer then
             err = "basic-auth failed to authenticate the request, code: 401. error: " .. err
             core.log.error(err)
+            core.response.set_header("WWW-Authenticate", "Basic realm='" .. (conf.realm or "basic") .. "'")
             return 401, { message = "Invalid user authorization" }
         end
     end

apisix/plugins/hmac-auth.lua

@@ -63,6 +63,7 @@ local schema = {
             default = false,
         },
         hide_credentials = {type = "boolean", default = false},
+        realm = {type = "string", default = "hmac"},
         anonymous_consumer = schema_def.anonymous_consumer_schema,
     },
 }
@@ -346,14 +347,17 @@ function _M.rewrite(conf, ctx)
     local cur_consumer, consumers_conf, err = find_consumer(conf, ctx)
     if not cur_consumer then
         if not conf.anonymous_consumer then
+            core.response.set_header("WWW-Authenticate", "hmac realm='" .. (conf.realm or "hmac") .. "'")
             return 401, { message = err }
         end
         cur_consumer, consumers_conf, err = consumer.get_anonymous_consumer(conf.anonymous_consumer)
         if not cur_consumer then
             if auth_utils.is_running_under_multi_auth(ctx) then
+                core.response.set_header("WWW-Authenticate", "hmac realm='" .. (conf.realm or "hmac") .. "'")
                 return 401, err
             end
             core.log.error(err)
+            core.response.set_header("WWW-Authenticate", "hmac realm='" .. (conf.realm or "hmac") .. "'")
             return 401, { message = "Invalid user authorization" }
         end
     end

apisix/plugins/jwt-auth.lua

@@ -58,6 +58,10 @@ local schema = {
             type = "boolean",
             default = false
         },
+        realm = {
+            type = "string",
+            default = "jwt"
+        },
         anonymous_consumer = schema_def.anonymous_consumer_schema,
     },
 }
@@ -307,12 +311,14 @@ function _M.rewrite(conf, ctx)
     local consumer, consumer_conf, err = find_consumer(conf, ctx)
     if not consumer then
         if not conf.anonymous_consumer then
+            core.response.set_header("WWW-Authenticate", "Bearer realm='" .. (conf.realm or "jwt") .. "'")
             return 401, { message = err }
         end
         consumer, consumer_conf, err = consumer_mod.get_anonymous_consumer(conf.anonymous_consumer)
         if not consumer then
             err = "jwt-auth failed to authenticate the request, code: 401. error: " .. err
             core.log.error(err)
+            core.response.set_header("WWW-Authenticate", "Bearer realm='" .. (conf.realm or "jwt") .. "'")
             return 401, { message = "Invalid user authorization"}
         end
     end

apisix/plugins/key-auth.lua

@@ -30,6 +30,10 @@ local schema = {
             type = "string",
             default = "apikey",
         },
+        realm = {
+            type = "string",
+            default = "key",
+        },
         hide_credentials = {
             type = "boolean",
             default = false,
@@ -104,12 +108,14 @@ function _M.rewrite(conf, ctx)
     local consumer, consumer_conf, err = find_consumer(ctx, conf)
     if not consumer then
         if not conf.anonymous_consumer then
+            core.response.set_header("WWW-Authenticate", "apikey realm='" .. (conf.realm or "key") .. "'")
             return 401, { message = err}
         end
         consumer, consumer_conf, err = consumer_mod.get_anonymous_consumer(conf.anonymous_consumer)
         if not consumer then
             err = "key-auth failed to authenticate the request, code: 401. error: " .. err
             core.log.error(err)
+            core.response.set_header("WWW-Authenticate", "apikey realm='" .. (conf.realm or "key") .. "'")
             return 401, { message = "Invalid user authorization"}
         end
     end

apisix/plugins/ldap-auth.lua

@@ -28,7 +28,8 @@ local schema = {
         ldap_uri = { type = "string" },
         use_tls = { type = "boolean", default = false },
         tls_verify = { type = "boolean", default = false },
-        uid = { type = "string", default = "cn" }
+        uid = { type = "string", default = "cn" },
+        realm = { type = "string", default = "ldap" }
     },
     required = {"base_dn","ldap_uri"},
 }
@@ -106,7 +107,7 @@ function _M.rewrite(conf, ctx)
     -- 1. extract authorization from header
     local auth_header = core.request.header(ctx, "Authorization")
     if not auth_header then
-        core.response.set_header("WWW-Authenticate", "Basic realm='.'")
+        core.response.set_header("WWW-Authenticate", "Basic realm='" .. (conf.realm or "ldap") .. "'")
         return 401, { message = "Missing authorization in request" }
     end
 
@@ -117,6 +118,7 @@ function _M.rewrite(conf, ctx)
         else
           core.log.warn("nil user")
         end
+        core.response.set_header("WWW-Authenticate", "Basic realm='" .. (conf.realm or "ldap") .. "'")
         return 401, { message = "Invalid authorization in request" }
     end
 
@@ -136,6 +138,7 @@ function _M.rewrite(conf, ctx)
     local res, err = ldap.ldap_authenticate(user.username, user.password, ldapconf)
     if not res then
         core.log.warn("ldap-auth failed: ", err)
+        core.response.set_header("WWW-Authenticate", "Basic realm='" .. (conf.realm or "ldap") .. "'")
         return 401, { message = "Invalid user authorization" }
     end
 
@@ -144,12 +147,14 @@ function _M.rewrite(conf, ctx)
     -- 3. Retrieve consumer for authorization plugin
     local consumer_conf = consumer_mod.plugin(plugin_name)
     if not consumer_conf then
+        core.response.set_header("WWW-Authenticate", "Basic realm='" .. (conf.realm or "ldap") .. "'")
         return 401, { message = "Missing related consumer" }
     end
 
     local consumers = consumer_mod.consumers_kv(plugin_name, consumer_conf, "user_dn")
     local consumer = consumers[user_dn]
     if not consumer then
+        core.response.set_header("WWW-Authenticate", "Basic realm='" .. (conf.realm or "ldap") .. "'")
         return 401, {message = "Invalid user authorization"}
     end
     consumer_mod.attach_consumer(ctx, consumer, consumer_conf)

t/plugin/basic-auth-realm.t

@@ -0,0 +1,106 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: sanity, default realm
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                ngx.HTTP_PUT,
+                [[{
+                    "plugins": {
+                        "basic-auth": {}
+                    },
+                    "upstream": {
+                        "nodes": {
+                            "127.0.0.1:1980": 1
+                        },
+                        "type": "roundrobin"
+                    },
+                    "uri": "/hello"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+
+=== TEST 2: verify default realm
+--- request
+GET /hello
+--- error_code: 401
+--- response_headers
+WWW-Authenticate: Basic realm='basic'
+
+=== TEST 3: set custom realm
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                ngx.HTTP_PUT,
+                [[{
+                    "plugins": {
+                        "basic-auth": {
+                            "realm": "secure-zone"
+                        }
+                    },
+                    "upstream": {
+                        "nodes": {
+                            "127.0.0.1:1980": 1
+                        },
+                        "type": "roundrobin"
+                    },
+                    "uri": "/hello"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+
+=== TEST 4: verify custom realm
+--- request
+GET /hello
+--- error_code: 401
+--- response_headers
+WWW-Authenticate: Basic realm='secure-zone'

t/plugin/hmac-auth-realm.t

@@ -0,0 +1,106 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: sanity, default realm
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                ngx.HTTP_PUT,
+                [[{
+                    "plugins": {
+                        "hmac-auth": {}
+                    },
+                    "upstream": {
+                        "nodes": {
+                            "127.0.0.1:1980": 1
+                        },
+                        "type": "roundrobin"
+                    },
+                    "uri": "/hello"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+
+=== TEST 2: verify default realm
+--- request
+GET /hello
+--- error_code: 401
+--- response_headers
+WWW-Authenticate: hmac realm='hmac'
+
+=== TEST 3: set custom realm
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                ngx.HTTP_PUT,
+                [[{
+                    "plugins": {
+                        "hmac-auth": {
+                            "realm": "my-hmac-realm"
+                        }
+                    },
+                    "upstream": {
+                        "nodes": {
+                            "127.0.0.1:1980": 1
+                        },
+                        "type": "roundrobin"
+                    },
+                    "uri": "/hello"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+
+=== TEST 4: verify custom realm
+--- request
+GET /hello
+--- error_code: 401
+--- response_headers
+WWW-Authenticate: hmac realm='my-hmac-realm'