added option for SupressResponseHeaderWWWAuthenticateForAjaxRequests

Author: vborioni-onit

src/ZNetCS.AspNetCore.Authentication.Basic/BasicAuthenticationHandler.cs

@@ -165,11 +165,14 @@ protected override Task HandleChallengeAsync(AuthenticationProperties context)
             var realmHeader = new NameValueHeaderValue("realm", $"\"{this.Options.Realm}\"");
             this.Response.StatusCode = StatusCodes.Status401Unauthorized;
 
-            if (this.Request.Headers.TryGetValue("X-Requested-With", out var value))
+            if (this.Options.SupressResponseHeaderWWWAuthenticateForAjaxRequests)
             {
-                if (value == "XMLHttpRequest")
+                if (this.Request.Headers.TryGetValue(this.Options.AjaxRequestHeaderName, out var value))
                 {
-                    return Task.CompletedTask;
+                    if (value == this.Options.AjaxRequestHeaderValue)
+                    {
+                        return Task.CompletedTask;
+                    }
                 }
             }
 

src/ZNetCS.AspNetCore.Authentication.Basic/BasicAuthenticationOptions.cs

@@ -24,6 +24,9 @@ namespace ZNetCS.AspNetCore.Authentication.Basic
     /// </summary>
     public class BasicAuthenticationOptions : AuthenticationSchemeOptions
     {
+        public const string DefaultAjaxRequestHeaderName = "X-Requested-With";
+        public const string DefaultAjaxRequestHeaderValue = "XMLHttpRequest";
+
         #region Constructors and Destructors
 
         /// <summary>
@@ -33,6 +36,8 @@ public BasicAuthenticationOptions()
         {
             this.Realm = BasicAuthenticationDefaults.Realm;
             this.Events = new BasicAuthenticationEvents();
+            AjaxRequestHeaderName = DefaultAjaxRequestHeaderName;
+            AjaxRequestHeaderValue = DefaultAjaxRequestHeaderValue;
         }
 
         #endregion
@@ -72,6 +77,14 @@ public BasicAuthenticationOptions()
         [SuppressMessage("StyleCop.CSharp.DocumentationRules", "SA1650:ElementDocumentationMustBeSpelledCorrectly", Justification = "OK")]
         public string Realm { get; set; }
 
+        /// <summary>
+        /// If enabled, it suppress sending the WWWAuthenticate response header when a request has the header (X-Requested-With,XMLHttpRequest)
+        /// </summary>
+        public bool SupressResponseHeaderWWWAuthenticateForAjaxRequests { get; set; }
+
+        public string AjaxRequestHeaderName { get; set; }
+
+        public string AjaxRequestHeaderValue { get; set; }
         #endregion
     }
 }

test/ZNetCS.AspNetCore.Authentication.BasicTests/AuthorizationTest.cs

@@ -274,6 +274,34 @@ public async Task UnauthorizedWrongHeaderTest()
             }
         }
 
+        /// <summary>
+        /// The unauthorized basic realm via ajax
+        /// </summary>
+        [TestMethod]
+        public async Task UnauthorizedMyRealmTestAjaxRequestSuppressed()
+        {
+            using (var server = new TestServer(WebHostBuilderHelper.CreateBuilder(o =>
+            {
+                o.Realm = "My realm";
+                o.SupressResponseHeaderWWWAuthenticateForAjaxRequests = true;
+            })))
+            {
+                using (HttpClient client = server.CreateClient())
+                {
+                    client.DefaultRequestHeaders.Add(Basic.BasicAuthenticationOptions.DefaultAjaxRequestHeaderName, Basic.BasicAuthenticationOptions.DefaultAjaxRequestHeaderValue);
+
+                    // Act
+                    HttpResponseMessage response = await client.GetAsync("api/test");
+
+                    // Assert
+                    AuthenticationHeaderValue wwwAuth = response.Headers.WwwAuthenticate.SingleOrDefault();
+
+                    Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode, "StatusCode != Unauthorized");
+                    Assert.IsNull(wwwAuth, "No header should be sent back on ajax request");
+                }
+            }
+        }
+
         #endregion
     }
 }