Merge pull request #70 from appbaseio/fix/user-management

feat: update error messages + add response header for 401 errors

middleware/ratelimiter/ratelimiter.go

@@ -86,6 +86,7 @@ func (rl *Ratelimiter) rateLimit(h http.HandlerFunc) http.HandlerFunc {
 			// limit on Categories per second
 			categoryLimit, err := reqPermission.GetLimitFor(*reqCategory)
 			if err != nil {
+				w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
 				util.WriteBackError(w, err.Error(), http.StatusUnauthorized)
 				return
 			}

middleware/validate/acl.go

@@ -48,6 +48,7 @@ func validateACL(h http.HandlerFunc) http.HandlerFunc {
 
 		if !ok {
 			msg := fmt.Sprintf(`credentials cannot access "%s" acl`, reqACL.String())
+			w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
 			util.WriteBackError(w, msg, http.StatusUnauthorized)
 			return
 		}

middleware/validate/category.go

@@ -48,6 +48,7 @@ func validateCategory(h http.HandlerFunc) http.HandlerFunc {
 
 		if !ok {
 			msg := fmt.Sprintf(`credential can't access "%s" category`, reqCategory.String())
+			w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
 			util.WriteBackError(w, msg, http.StatusUnauthorized)
 			return
 		}

middleware/validate/expiry.go

@@ -45,6 +45,7 @@ func validateExpiry(h http.HandlerFunc) http.HandlerFunc {
 
 			if expired {
 				msg := fmt.Sprintf("permission with username=%s is expired", reqPermission.Username)
+				w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
 				util.WriteBackError(w, msg, http.StatusUnauthorized)
 				return
 			}

middleware/validate/indices.go

@@ -48,6 +48,7 @@ func indices(h http.HandlerFunc) http.HandlerFunc {
 				return
 			}
 			if !ok {
+				w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
 				util.WriteBackError(w, "credentials cannot access cluster level routes", http.StatusUnauthorized)
 				return
 			}
@@ -61,6 +62,7 @@ func indices(h http.HandlerFunc) http.HandlerFunc {
 			}
 			if !ok {
 				msg := fmt.Sprintf("credentials cannot access %v index/indices", reqIndices)
+				w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
 				util.WriteBackError(w, msg, http.StatusUnauthorized)
 				return
 			}

middleware/validate/op.go

@@ -48,6 +48,7 @@ func operation(h http.HandlerFunc) http.HandlerFunc {
 
 		if !ok {
 			msg := fmt.Sprintf(`credential cannot perform "%v" operation`, reqOp.String())
+			w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
 			util.WriteBackError(w, msg, http.StatusUnauthorized)
 			return
 		}

middleware/validate/referers.go

@@ -59,6 +59,7 @@ func referers(h http.HandlerFunc) http.HandlerFunc {
 			}
 
 			if !validated {
+				w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
 				util.WriteBackError(w, "permission doesn't have required referers", http.StatusUnauthorized)
 				return
 			}

middleware/validate/sources.go

@@ -36,6 +36,7 @@ func sources(h http.HandlerFunc) http.HandlerFunc {
 			reqIP := iplookup.FromRequest(req)
 			if reqIP == "" {
 				msg := fmt.Sprintf(`failed to recognize request ip: "%s"`, reqIP)
+				w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
 				util.WriteBackError(w, msg, http.StatusUnauthorized)
 				return
 			}
@@ -70,6 +71,7 @@ func sources(h http.HandlerFunc) http.HandlerFunc {
 			if !validated {
 				msg := fmt.Sprintf(`permission with username %s doesn't have required sources. reqIP = %s, sources = %s`,
 					reqPermission.Username, reqIP, allowedSources)
+				w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
 				util.WriteBackError(w, msg, http.StatusUnauthorized)
 				return
 			}

plugins/auth/middleware.go

@@ -106,6 +106,7 @@ func (a *Auth) basicAuth(h http.HandlerFunc) http.HandlerFunc {
 			} else {
 				msg = fmt.Sprintf("Unable to parse JWT: %v", err)
 			}
+			w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
 			util.WriteBackError(w, msg, http.StatusUnauthorized)
 			return
 		}
@@ -118,10 +119,12 @@ func (a *Auth) basicAuth(h http.HandlerFunc) http.HandlerFunc {
 				} else if u, ok := claims["role"]; ok {
 					role = u.(string)
 				} else {
+					w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
 					util.WriteBackError(w, fmt.Sprintf("Invalid JWT"), http.StatusUnauthorized)
 					return
 				}
 			} else {
+				w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
 				util.WriteBackError(w, fmt.Sprintf("Invalid JWT"), http.StatusUnauthorized)
 				return
 			}
@@ -133,6 +136,7 @@ func (a *Auth) basicAuth(h http.HandlerFunc) http.HandlerFunc {
 			if err != nil || obj == nil {
 				msg := fmt.Sprintf("No API credentials match with provided role: %s", role)
 				log.Errorln(logTag, ":", err)
+				w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
 				util.WriteBackError(w, msg, http.StatusUnauthorized)
 				return
 			}
@@ -141,12 +145,14 @@ func (a *Auth) basicAuth(h http.HandlerFunc) http.HandlerFunc {
 			if err != nil || obj == nil {
 				msg := fmt.Sprintf("No API credentials match with provided username: %s", username)
 				log.Errorln(logTag, ":", err)
+				w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
 				util.WriteBackError(w, msg, http.StatusUnauthorized)
 				return
 			}
 		}
 
 		var authenticated bool
+		var errorMsg = "invalid credentials provided"
 
 		// since we are able to fetch a result with the given credentials, we
 		// do not need to validate the username and password.
@@ -156,6 +162,7 @@ func (a *Auth) basicAuth(h http.HandlerFunc) http.HandlerFunc {
 				// if the request is made to elasticsearch using user credentials, then the user has to be an admin
 				reqUser := obj.(*user.User)
 				if hasBasicAuth && bcrypt.CompareHashAndPassword([]byte(reqUser.Password), []byte(password)) != nil {
+					w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
 					util.WriteBackError(w, "invalid password", http.StatusUnauthorized)
 					return
 				}
@@ -165,6 +172,10 @@ func (a *Auth) basicAuth(h http.HandlerFunc) http.HandlerFunc {
 					authenticated = true
 				}
 
+				if !authenticated {
+					errorMsg = "only admin users are allowed to access elasticsearch"
+				}
+
 				// cache the user
 				if _, ok := a.cachedCredential(username); !ok {
 					a.cacheCredential(username, reqUser)
@@ -179,12 +190,15 @@ func (a *Auth) basicAuth(h http.HandlerFunc) http.HandlerFunc {
 			{
 				reqPermission := obj.(*permission.Permission)
 				if hasBasicAuth && reqPermission.Password != password {
+					w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
 					util.WriteBackError(w, "invalid password", http.StatusUnauthorized)
 					return
 				}
 
 				if reqCategory.IsFromES() {
 					authenticated = true
+				} else {
+					errorMsg = "credential is only allowed to access elasticsearch"
 				}
 
 				// cache the permission
@@ -202,7 +216,8 @@ func (a *Auth) basicAuth(h http.HandlerFunc) http.HandlerFunc {
 		}
 
 		if !authenticated {
-			util.WriteBackError(w, "invalid credentials provided", http.StatusUnauthorized)
+			w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
+			util.WriteBackError(w, errorMsg, http.StatusUnauthorized)
 			return
 		}
 

plugins/users/middleware.go

@@ -2,9 +2,10 @@ package users
 
 import (
 	"fmt"
-	log "github.com/sirupsen/logrus"
 	"net/http"
 
+	log "github.com/sirupsen/logrus"
+
 	"github.com/appbaseio/arc/middleware"
 	"github.com/appbaseio/arc/middleware/classify"
 	"github.com/appbaseio/arc/middleware/validate"
@@ -68,6 +69,7 @@ func isAdmin(h http.HandlerFunc) http.HandlerFunc {
 
 		if !*reqUser.IsAdmin {
 			msg := fmt.Sprintf(`user with "username"="%s" is not an admin`, reqUser.Username)
+			w.Header().Set("www-authenticate", "Basic realm=\"Authentication Required\"")
 			util.WriteBackError(w, msg, http.StatusUnauthorized)
 			return
 		}