From 8d187a82f50d8e4543516064236e8053d1d0e2b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?=
Date: Wed, 30 Sep 2020 11:04:20 +0200
Subject: [PATCH] always return 401 when auth fails
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jörn Friedrich Dreyer
---
 proxy/pkg/middleware/account_uuid.go | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/proxy/pkg/middleware/account_uuid.go b/proxy/pkg/middleware/account_uuid.go
index 0838f99e5c9..7d3611fd228 100644
--- a/proxy/pkg/middleware/account_uuid.go
+++ b/proxy/pkg/middleware/account_uuid.go
@@ -93,12 +93,15 @@ func AccountUUID(opts ...Option) func(next http.Handler) http.Handler {
 if opt.EnableBasicAuth && ok {
 l.Warn().Msg("basic auth enabled, use only for testing or development")
 account, status = getAccount(l, opt.AccountsClient, fmt.Sprintf("login eq '%s' and password eq '%s'", strings.ReplaceAll(login, "'", "''"), strings.ReplaceAll(password, "'", "''")))
- if status != 0 {
- w.WriteHeader(status)
+ if status == 0 {
+ // fake claims for the subsequent code flow
+ claims = &oidc.StandardClaims{
+ Iss: opt.OIDCIss,
+ }
+ } else {
+ // tell client to reauthenticate
+ w.WriteHeader(http.StatusUnauthorized)
 return
- } // fake claims for the subsequent code flow
- claims = &oidc.StandardClaims{
- Iss: opt.OIDCIss,
 }
 } else {
 next.ServeHTTP(w, r)
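Review bot: The new `else` branch writes `http.StatusUnauthorized` without a `WWW-Authenticate` header, which a 401 response is required to carry (RFC 7235) and which the client needs in order to act on the "tell client to reauthenticate" comment; setting it before the status line, e.g. `w.Header().Set("WWW-Authenticate", "Basic realm=\"<realm>\"")` with the deployment's realm in place of the placeholder, would close that gap. The same branch now discards the original `status` from `getAccount`, so if that helper can return a server-side error (not visible in this hunk) an accounts-service outage becomes indistinguishable from a wrong password. Logging the dropped value where it is overridden, for example `l.Warn().Int("status", status).Msg("basic auth failed")` assuming `l` is the zerolog-style logger it appears to be, would keep failed-login bursts and backend failures separable for detection. The enclosing handler starts and ends outside the hunk.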