3.3.1: clean WWW-Authenticate header in HTTP 200 responses

zandbelt · zandbelt · commit a16b46d090e1 · 2023-01-21T20:20:06.000+01:00
- clean WWW-Authenticate header in main request as well if this is a subrequest; closes #42; this avoids the WWW-Authenticate header to be sent in HTTP 200 responses; thanks @ErmakovDmitriy - depend on liboauth2 1.4.5.3 - release 3.3.1 Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,12 @@
+01/21/2023
+- clean WWW-Authenticate header in main request as well if this is a subrequest; closes #42
+  this avoids the WWW-Authenticate header to be sent in HTTP 200 responses; thanks @ErmakovDmitriy
+- depend on liboauth2 1.4.5.3
+- release 3.3.1
+
 12/06/2022
 - change Makefile install procedure
-- depend on liboauth 1.4.5.2
+- depend on liboauth2 1.4.5.2
 - release 3.3.0
 
 07/27/2022
@@ -14,6 +20,8 @@
 - depend on liboauth2 1.4.2.1 with fixed iat slack validation defaults
 - set WWW-Authenticate environment variable to allow for complex Require logic; see 
   https://github.com/zmartzone/mod_auth_openidc/discussions/572
+  example:
+  Header always append WWW-Authenticate %{OAUTH2_BEARER_SCOPE_ERROR}e "expr=(%{REQUEST_STATUS} == 401) && (-n reqenv('OAUTH2_BEARER_SCOPE_ERROR'))"  
 - release 3.2.2
 
 02/01/2021
diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_oauth2],[3.3.0],[hans.zandbelt@zmartzone.eu])
+AC_INIT([mod_oauth2],[3.3.1],[hans.zandbelt@zmartzone.eu])
 
 AM_INIT_AUTOMAKE([foreign no-define subdir-objects])
 AC_CONFIG_MACRO_DIRS([m4])
@@ -27,11 +27,11 @@ AC_SUBST(APR_LIBS)
 AC_SUBST(APACHE_CFLAGS)
 AC_ARG_VAR(APXS_OPTS, [additional command line options to pass to apxs])
 
-PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 1.4.5.2])
+PKG_CHECK_MODULES(OAUTH2, [liboauth2 >= 1.4.5.3])
 AC_SUBST(OAUTH2_CFLAGS)
 AC_SUBST(OAUTH2_LIBS)
 
-PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 1.4.5.2])
+PKG_CHECK_MODULES(OAUTH2_APACHE, [liboauth2_apache >= 1.4.5.3])
 AC_SUBST(OAUTH2_APACHE_CFLAGS)
 AC_SUBST(OAUTH2_APACHE_LIBS)
 
diff --git a/src/mod_oauth2.c b/src/mod_oauth2.c
@@ -229,6 +229,9 @@ oauth2_authz_checker(request_rec *r, const char *require_args,
 				      OAUTH2_HTTP_HDR_WWW_AUTHENTICATE);
 		apr_table_unset(r->err_headers_out,
 				OAUTH2_HTTP_HDR_WWW_AUTHENTICATE);
+		if (r->main)
+			apr_table_unset(r->main->err_headers_out,
+					OAUTH2_HTTP_HDR_WWW_AUTHENTICATE);
 		oauth2_debug(ctx->log,
 			     "setting environment variable %s to \"%s\" for "
 			     "usage in mod_headers",
