Changed SessionBased authentication to send 401 for sub-requests

Implements #38

Author: thekid

ChangeLog.md

@@ -3,6 +3,11 @@ Web Authentication change log
 
 ## ?.?.? / ????-??-??
 
+## 7.0.0 / ????-??-??
+
+* Changed `SessionBased` authentication to send 401 for sub-requests (e.g.
+  images, fetch(), ...), implementing feature suggested in #38
+  (@thekid)
 * Merged PR #37: Refactor OAuth1 & OAuth2 flows, fixing possible flow error
   states and implifiying their implementation
   (@thekid)

src/main/php/web/auth/SessionBased.class.php

@@ -8,6 +8,7 @@
 /** @test web.auth.unittest.SessionBasedTest */
 class SessionBased extends Authentication {
   const TOKEN_LENGTH= 32;
+  const IS_NAVIGATION= ['navigate', null];
 
   private static $random;
   private $flow, $sessions, $lookup;
@@ -87,6 +88,15 @@ public function filter($req, $res, $invocation) {
 
     if (null === $user) {
 
+      // Only start authentication for top-level navigation, issuing 401 errors for
+      // sub-requests, e.g. to images or when using fetch from JavaScript to prevent
+      // serving non-sensical authentication redirects to these requests.
+      if (!in_array($req->header('Sec-Fetch-Mode'), self::IS_NAVIGATION)) {
+        $res->answer(401);
+        $res->send('Authentication required', 'text/plain');
+        return;
+      }
+
       // Authentication may require redirection in order to fulfill its job.
       // In this case, return early from this method w/o passing control on.
       if (null === ($result= $this->flow->authenticate($req, $res, $session))) return;

src/test/php/web/auth/unittest/SessionBasedTest.class.php

@@ -1,7 +1,7 @@
 <?php namespace web\auth\unittest;
 
 use lang\IllegalStateException;
-use test\{Assert, Test};
+use test\{Assert, Test, Values};
 use web\auth\{Flow, SessionBased};
 use web\io\{TestInput, TestOutput};
 use web\session\{ForTesting, ISession};
@@ -50,9 +50,32 @@ public function redirects_to_sso() {
       throw new IllegalStateException('Should not be reached');
     }));
 
+    Assert::equals(302, $res->status());
     Assert::equals('https://sso.example.com/', $res->headers()['Location']);
   }
 
+  #[Test, Values(['navigate', null])]
+  public function redirects_for_top_level_requests($mode) {
+    $auth= new SessionBased($this->authenticate(null), new ForTesting());
+    $res= $this->handle(['Sec-Fetch-Mode' => $mode], $auth->required(function($req, $res) use(&$user) {
+      throw new IllegalStateException('Should not be reached');
+    }));
+
+    Assert::equals(302, $res->status());
+    Assert::equals('https://sso.example.com/', $res->headers()['Location']);
+  }
+
+  #[Test, Values(['cors', 'no-cors', 'same-origin', 'websocket'])]
+  public function sends_401_for_subrequests($mode) {
+    $auth= new SessionBased($this->authenticate(null), new ForTesting());
+    $res= $this->handle(['Sec-Fetch-Mode' => $mode], $auth->required(function($req, $res) use(&$user) {
+      throw new IllegalStateException('Should not be reached');
+    }));
+
+    Assert::equals(401, $res->status());
+    Assert::equals('Authentication required', $res->output()->body());
+  }
+
   #[Test]
   public function required() {
     $sessions= new ForTesting();