Fix typo in basic auth realm header name
🌲 Context
For some package managers such as nuget, their authentication workflow relies on a 401 unauthenticated response with a proper WWW-Authenticate header.
During the upgrade to puma 5.1.1, we observed that this header could be missing from the 401 unauthenticated response.
It turns out that the header name was malformed.
Such an invalid header name would be filtered out, and without this header, nuget can stop working.
🔬 What does this MR do?
- Fix the WWW-Authenticate header name used in the package helpers during basic authentication.
- Make it similar to the examples in mozilla documentation.
⛰ Screenshots (strongly suggested)
Without the proper header
$ nuget push bin/Release/bananas.1.3.7.nupkg -source gl_pru
WARNING: No API Key was provided and no API Key could be found for 'http://gdk.test:8000/api/v4/projects/1/packages/nuget'. To save an API Key for a source use the 'setApiKey' command.
Pushing bananas.1.3.7.nupkg to 'http://gdk.test:8000/api/v4/projects/1/packages/nuget'...
PUT http://gdk.test:8000/api/v4/projects/1/packages/nuget/
Using credentials from config. UserName: root
Please provide credentials for: http://gdk.test:8000/api/v4/projects/1/packages/nuget/index.json
With the proper header name
$ nuget push bin/Release/bananas.1.3.7.nupkg -source gl_pru
WARNING: No API Key was provided and no API Key could be found for 'http://gdk.test:8000/api/v4/projects/1/packages/nuget'. To save an API Key for a source use the 'setApiKey' command.
Pushing bananas.1.3.7.nupkg to 'http://gdk.test:8000/api/v4/projects/1/packages/nuget'...
PUT http://gdk.test:8000/api/v4/projects/1/packages/nuget/
Created http://gdk.test:8000/api/v4/projects/1/packages/nuget/ 20701ms
Your package was pushed.
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Edited by David Fernandez
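
A regression check for the failure described above, as an added example that is not part of the original merge request or GitLab's code: it models a server that drops header names that are not RFC 7230 tokens, then reports why a 401 would leave a client such as nuget without a usable Basic challenge. The function names, the realm text and the malformed header name are constructed for illustration (the page does not show the original malformed name), and the filtering step is an assumed model, not puma's implementation.

```ruby
# Added example, not GitLab's code. A header name must be an RFC 7230 token:
# letters, digits and a fixed set of punctuation, with no ':' and no spaces.
TOKEN = /\A[!\#$%&'*+\-.^_`|~0-9A-Za-z]+\z/

# Drop headers whose name is not a valid token. This models the filtering
# the MR describes (assumption: it is not puma's actual implementation).
def filter_headers(headers)
  headers.select { |name, _| name.match?(TOKEN) }
end

# Return the problems that would keep a client from retrying a 401
# with Basic credentials. An empty list means the challenge is usable.
def challenge_problems(status, headers)
  return [] unless status == 401

  problems = headers.keys.reject { |n| n.match?(TOKEN) }
                    .map { |n| "invalid header name: #{n.inspect}" }

  # Only headers that survive filtering are visible to the client.
  sent = filter_headers(headers)
  name = sent.keys.find { |n| n.casecmp?('WWW-Authenticate') }

  if name.nil?
    problems << 'no WWW-Authenticate header reaches the client'
  elsif !sent[name].match?(/\ABasic\s+realm="[^"]*"/i)
    # This check insists on a quoted realm, as in the MDN examples.
    problems << "challenge is not Basic with a quoted realm: #{sent[name].inspect}"
  end
  problems
end

# Constructed sample responses: scheme and realm folded into the header
# name (malformed) versus name and value kept separate (well-formed).
BROKEN = { 'WWW-Authenticate: Basic realm' => 'GitLab Packages Registry' }.freeze
FIXED  = { 'WWW-Authenticate' => 'Basic realm="GitLab Packages Registry"' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "broken: #{challenge_problems(401, BROKEN).inspect}"
  puts "fixed:  #{challenge_problems(401, FIXED).inspect}"
end
```

Running the same check in a request spec against each package endpoint's 401 response catches this class of typo before a web server upgrade exposes it.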