
Don't show auth form if username is not set

Volodymyr Tkach 2 years ago
parent
commit
df82ead04c
2 changed files with 59 additions and 24 deletions
  1. 26 24
      utils/http/servauth/servauth.go
  2. 33 0
      utils/http/servauth/servauth_test.go

+ 26 - 24
utils/http/servauth/servauth.go

@@ -7,36 +7,38 @@ import (
 
 func BasicAuth(handler http.Handler, username, password, realm string) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if realm == "" {
-			realm = "Please enter username and password"
-		}
+		if username != "" {
+			if realm == "" {
+				realm = "Please enter username and password"
+			}
 
-		u, p, ok := r.BasicAuth()
-		if !ok {
-			w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
-			w.WriteHeader(401)
-			if _, err := w.Write([]byte("Unauthorised\n")); err != nil {
-				log.Printf("%s\n", err.Error())
+			u, p, ok := r.BasicAuth()
+			if !ok {
+				w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
+				w.WriteHeader(401)
+				if _, err := w.Write([]byte("Unauthorised\n")); err != nil {
+					log.Printf("%s\n", err.Error())
+				}
+				return
 			}
-			return
-		}
 
-		if u != username {
-			w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
-			w.WriteHeader(401)
-			if _, err := w.Write([]byte("Unauthorised\n")); err != nil {
-				log.Printf("%s\n", err.Error())
+			if u != username {
+				w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
+				w.WriteHeader(401)
+				if _, err := w.Write([]byte("Unauthorised\n")); err != nil {
+					log.Printf("%s\n", err.Error())
+				}
+				return
 			}
-			return
-		}
 
-		if p != password {
-			w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
-			w.WriteHeader(401)
-			if _, err := w.Write([]byte("Unauthorised\n")); err != nil {
-				log.Printf("%s\n", err.Error())
+			if p != password {
+				w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
+				w.WriteHeader(401)
+				if _, err := w.Write([]byte("Unauthorised\n")); err != nil {
+					log.Printf("%s\n", err.Error())
+				}
+				return
 			}
-			return
 		}
 
 		handler.ServeHTTP(w, r)
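Review bot: The new `if username != ""` guard makes BasicAuth a silent pass-through whenever the username is empty, even if a non-empty password was supplied, so a missing or misspelled username setting exposes the wrapped handler with no signal to the operator. Consider bypassing only when both values are empty, or at minimum state the behaviour in a doc comment on BasicAuth and make it visible once at construction, before `return http.HandlerFunc(...)`: `if username == "" { log.Printf("servauth: username not set, basic auth disabled"); return handler }`. Separately, `u != username` and `p != password` are plain string comparisons whose duration depends on how much of the input matches; `subtle.ConstantTimeCompare([]byte(p), []byte(password)) != 1` from `crypto/subtle` removes that signal (the import block is outside this hunk). The three identical 401 branches could also collapse into one check, which would leave a single place to get the rejection path right. The closing lines of the closure and of BasicAuth fall outside the hunk.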

+ 33 - 0
utils/http/servauth/servauth_test.go

@@ -62,6 +62,39 @@ var _ = Describe("servauth", func() {
 			Expect(err).To(Succeed())
 			Expect(string(body)).To(Equal("Index"))
 		})
+
+		It("don't request credentials on empty username", func() {
+			srv.Close()
+			srv = httptest.NewServer(servauth.BasicAuth(getTestHandler(), "", "", ""))
+			client = srv.Client()
+
+			resp, err := client.Get(srv.URL + "/")
+			Expect(err).To(Succeed())
+			defer resp.Body.Close()
+
+			Expect(resp.StatusCode).To(Equal(http.StatusOK))
+
+			body, err := io.ReadAll(resp.Body)
+			Expect(err).To(Succeed())
+			Expect(string(body)).To(Equal("Index"))
+		})
+
+		It("request credentials on not empty username but empty password", func() {
+			srv.Close()
+			srv = httptest.NewServer(servauth.BasicAuth(getTestHandler(), "user", "", "msg"))
+			client = srv.Client()
+
+			resp, err := client.Get(srv.URL + "/")
+			Expect(err).To(Succeed())
+			defer resp.Body.Close()
+
+			Expect(resp.StatusCode).To(Equal(http.StatusUnauthorized))
+			Expect(resp.Header["Www-Authenticate"]).To(Equal([]string{`Basic realm="msg"`}))
+
+			body, err := io.ReadAll(resp.Body)
+			Expect(err).To(Succeed())
+			Expect(string(body)).To(Equal("Unauthorised\n"))
+		})
 	})
 })
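Review bot: The added specs cover an empty username only together with an empty password, so the case where authentication is switched off despite a configured password is never pinned down. A third spec built with `servauth.BasicAuth(getTestHandler(), "", "secret", "")` (the password value here is a constructed sample) would record whether a 200 or a 401 is the intended result for that configuration, and would fail if the guard in servauth.go is later tightened or loosened by accident. The enclosing Describe block starts outside the hunk, so a similar spec may already exist there.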