Merge pull request #5787 from xaya/http-request-auth

Return 401 from RPC server for missing auth

electrum/daemon.py

@@ -259,6 +259,12 @@ class PayServer(Logger):
 class AuthenticationError(Exception):
     pass
 
+class AuthenticationInvalidOrMissing(AuthenticationError):
+    pass
+
+class AuthenticationCredentialsInvalid(AuthenticationError):
+    pass
+
 class Daemon(Logger):
 
     @profiler
@@ -302,23 +308,26 @@ class Daemon(Logger):
             return
         auth_string = headers.get('Authorization', None)
         if auth_string is None:
-            raise AuthenticationError('CredentialsMissing')
+            raise AuthenticationInvalidOrMissing('CredentialsMissing')
         basic, _, encoded = auth_string.partition(' ')
         if basic != 'Basic':
-            raise AuthenticationError('UnsupportedType')
+            raise AuthenticationInvalidOrMissing('UnsupportedType')
         encoded = to_bytes(encoded, 'utf8')
         credentials = to_string(b64decode(encoded), 'utf8')
         username, _, password = credentials.partition(':')
         if not (constant_time_compare(username, self.rpc_user)
                 and constant_time_compare(password, self.rpc_password)):
             await asyncio.sleep(0.050)
-            raise AuthenticationError('Invalid Credentials')
+            raise AuthenticationCredentialsInvalid('Invalid Credentials')
 
     async def handle(self, request):
         async with self.auth_lock:
             try:
                 await self.authenticate(request.headers)
-            except AuthenticationError:
+            except AuthenticationInvalidOrMissing:
+                return web.Response(headers={"WWW-Authenticate": "Basic realm=Electrum"},
+                                    text='Unauthorized', status=401)
+            except AuthenticationCredentialsInvalid:
                 return web.Response(text='Forbidden', status=403)
         request = await request.text()
         response = await jsonrpcserver.async_dispatch(request, methods=self.methods)