send WWW-Authenticate where it's possible

2023-06-27 21:21:06 +02:00 · 2023-06-27 21:21:06 +02:00 · 1f38d624c0
parent deb9ba146f
commit 1f38d624c0
1 changed files with 21 additions and 1 deletions
--- a/packages/backend/test/e2e/oauth.ts
+++ b/packages/backend/test/e2e/oauth.ts
@ -660,7 +660,27 @@ describe('OAuth', () => {
 		// invalid for other reasons.  The resource SHOULD respond with
 		// the HTTP 401 (Unauthorized) status code."
 		assert.strictEqual(createResponse.status, 401);
-		assert.ok(createResponse.headers.has('WWW-Authenticate'));
+
+		let wwwAuthenticate = createResponse.headers.get('WWW-Authenticate');
+		assert.ok(wwwAuthenticate?.startsWith('Bearer realm="Misskey", error="invalid_token"'));
+
+		// Pattern 3: No token
+		createResponse = await relativeFetch('api/notes/create', {
+			method: 'POST',
+			headers: {
+				'Content-Type': 'application/json',
+			},
+			body: JSON.stringify({ text: 'test' }),
+		});
+		wwwAuthenticate = createResponse.headers.get('WWW-Authenticate');
+
+		// https://datatracker.ietf.org/doc/html/rfc6750.html#section-3.1
+		// "If the request lacks any authentication information (e.g., the client
+		// was unaware that authentication is necessary or attempted using an
+		// unsupported authentication method), the resource server SHOULD NOT
+		// include an error code or other error information."
+		assert.strictEqual(createResponse.status, 401);
+		assert.strictEqual(wwwAuthenticate, 'Bearer realm="Misskey"');
 	});

 	// https://datatracker.ietf.org/doc/html/rfc6749.html#section-3.1.2.4