refactor: remove Challenge() method; use w.Header().Set("WWW-Authenticate", ...) directly

Co-authored-by: coolaj86 <122831+coolaj86@users.noreply.github.com>
2026-03-02 15:47:59 +00:00 · 2026-03-02 08:10:17 +00:00 · 2026-03-02 08:10:17 +00:00 · 9b79800b07
commit 9b79800b07
parent 0b05b30129
4 changed files with 24 additions and 18 deletions
--- a/auth/request.go
+++ b/auth/request.go
@ -37,15 +37,22 @@ type RequestAuthenticator struct {
 	// e.g. []string{"access_token", "token"}.
 	TokenQueryParams []string

-	// WWWAuthenticate is the value sent in the WWW-Authenticate response header
-	// when Challenge is called. An empty string disables the header.
+	// WWWAuthenticate is the suggested value for the WWW-Authenticate response
+	// header. Set it on the response before writing a 401 Unauthorized so that
+	// clients know which auth scheme to use. An empty string means no header.
 	// NewRequestAuthenticator sets this to "Basic".
+	//
+	// Example:
+	//
+	//	if ra.WWWAuthenticate != "" {
+	//		w.Header().Set("WWW-Authenticate", ra.WWWAuthenticate)
+	//	}
 	WWWAuthenticate string
 }

 // NewRequestAuthenticator returns a RequestAuthenticator with sane defaults:
 // Basic Auth enabled, Bearer/Token Authorization schemes, common API-key
-// headers, access_token/token query params, and WWW-Authenticate: Basic.
+// headers, access_token/token query params, and WWWAuthenticate "Basic".
 func NewRequestAuthenticator() *RequestAuthenticator {
 	return &RequestAuthenticator{
 		AuthenticateBasic:    true,
@ -56,15 +63,6 @@ func NewRequestAuthenticator() *RequestAuthenticator {
 	}
 }

-// Challenge sets the WWW-Authenticate response header to ra.WWWAuthenticate
-// when it is non-empty. Call this before writing a 401 Unauthorized response
-// so that clients know which auth scheme to use.
-func (ra *RequestAuthenticator) Challenge(w http.ResponseWriter) {
-	if ra.WWWAuthenticate != "" {
-		w.Header().Set("WWW-Authenticate", ra.WWWAuthenticate)
-	}
-}
-
 // Authenticate extracts credentials from r in this order:
 //  1. Basic Auth (Authorization: Basic …)
 //  2. Authorization: <scheme> <token> (filtered by AuthorizationSchemes)
--- a/auth/request_example_test.go
+++ b/auth/request_example_test.go
@ -17,8 +17,8 @@ func (exampleCreds) Authenticate(username, password string) (auth.BasicPrinciple
 // ExampleRequestAuthenticator shows the typical usage pattern.
 // Build a RequestAuthenticator once (at startup), attach your credential
 // store as the Authenticator, then call Authenticate in each handler.
-// Call Challenge before writing a 401 so the browser knows which scheme
-// to offer.
+// Set the WWW-Authenticate header before writing a 401 so the browser
+// knows which scheme to offer.
 func ExampleRequestAuthenticator() {
 	ra := auth.NewRequestAuthenticator()
 	ra.Authenticator = exampleCreds{} // swap in your real credential store
@ -26,7 +26,9 @@ func ExampleRequestAuthenticator() {
 	http.HandleFunc("/api/", func(w http.ResponseWriter, r *http.Request) {
 		principle, err := ra.Authenticate(r)
 		if err != nil {
-			ra.Challenge(w) // sets WWW-Authenticate: Basic
+			if ra.WWWAuthenticate != "" {
+				w.Header().Set("WWW-Authenticate", ra.WWWAuthenticate)
+			}
 			http.Error(w, "Unauthorized", http.StatusUnauthorized)
 			return
 		}
--- a/cmd/auth-proxy/main.go
+++ b/cmd/auth-proxy/main.go
@ -402,7 +402,9 @@ func (cli *MainConfig) newAuthProxyHandler(targetURL string) http.Handler {

 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if !cli.authorize(r) {
-			cli.ra.Challenge(w)
+			if cli.ra.WWWAuthenticate != "" {
+				w.Header().Set("WWW-Authenticate", cli.ra.WWWAuthenticate)
+			}
 			http.Error(w, "Unauthorized", http.StatusUnauthorized)
 			return
 		}
--- a/cmd/smsapid/main.go
+++ b/cmd/smsapid/main.go
@ -146,13 +146,17 @@ func requireSMSPermission(permission string) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if smsAuth == nil {
-				smsRequestAuth.Challenge(w)
+				if smsRequestAuth.WWWAuthenticate != "" {
+					w.Header().Set("WWW-Authenticate", smsRequestAuth.WWWAuthenticate)
+				}
 				http.Error(w, "Unauthorized", http.StatusUnauthorized)
 				return
 			}
 			cred, err := smsRequestAuth.Authenticate(r)
 			if err != nil || !hasSMSPermission(cred.Permissions(), permission) {
-				smsRequestAuth.Challenge(w)
+				if smsRequestAuth.WWWAuthenticate != "" {
+					w.Header().Set("WWW-Authenticate", smsRequestAuth.WWWAuthenticate)
+				}
 				http.Error(w, "Unauthorized", http.StatusUnauthorized)
 				return
 			}