Merge pull request #721 from skateman/sui-ajax-auth

Distinguish between SUI AJAX basic auth and regular basic auth (cherry picked from commit a865ab3) Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1785357
ManageIQ · Dec 19, 2019 · 73229ba · 73229ba
1 parent 0df1575
commit 73229ba
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/app/controllers/api/base_controller/authentication.rb b/app/controllers/api/base_controller/authentication.rb
@@ -11,7 +11,8 @@ def auth_mechanism
         elsif request.headers["HTTP_AUTHORIZATION"] && params[:requester_type] == 'ui'
           :basic_ui
         elsif request.headers["HTTP_AUTHORIZATION"]
-          :basic
+          # For AJAX requests the basic auth type should be distinguished
+          request.headers['X-REQUESTED-WITH'] == 'XMLHttpRequest' ? :basic_async : :basic
         else
           # no attempt at authentication, usually falls back to :basic
           nil
@@ -27,7 +28,7 @@ def require_api_user_or_token
           authenticate_with_system_token(request.headers[HttpHeaders::MIQ_TOKEN])
         when :token
           authenticate_with_user_token(request.headers[HttpHeaders::AUTH_TOKEN])
-        when :basic, :basic_ui, nil
+        when :basic, :basic_ui, :basic_async, nil
           success = authenticate_with_http_basic do |u, p|
             begin
               timeout = ::Settings.api.authentication_timeout.to_i_with_method
@@ -44,7 +45,7 @@ def require_api_user_or_token
         api_log_error("AuthenticationError: #{e.message}")
         response.headers["Content-Type"] = "application/json"
         case auth_mechanism
-        when :system, :token, :basic_ui
+        when :system, :token, :basic_ui, :basic_async
           render :status => 401, :json => ErrorSerializer.new(:unauthorized, e).serialize(true).to_json
         when :basic, nil
           request_http_basic_authentication("Application", ErrorSerializer.new(:unauthorized, e).serialize(true).to_json)