Set headers before content

internal/webserver/authenticators/pam.go

@@ -118,15 +118,17 @@ func (t *Pam) AuthorisationAPI(w http.ResponseWriter, r *http.Request) {
 	challenge, err := user.Authenticate(clientTunnelIp.String(), t.Type(), t.AuthoriseFunc(w, r))
 
 	msg, status := resultMessage(err)
+	if err != nil {
+		w.Header().Set("WAG-CHALLENGE", challenge)
+	}
+
 	jsonResponse(w, msg, status)
 
 	if err != nil {
 		log.Println(user.Username, clientTunnelIp, "failed to authorise: ", err.Error())
 		return
 	}
 
-	w.Header().Set("WAG-CHALLENGE", challenge)
-
 	log.Println(user.Username, clientTunnelIp, "authorised")
 
 }

internal/webserver/authenticators/totp.go

@@ -176,6 +176,9 @@ func (t *Totp) AuthorisationAPI(w http.ResponseWriter, r *http.Request) {
 	}
 
 	challenge, err := user.Authenticate(clientTunnelIp.String(), t.Type(), t.AuthoriseFunc(w, r))
+	if err != nil {
+		w.Header().Set("WAG-CHALLENGE", challenge)
+	}
 
 	msg, status := resultMessage(err)
 	jsonResponse(w, msg, status)
@@ -186,8 +189,6 @@ func (t *Totp) AuthorisationAPI(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	w.Header().Set("WAG-CHALLENGE", challenge)
-
 	log.Println(user.Username, clientTunnelIp, "authorised")
 
 }

internal/webserver/authenticators/webauthn.go

@@ -158,15 +158,18 @@ func (wa *Webauthn) RegistrationAPI(w http.ResponseWriter, r *http.Request) {
 			})
 
 		msg, status := resultMessage(err)
+
+		if err != nil {
+			w.Header().Set("WAG-CHALLENGE", challenge)
+		}
+
 		jsonResponse(w, msg, status) // Send back an error message before we do the server side of handling it
 
 		if err != nil {
 			log.Println(user.Username, clientTunnelIp, "failed to authorise: ", err.Error())
 			return
 		}
 
-		w.Header().Set("WAG-CHALLENGE", challenge)
-
 		log.Println(user.Username, clientTunnelIp, "authorised")
 
 		log.Println(user.Username, clientTunnelIp, "registered new webauthn key")