Fix WWW-Authenticate header when empty attributes

hapijs · Dec 5, 2023 · 2137697 · 2137697
1 parent d277413
commit 2137697
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 7 deletions.
diff --git a/lib/index.js b/lib/index.js
@@ -219,14 +219,14 @@ exports.unauthorized = function (message, scheme, attributes) {          // Or (
 
     // function (message, scheme, attributes)
 
-    let wwwAuthenticate = `${scheme}`;
+    let stringified = '';
 
     if (attributes) {
         if (typeof attributes === 'string') {
-            wwwAuthenticate += ' ' + Hoek.escapeHeaderAttribute(attributes);
+            stringified += Hoek.escapeHeaderAttribute(attributes);
         }
         else {
-            wwwAuthenticate += ' ' + Object.keys(attributes).map((name) => {
+            stringified += Object.keys(attributes).map((name) => {
 
                 const value = attributes[name] ?? '';
 
@@ -237,17 +237,17 @@ exports.unauthorized = function (message, scheme, attributes) {          // Or (
     }
 
     if (message) {
-        if (attributes) {
-            wwwAuthenticate += ',';
+        if (stringified) {
+            stringified += ', ';
         }
 
-        wwwAuthenticate += ` error="${Hoek.escapeHeaderAttribute(message)}"`;
+        stringified += `error="${Hoek.escapeHeaderAttribute(message)}"`;
     }
     else {
         err.isMissing = true;
     }
 
-    err.output.headers['WWW-Authenticate'] = wwwAuthenticate;
+    err.output.headers['WWW-Authenticate'] = stringified ? `${scheme} ${stringified}` : `${scheme}`;
     return err;
 };
 

diff --git a/test/index.js b/test/index.js
@@ -359,6 +359,13 @@ describe('Boom', () => {
             expect(err.output.headers['WWW-Authenticate']).to.equal('Test a="1", b="something", c="", d="0", error="boom"');
         });
 
+        it('returns a WWW-Authenticate header when passed a scheme and empty attributes', () => {
+
+            const err = Boom.unauthorized('boom', 'Test', {});
+            expect(err.output.statusCode).to.equal(401);
+            expect(err.output.headers['WWW-Authenticate']).to.equal('Test error="boom"');
+        });
+
         it('returns a WWW-Authenticate header from string input instead of object', () => {
 
             const err = Boom.unauthorized(null, 'Negotiate', 'VGhpcyBpcyBhIHRlc3QgdG9rZW4=');