From 48af91c97678f4c5361d9b7e7aa0e8686df1eaf0 Mon Sep 17 00:00:00 2001
From: Owen
Date: Mon, 13 Oct 2025 15:20:04 -0700
Subject: [PATCH] Return unauthorized if header auth is the only one

---
 messages/en-US.json | 2 +-
 server/routers/badger/verifySession.ts | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index 01047ecd..f7be36b6 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1754,7 +1754,7 @@
 "resourceHeaderAuthSetup": "Header Authentication set successfully",
 "resourceHeaderAuthSetupDescription": "Header authentication has been successfully set.",
 "resourceHeaderAuthSetupTitle": "Set Header Authentication",
- "resourceHeaderAuthSetupTitleDescription": "Set the basic auth credentials (username and password) to protect this resource with HTTP Header Authentication. Leave both fields blank to remove existing header authentication.",
+ "resourceHeaderAuthSetupTitleDescription": "Set the basic auth credentials (username and password) to protect this resource with HTTP Header Authentication. Access it using the format https://username:password@resource.example.com",
 "resourceHeaderAuthSubmit": "Set Header Authentication",
 "actionSetResourceHeaderAuth": "Set Header Authentication",
 "enterpriseEdition": "Enterprise Edition",
diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts
index 4921d43f..b1692dce 100644
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -314,6 +314,11 @@ export async function verifyResourceSession(
 logger.debug("Resource allowed because header auth is valid");
 return allowed(res);
 }
+
+ // if there are no other auth methods we need to return unauthorized here
+ if (!sso && !pincode && !password && !resource.emailWhitelistEnabled) {
+ return notAllowed(res);
+ }
 }
 if (!sessions) {
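Review bot: The new rejection path returns `notAllowed(res)` without any log line, while the sibling success branch two lines above records `logger.debug("Resource allowed because header auth is valid")`; a failed header-auth attempt on a resource where it is the only configured method is precisely the event an operator needs when investigating credential guessing or a misconfigured client, so add `logger.debug("Resource not allowed because header auth failed and no other auth methods are configured")` before the return. The condition also mixes bare locals (`sso`, `pincode`, `password`) with `resource.emailWhitelistEnabled`; presumably the three locals were derived from the same resource record earlier in the function, but if any of them is a request-supplied value the comment should say so, since "no other auth methods" would then mean "none attempted" rather than "none configured". The hand-maintained list of methods must be extended whenever verifyResourceSession gains another one, which is easy to miss in a fail-open direction; a short comment such as `// keep in sync with the auth methods evaluated below` would flag that coupling. The enclosing function verifyResourceSession starts and ends outside the hunk.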