Unauthenticated REST response contains invalid `WWW-Authenticate` header

[blaugold]

Description

Unauthenticated REST responses contain an invalid WWW-Authenticate header. This is a problem for HTTP clients that implement the general HTTP authentication framework. In my case, Dart's HttpClient chokes on the invalid header value and throws an exception instead of continuing to process the response.

Steps to Reproduce

1. Start a nakama instance
2. Make an unauthenticated request against the REST API: curl -v -X POST localhost:7350/v2/session/logout

Expected Result

The response should either contain no WWW-Authenticate header, or one that adheres to the specification, e.g. Basic realm=<realm>.

Actual Result

curl -v -X POST localhost:7350/v2/session/logout

* Host localhost:7350 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:7350...
* Connected to localhost (::1) port 7350
> POST /v2/session/logout HTTP/1.1
> Host: localhost:7350
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 401 Unauthorized
< Cache-Control: no-store, no-cache, must-revalidate
< Content-Type: application/json
< Vary: Accept-Encoding
< Www-Authenticate: Auth token required
< Date: Wed, 14 Aug 2024 16:26:10 GMT
< Content-Length: 44
< 
* Connection #0 to host localhost left intact
{"code":16, "message":"Auth token required"}%  

Your Environment

• Nakama: 3.23.0

[linear]

NK-590 Unauthenticated REST response contains invalid `WWW-Authenticate` header

[luchenkan]

I encountered the same problem.

[luchenkan]

private static readonly string nakamaApiUrl = "http://127.0.0.1:7350/v2/account/authenticate/device?create=true";
private static readonly string nakamaApiLogoutUrl = "http://127.0.0.1:7350/v2/session/logout";
private static readonly string nakamaApiKey = "defaultkey";
private static string nakamaAuthToken = "nakama.autoToken";

static async Task Main(string[] args)
{
	await AuthenticateDevice();
	await LogOut();
}

static async Task AuthenticateDevice()
{
	try
	{
		var authHeader = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{nakamaApiKey}:"));

		var client = new HttpClient();
		client.DefaultRequestHeaders.Add("Authorization", $"Basic {authHeader}");

		var postData = new { id = "someuniqueidentifier" };
		var json = Newtonsoft.Json.JsonConvert.SerializeObject(postData);
		var content = new StringContent(json, Encoding.UTF8, "application/json");

		var response = await client.PostAsync(nakamaApiUrl, content);

		if (response.IsSuccessStatusCode)
		{
			var responseContent = await response.Content.ReadAsStringAsync();
			var responseJson = JObject.Parse(responseContent);

			Console.WriteLine("Authentication successful.");
			Console.WriteLine($"Session Token: {responseJson["token"]}");
			if(responseJson.ContainsKey("token"))
				nakamaAuthToken = responseJson["token"].ToString();
		}
		else
		{
			Console.WriteLine($"Error authenticating device: {response.StatusCode}");
		}
	}
	catch (Exception ex)
	{
		Console.WriteLine($"Error occurred: {ex.Message}");
		Console.WriteLine("Please check the URL and network connection. If the issue persists, ensure the URL is correct and the server is running.");
	}
}

static async Task LogOut()
{
	try
	{
		var client = new HttpClient();
		client.DefaultRequestHeaders.Add("Authorization", $"Bearer {nakamaAuthToken}");

		var response = await client.PostAsync($"{nakamaApiLogoutUrl}", null);

		if (response.IsSuccessStatusCode)
		{
			var content = await response.Content.ReadAsStringAsync();
			var matches = JObject.Parse(content);
		}
		else
		{
			Console.WriteLine($"Error : {response.StatusCode}");
		}
	}
	catch (Exception ex)
	{
		Console.WriteLine($"Error occurred: {ex.Message}");
	}
}

The code above works fine.