BasicAuth fails in scary ways when using Classic() + static content

[geofffranks]

Based on the readme, I should be able to do something like:

m := martini.Classic()
m.Use(auth.Basic("username", "secretpassword"))
m.Run()

However, when serving static files via "./public" under Classic mode, none of the static files are authenticated, unless their content does not exist (all content that exists is not subject to basic auth).

You can verify the tests by modifying them like this:

diff --git a/basic_test.go b/basic_test.go
index b4f057b..616d756 100644
--- a/basic_test.go
+++ b/basic_test.go
@@ -13,11 +13,14 @@ func Test_BasicAuth(t *testing.T) {

        auth := "Basic " + base64.StdEncoding.EncodeToString([]byte("foo:bar"))

-       m := martini.New()
+       m := martini.Classic()
        m.Use(Basic("foo", "bar"))
        m.Use(func(res http.ResponseWriter, req *http.Request, u User) {
                res.Write([]byte("hello " + u))
        })
+       m.Get("/foo", func() string {
+               return "bar"
+       })

        r, _ := http.NewRequest("GET", "foo", nil)

If the "public/foo" file exists, tests fail with this:

$ go test
[martini] Started GET foo for
[martini] [Static] Serving foo
[martini] Completed 200 OK in 5.934997ms
[martini] Started GET foo for
[martini] [Static] Serving foo
[martini] Completed 200 OK in 43.234µs
--- FAIL: Test_BasicAuth (0.01s)
    basic_test.go:30: Response not 401
    basic_test.go:46: Auth failed, got:
FAIL
exit status 1
FAIL    github.com/martini-contrib/auth 0.013s

If "public/foo" does not exist, tests pass:

$ go test
[martini] Started GET foo for
[martini] Completed 401 Unauthorized in 92.823µs
[martini] Started GET foo for
[martini] Completed 200 OK in 15.74µs
PASS
ok      github.com/martini-contrib/auth 0.007s

[codegangsta]

This is as designed. Things in the public folder should be treated as
public. If you want static files that are authenticated then you should add
a static middleware after the BasicAuth middleware

On Thu, Jun 11, 2015, 11:22 AM Geoff Franks notifications@github.com
wrote:

Based on the readme, I should be able to do something like:

m := martini.Classic()
m.Use(auth.Basic("username", "secretpassword"))
m.Run()

However, when serving static files via "./public" under Classic mode, none
of the static files are authenticated, unless their content does not exist
(all content that exists is not subject to basic auth).

You can verify the tests by modifying them like this:

diff --git a/basic_test.go b/basic_test.go
index b4f057b..616d756 100644
--- a/basic_test.go
+++ b/basic_test.go
@@ -13,11 +13,14 @@ func Test_BasicAuth(t *testing.T) {

    auth := "Basic " + base64.StdEncoding.EncodeToString([]byte("foo:bar"))

•   m := martini.New()
  

•   m := martini.Classic()
  m.Use(Basic("foo", "bar"))
  m.Use(func(res http.ResponseWriter, req *http.Request, u User) {
          res.Write([]byte("hello " + u))
  })
  

•   m.Get("/foo", func() string {
  

•           return "bar"
  

•   })
  
  r, _ := http.NewRequest("GET", "foo", nil)
  

If the "public/foo" file exists, tests fail with this:

$ go test
[martini] Started GET foo for
[martini] [Static] Serving foo
[martini] Completed 200 OK in 5.934997ms
[martini] Started GET foo for
[martini] [Static] Serving foo
[martini] Completed 200 OK in 43.234µs
--- FAIL: Test_BasicAuth (0.01s)
basic_test.go:30: Response not 401
basic_test.go:46: Auth failed, got:
FAIL
exit status 1
FAIL github.com/martini-contrib/auth 0.013s

If "public/foo" does not exist, tests pass:

$ go test
[martini] Started GET foo for
[martini] Completed 401 Unauthorized in 92.823µs
[martini] Started GET foo for
[martini] Completed 200 OK in 15.74µs
PASS
ok github.com/martini-contrib/auth 0.007s

—
Reply to this email directly or view it on GitHub
#19.

[geofffranks]

That should be made more apparent in the README then, as

func main() {
  m := martini.Classic()
  // authenticate every request
  m.Use(auth.Basic("username", "secretpassword"))
  m.Run()
}

makes it seem like every request to the app will then be authenticated.