[BUGFIX] Correct JSON response on unauthorized access exception (#151)

mabolek · web-flow · commit 10cf320fd83e · 2026-05-21T10:47:26.000-05:00
Unauthorized requests return a correct JSON response, also when the authorization header is missing or the method is wrong.
diff --git a/Classes/Authentication/HttpBackendUserAuthentication.php b/Classes/Authentication/HttpBackendUserAuthentication.php
@@ -61,14 +61,12 @@ public function getLoginFormData(ServerRequestInterface $request)
             );
         }
 
-        $authorizationHeader = $request->getHeader('authorization')[0]
-            ?? $request->getHeader('redirect_http_authorization')[0]
-            ?? '';
+        $authorizationHeader = $this->resolveAuthorizationHeader($request);
 
         [$scheme, $authorizationData] = GeneralUtility::trimExplode(' ', $authorizationHeader, true);
 
         if ($scheme === null) {
-            throw new InvalidArgumentException(
+            throw new UnauthorizedAccessException(
                 'No authorization scheme provided.',
                 $request
             );
@@ -109,9 +107,7 @@ public function getLoginFormData(ServerRequestInterface $request)
      */
     protected function authenticateBearerToken(ServerRequestInterface $request): void
     {
-        $authorizationHeader = $request->getHeader('authorization')[0]
-            ?? $request->getHeader('redirect_http_authorization')[0]
-            ?? '';
+        $authorizationHeader = $this->resolveAuthorizationHeader($request);
 
         [$scheme, $token] = GeneralUtility::trimExplode(' ', $authorizationHeader, true);
 
@@ -154,4 +150,19 @@ protected function getAuthServiceConfiguration(): array
 
         return $configuration;
     }
+
+    /**
+     * @param ServerRequestInterface $request
+     * @return string
+     * @throws UnauthorizedAccessException if no authorization scheme is provided.
+     */
+    protected function resolveAuthorizationHeader(ServerRequestInterface $request): string
+    {
+        return $request->getHeader('authorization')[0]
+            ?? $request->getHeader('redirect_http_authorization')[0]
+            ?? throw new UnauthorizedAccessException(
+                'No authorization scheme provided.',
+                $request
+            );
+    }
 }
diff --git a/Classes/Router/HttpRequestRouter.php b/Classes/Router/HttpRequestRouter.php
@@ -37,8 +37,6 @@ class HttpRequestRouter
      */
     public static function route(ServerRequestInterface $request): ResponseInterface
     {
-        self::initialize($request);
-
         $extensionConfiguration = GeneralUtility::makeInstance(ExtensionConfiguration::class);
 
         $entryPoint = substr(
@@ -54,6 +52,8 @@ public static function route(ServerRequestInterface $request): ResponseInterface
         );
 
         try {
+            self::initialize($request);
+
             if (($entryPointParts[0] ?? null) === 'authenticate') {
                 return GeneralUtility::makeInstance(
                     AuthenticateRequestHandler::class,
