added missing header and test

Signed-off-by: Neil South <neil.south@answerdigital.com>

Author: neildsouth

src/Authentication/Configurations/BasicAuthOptions.cs

@@ -1,4 +1,18 @@
-
+/*
+ * Copyright 2022 MONAI Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 
 using Microsoft.Extensions.Configuration;
 

src/Authentication/Middleware/BasicAuthorizationMiddleware.cs

@@ -22,6 +22,7 @@
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Monai.Deploy.Security.Authentication.Configurations;
+using Monai.Deploy.Security.Authentication.Extensions;
 
 namespace Monai.Deploy.Security.Authentication.Middleware
 {
@@ -56,18 +57,21 @@ public async Task InvokeAsync(HttpContext httpContext)
             try
             {
                 var authHeader = AuthenticationHeaderValue.Parse(httpContext.Request.Headers["Authorization"]);
-                var credentialBytes = Convert.FromBase64String(authHeader.Parameter);
-                var credentials = Encoding.UTF8.GetString(credentialBytes).Split(':', 2);
-                var username = credentials[0];
-                var password = credentials[1];
-                if (string.Compare(username, _options.Value.BasicAuth.Id, false) is 0 &&
-                    string.Compare(password, _options.Value.BasicAuth.Password, false) is 0)
+                if (authHeader.Scheme == "Basic")
                 {
-                    var claims = new[] { new Claim("name", credentials[0]) };
-                    var identity = new ClaimsIdentity(claims, "Basic");
-                    var claimsPrincipal = new ClaimsPrincipal(identity);
-                    httpContext.User = claimsPrincipal;
-                    return;
+                    var credentialBytes = Convert.FromBase64String(authHeader.Parameter);
+                    var credentials = Encoding.UTF8.GetString(credentialBytes).Split(':', 2);
+                    var username = credentials[0];
+                    var password = credentials[1];
+                    if (string.Compare(username, _options.Value.BasicAuth.Id, false) is 0 &&
+                        string.Compare(password, _options.Value.BasicAuth.Password, false) is 0)
+                    {
+                        var claims = new[] { new Claim("name", credentials[0]) };
+                        var identity = new ClaimsIdentity(claims, "Basic");
+                        var claimsPrincipal = new ClaimsPrincipal(identity);
+                        httpContext.User = claimsPrincipal;
+                        return;
+                    }
                 }
             }
             catch (Exception ex)

src/Authentication/Tests/EndpointAuthorizationMiddlewareTest.cs

@@ -152,7 +152,7 @@ public async Task GivenConfigurationFileWithBasicConfigured_WhenUserIsNotAuthent
         }
 
         [Fact]
-        public async Task GivenConfigurationFileWithBasicConfigured_WhenUserIsAuthenticated_ExpectToDenyRequest()
+        public async Task GivenConfigurationFileWithBasicConfigured_WhenUserIsAuthenticated_ExpectToAllowRequest()
         {
             using var host = await new HostBuilder().ConfigureWebHost(SetupWebServer("test.basic.json")).StartAsync().ConfigureAwait(false);
 
@@ -165,6 +165,20 @@ public async Task GivenConfigurationFileWithBasicConfigured_WhenUserIsAuthentica
 
             Assert.Equal(HttpStatusCode.OK, responseMessage.StatusCode);
         }
+        [Fact]
+        public async Task GivenConfigurationFileWithBasicConfigured_WhenHeaderIsInvalid_ExpectToDenyRequest()
+        {
+            using var host = await new HostBuilder().ConfigureWebHost(SetupWebServer("test.basic.json")).StartAsync().ConfigureAwait(false);
+
+            var server = host.GetTestServer();
+            server.BaseAddress = new Uri("https://example.com/");
+
+            var client = server.CreateClient();
+            client.DefaultRequestHeaders.Add("Authorization", $"BasicBad {Convert.ToBase64String(Encoding.UTF8.GetBytes("user:pass"))}");
+            var responseMessage = await client.GetAsync("api/Test").ConfigureAwait(false);
+
+            Assert.Equal(HttpStatusCode.Unauthorized, responseMessage.StatusCode);
+        }
 
         private static Action<IWebHostBuilder> SetupWebServer(string configFile) => webBuilder =>
         {