From ec333a7a3384e274c27fe9e38312012c0b1628fd Mon Sep 17 00:00:00 2001
From: Christopher Gebhardt
Date: Fri, 22 Jul 2022 10:26:07 +0200
Subject: [PATCH] fix: Prevent invalid authorization headers from accessing the API

The API is secured by this authorization filter that should prevent access to the API when the auhorization header is invalid. Instead the filter just set the status to 403, but delivered the data anyway. This commit fixes this by explicitly setting the result to an UnauthorizedResult, which prevents access to the API.

#495
---
 Server/Auth/ApiAuthorizationFilter.cs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Server/Auth/ApiAuthorizationFilter.cs b/Server/Auth/ApiAuthorizationFilter.cs
index a303dfd6..4d1d4736 100644
--- a/Server/Auth/ApiAuthorizationFilter.cs
+++ b/Server/Auth/ApiAuthorizationFilter.cs
@@ -33,6 +33,7 @@ namespace Remotely.Server.Auth
 if (headerComponents.Length < 2)
 {
 context.HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+ context.Result = new UnauthorizedResult();
 return;
 };
@@ -49,6 +50,7 @@ namespace Remotely.Server.Auth
 if (authComponents.Length < 2)
 {
 context.HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+ context.Result = new UnauthorizedResult();
 return;
 };
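Review bot: Both hunks now assign two different failure statuses to the same response: the kept context line sets `Response.StatusCode = (int)HttpStatusCode.Forbidden` (403), but the added `context.Result = new UnauthorizedResult();` writes 401 when the result executes, so the 403 assignment becomes dead code and the status observed by clients and in logs no longer matches what the code appears to intend. Pick one status: a missing or malformed Authorization header is conventionally a 401, in which case the Forbidden line should be removed in both places; if 403 is the intended contract, replace the added line with `context.Result = new StatusCodeResult((int)HttpStatusCode.Forbidden);` in both hunks instead. The enclosing method starts and ends outside both hunks, so any other early-return path in it that only sets StatusCode without assigning `context.Result` would presumably still let the action run and should be reviewed the same way. The trailing `};` after each if block is an empty statement and could be dropped while touching these lines.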