better handle missing auth header, set explicit response types to not get warnings...
[authserver.git] / app / api.php
index 10d43edd0d1461cb9119f1b08616642e245124b5..0efc179417910781b9d425af8c775126dead0bce 100644 (file)
@@ -24,7 +24,12 @@ if (!count($errors)) {
   // Handle a request to a resource and authenticate the access token
   $token_OK = $server->verifyResourceRequest(OAuth2\Request::createFromGlobals());
   if (!$token_OK) {
-    $server->getResponse()->send();
+    $response = $server->getResponse();
+    if (!count($response->getParameters())) {
+      // We get an empty response if we don't get any auth header. Let's actually note that explicitly.
+      $response->setError($response->getStatusCode(), 'auth_missing', 'Authentication missing');
+    }
+    $response->send();
     if ($settings['piwik_enabled']) { $piwikTracker->doTrackPageView('API Request: Bad Token'); }
     exit();
   }
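Review bot: The new branch at `if (!count($response->getParameters()))` treats every empty parameter set as "no auth header" and passes `$response->getStatusCode()` through unchecked, so the error body goes out with whatever status the library left on the response. Pinning the status makes the rejection unambiguous: `$response->setError(401, 'auth_missing', 'Authentication missing');`. `auth_missing` is not one of the RFC 6750 bearer error codes (`invalid_request`, `invalid_token`, `insufficient_scope`), so the comment should say it is a project-specific code that clients must handle separately. The tracking call after `send()` still records 'API Request: Bad Token' for this case, so requests without credentials cannot be told apart from invalid tokens in the analytics; a separate label would make unauthenticated probing easier to spot. The enclosing `if (!count($errors))` block starts and ends outside the hunk.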