Prevent basic auth pages from being indexed (#28)

RealOrangeOne · web-flow · commit 10842aa14874 · 2025-03-10T16:34:53.000Z
diff --git a/baipw/middleware.py b/baipw/middleware.py
@@ -1,7 +1,6 @@
 import ipaddress
 
 from django.conf import settings
-from django.core.exceptions import PermissionDenied
 from django.utils.module_loading import import_string
 
 from .exceptions import Unauthorized
@@ -38,7 +37,7 @@ def process_request(self, request):
         if self._is_basic_auth_configured():
             return self._basic_auth_response(request)
         # Otherwise just deny the access to the website
-        raise PermissionDenied
+        return self.get_error_response(request)
 
     @property
     def basic_auth_login(self):
@@ -48,17 +47,24 @@ def basic_auth_login(self):
     def basic_auth_password(self):
         return getattr(settings, "BASIC_AUTH_PASSWORD", None)
 
-    def get_response_class(self):
+    def get_error_response(self, request):
         try:
-            return import_string(settings.BASIC_AUTH_RESPONSE_CLASS)
+            response_class = import_string(settings.BASIC_AUTH_RESPONSE_CLASS)
         except AttributeError:
-            return HttpUnauthorizedResponse
+            response_class = HttpUnauthorizedResponse
+
+        response = response_class(request=request)
+
+        # Ensure pages can't be indexed, even if authentication is enabled.
+        response.headers["X-Robots-Tag"] = "noindex"
+
+        return response
 
     def _basic_auth_response(self, request):
         try:
             authorize(request, self.basic_auth_login, self.basic_auth_password)
         except Unauthorized:
-            return self.get_response_class()(request=request)
+            return self.get_error_response(request)
 
     def _get_client_ip(self, request):
         function_path = getattr(
diff --git a/baipw/tests/test_integration.py b/baipw/tests/test_integration.py
@@ -32,7 +32,7 @@ def setUp(self):
 
     def test_basic_auth_not_configured(self):
         response = self.client.get("/")
-        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.status_code, 401)
 
     @test.override_settings(
         BASIC_AUTH_LOGIN="test",
diff --git a/baipw/tests/test_middleware.py b/baipw/tests/test_middleware.py
@@ -1,7 +1,6 @@
 from unittest import mock
 from unittest.mock import MagicMock
 
-from django.core.exceptions import PermissionDenied
 from django.test import RequestFactory, TestCase, override_settings
 
 from baipw.middleware import BasicAuthIPWhitelistMiddleware
@@ -18,8 +17,9 @@ def setUp(self):
 
 class TestMiddleware(TestCaseMixin, TestCase):
     def test_no_settings_returns_permission_denied(self):
-        with self.assertRaises(PermissionDenied):
-            self.middleware(self.request)
+        response = self.middleware(self.request)
+        self.assertEqual(response.status_code, 401)
+        self.assertEqual(response.headers["X-Robots-Tag"], "noindex")
 
     @override_settings(
         BASIC_AUTH_LOGIN="testlogin",
@@ -28,6 +28,7 @@ def test_no_settings_returns_permission_denied(self):
     def test_basic_auth_returns_401(self):
         response = self.middleware(self.request)
         self.assertEqual(response.status_code, 401)
+        self.assertEqual(response.headers["X-Robots-Tag"], "noindex")
 
     @override_settings(
         BASIC_AUTH_LOGIN="testlogin",
@@ -236,17 +237,17 @@ def test_http_host_whitelist_fails_check_when_configured_(self):
 
     @override_settings(BASIC_AUTH_WHITELISTED_HTTP_HOSTS=["kernel.org", "dgg.gg"])
     def test_http_host_whitelist_fails_check_with_no_host(self):
-        with self.assertRaises(PermissionDenied):
-            self.middleware(self.request)
+        response = self.middleware(self.request)
+        self.assertEqual(response.status_code, 401)
 
     @override_settings(
         ALLOWED_HOSTS=["www.example.com"],
         BASIC_AUTH_WHITELISTED_HTTP_HOSTS=["kernel.org", "dgg.gg"],
     )
     def test_http_host_whitelist_fails_check_with_wrong_host(self):
         self.request.META["HTTP_HOST"] = "www.example.com"
-        with self.assertRaises(PermissionDenied):
-            self.middleware(self.request)
+        response = self.middleware(self.request)
+        self.assertEqual(response.status_code, 401)
 
     @override_settings(
         BASIC_AUTH_LOGIN="somelogin",
@@ -300,14 +301,14 @@ def test_path_whitelist_fails_check_when_configured(self):
 
     @override_settings(BASIC_AUTH_WHITELISTED_PATHS=["ham/", "eggs/"])
     def test_path_whitelist_fails_check_for_parent_path(self):
-        with self.assertRaises(PermissionDenied):
-            self.middleware(self.request)
+        response = self.middleware(self.request)
+        self.assertEqual(response.status_code, 401)
 
     @override_settings(BASIC_AUTH_WHITELISTED_PATHS=["ham/", "eggs/"])
     def test_path_whitelist_fails_check_with_wrong_path(self):
         self.request.path = "spam/"
-        with self.assertRaises(PermissionDenied):
-            self.middleware(self.request)
+        response = self.middleware(self.request)
+        self.assertEqual(response.status_code, 401)
 
     @override_settings(
         BASIC_AUTH_LOGIN="somelogin",
@@ -330,11 +331,15 @@ def test_path_whitelist_check_when_settings_empty(self):
 
 class TestResponseClass(TestCaseMixin, TestCase):
     def test_get_response_class_when_none_set(self):
-        self.assertIs(self.middleware.get_response_class(), HttpUnauthorizedResponse)
+        self.assertIsInstance(
+            self.middleware.get_error_response(self.request), HttpUnauthorizedResponse
+        )
 
     @override_settings(BASIC_AUTH_RESPONSE_CLASS="baipw.tests.response.TestResponse")
     def test_get_response_class_when_set(self):
-        self.assertIs(self.middleware.get_response_class(), TestResponse)
+        self.assertIsInstance(
+            self.middleware.get_error_response(self.request), TestResponse
+        )
 
     @override_settings(
         BASIC_AUTH_LOGIN="testlogin",
@@ -343,5 +348,5 @@ def test_get_response_class_when_set(self):
     )
     def test_middleware_when_custom_response_set(self):
         response = self.middleware(self.request)
-        self.assertIs(response.__class__, TestResponse)
+        self.assertIsInstance(response, TestResponse)
         self.assertEqual(response.content, b"Test message. :P")
