Access to API possible, despite basic auth configuration

[kschroeer]

Bug Report

Q	A
Version(s)	x.y.z

Summary

Current behavior

How to reproduce

Expected behavior

I'm having a problem using basic auth. I created the following configuration:

return [
    'api-tools-mvc-auth' => [
        'authentication' => [
            'http' => [
                'accept_schemes' => ['basic'],
                'realm' => 'my api',
                'htpasswd' => __DIR__ . '/../../data/htpasswd',
            ],
        ],
    ],
];

If I now send a request to my API and include an Authorization header line, the credentaials are checked and the resource is either released if everything is OK, or I receive an HTTP 401 if the credentials are not correct. So far everything is fine and corresponds to my expectations.

If I leave out the Authorization line, I get the following response headers:

WWW-Authenticate: Basic realm="my api"
Strict-Transport-Security: max-age=31536000; includeSubDomains
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type, authorization
Content-Length: 30
Content-Type: application/json

But - and now comes my exact problem - I get access to the resource, i.e. I can request an endpoint, the action in the handler class is executed and I also get a valid response including status code 200 back and the whole thing without that I had to authenticate myself. I would have expected that the methods in the resource class would be "blocked" or the routing would be stopped.