Zip file HTTP headers lack the header WWW-Authenticate on 403 status #175

Open
@dezgeg

Downloading zip files doesn't work properly if the initial request doesn't contain the Basic authentication header.

For instance, opening http://tmc.mooc.fi/hy/exercises/2817.zip in Chrome doesn't pop up the authentication window.

This also leads to wget not being able to download the zips, complaining about "Unknown authentication scheme.":

tmtynkky@da3-cs-dk110-02:~$ wget 'http://tmc.mooc.fi/hy/exercises/2817.zip' -O /dev/stdout --user foo --password bar
--2014-09-09 16:54:14--  http://tmc.mooc.fi/hy/exercises/2817.zip
Resolving tmc.mooc.fi (tmc.mooc.fi)... 148.251.139.135
Connecting to tmc.mooc.fi (tmc.mooc.fi)|148.251.139.135|:80... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Unknown authentication scheme.
Authorisation failed.

The issue seems to be a lack of WWW-Authenticate header:

tmtynkky@da3-cs-dk110-02:~$ wget -d 'http://tmc.mooc.fi/hy/exercises/2817.zip'
...
---response begin---
HTTP/1.1 401 Unauthorized
Server: nginx/1.4.6 (Ubuntu)
Date: Tue, 09 Sep 2014 13:57:33 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-UA-Compatible: IE=Edge,chrome=1
Cache-Control: no-cache
X-Request-Id: a138cfaedbca76aa7de8770f50c5c747
X-Runtime: 0.156234
X-Rack-Cache: miss
X-Powered-By: Phusion Passenger 4.0.49
Status: 401 Unauthorized

Whereas the WWW-Authenticate header is present when requesting a JSON file, and wget works correctly (by making a second request):

tmtynkky@da3-cs-dk110-02:~$ wget -d 'http://tmc.mooc.fi/hy/courses.json?api_version=7' -O /dev/stdout --user foo --password bar
Setting --output-document (outputdocument) to /dev/stdout
Setting --user (user) to foo
Setting --password (password) to bar
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
--2014-09-09 17:00:56--  http://tmc.mooc.fi/hy/courses.json?api_version=7
Host `tmc.mooc.fi' has not issued a general basic challenge.
Resolving tmc.mooc.fi (tmc.mooc.fi)... 148.251.139.135
Caching tmc.mooc.fi => 148.251.139.135
Connecting to tmc.mooc.fi (tmc.mooc.fi)|148.251.139.135|:80... connected.
Created socket 4.
Releasing 0x00000000009f09b0 (new refcount 1).

---request begin---
GET /hy/courses.json?api_version=7 HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: tmc.mooc.fi
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response... 
---response begin---
HTTP/1.1 401 Unauthorized
Server: nginx/1.4.6 (Ubuntu)
Date: Tue, 09 Sep 2014 14:00:56 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
WWW-Authenticate: Basic realm="Authentication required"
X-UA-Compatible: IE=Edge,chrome=1
Cache-Control: no-cache
X-Request-Id: 1e1caaba35d1b54499938ae8c955236b
X-Runtime: 0.011956
X-Rack-Cache: miss
X-Powered-By: Phusion Passenger 4.0.49
Status: 401 Unauthorized

---response end---
401 Unauthorized
Registered socket 4 for persistent reuse.
Skipping 35 bytes of body: [{"error":"Authentication required"}] done.
Inserted `tmc.mooc.fi' into basic_authed_hosts
Reusing existing connection to tmc.mooc.fi:80.
Reusing fd 4.

---request begin---
GET /hy/courses.json?api_version=7 HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: tmc.mooc.fi
Connection: Keep-Alive
Authorization: Basic bmljZSB0cnkK==

---request end---
HTTP request sent, awaiting response... 
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.4.6 (Ubuntu)
Date: Tue, 09 Sep 2014 14:00:56 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-UA-Compatible: IE=Edge,chrome=1
Cache-Control: must-revalidate, private, max-age=0
X-Request-Id: 57ace806f9662499bf22473ebe83fd21
X-Runtime: 0.017881
X-Rack-Cache: miss
X-Powered-By: Phusion Passenger 4.0.49
ETag: "2fad6243aea82bc3c3901f8cd94f61d2"
Status: 200 OK

This seems to be related:
https://github.com/testmycode/tmc-server/blob/master/app/controllers/application_controller.rb#L139
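
Added example, not part of the original issue and not tmc-server code: a plain-Ruby, Rack-style middleware that adds the Basic challenge seen in the JSON response above to any 401 that lacks one, so the zip and JSON endpoints behave the same. The class name `EnsureAuthChallenge`, the helper `response_headers` and the stand-in apps are hypothetical.

```ruby
# Added example, not tmc-server code. Rack-style middleware (plain Ruby, no gems)
# that guarantees every 401 response carries a WWW-Authenticate challenge,
# which clients such as wget and browsers need before they send credentials.
class EnsureAuthChallenge
  # Realm copied from the JSON response shown in the issue.
  DEFAULT_CHALLENGE = 'Basic realm="Authentication required"'.freeze

  def initialize(app, challenge: DEFAULT_CHALLENGE)
    @app = app
    @challenge = challenge
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Only touch 401s that have no challenge; leave existing challenges alone.
    if status.to_i == 401 && !challenge_present?(headers)
      headers = headers.merge('WWW-Authenticate' => @challenge)
    end
    [status, headers, body]
  end

  private

  # HTTP header names are case-insensitive, so compare without regard to case.
  def challenge_present?(headers)
    headers.keys.any? { |name| name.to_s.casecmp?('www-authenticate') }
  end
end

# Constructed stand-ins for the two endpoints in the issue (hypothetical apps).
ZIP_APP = lambda do |_env|
  [401, { 'Content-Type' => 'text/plain; charset=utf-8' }, ['Authentication required']]
end
JSON_APP = lambda do |_env|
  [401, { 'Content-Type' => 'application/json; charset=utf-8',
          'WWW-Authenticate' => 'Basic realm="Authentication required"' },
   ['[{"error":"Authentication required"}]']]
end
OK_APP = ->(_env) { [200, { 'Content-Type' => 'application/zip' }, ['PK']] }

# Runs one request through the middleware and returns the response headers.
def response_headers(app, path)
  _status, headers, _body = EnsureAuthChallenge.new(app).call({ 'PATH_INFO' => path })
  headers
end
```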
