From 30e9bcc492ffa81dabfd316a295ff4d20daaec3b Mon Sep 17 00:00:00 2001
From: Xavier Del Campo Romero <xavi92@disroot.org>
Date: Sat, 13 Jun 2026 09:38:00 +0200
Subject: Report missing authentication

Previously, HTTP error 403 was returned if an unauthenticated user
attempted to access a file or directory inside /user/. However, this
error message confusing because, most often, it was caused by legitimate
users with missing or expired HTTP cookies. While the usual workaround
was to access /index.html and authenticate, this was too confusing to
some users.
---
 main.c |  2 +-
 page.c | 33 +++++++++++++++++++++++++++++++++
 page.h |  1 +
 3 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/main.c b/main.c
index 6ad0cf7..ff05fd4 100644
--- a/main.c
+++ b/main.c
@@ -1021,7 +1021,7 @@ static int getnode(const struct http_payload *const p,
     if (auth_cookie(a, &p->cookie))
     {
         fprintf(stderr, "%s: auth_cookie failed\n", __func__);
-        return page_forbidden(r);
+        return page_missing_login(r);
     }
     else if (path_invalid(resource))
     {
diff --git a/page.c b/page.c
index 27c277d..6f4ca17 100644
--- a/page.c
+++ b/page.c
@@ -2051,6 +2051,39 @@ int page_failed_login(struct http_response *const r)
     return 0;
 }
 
+int page_missing_login(struct http_response *const r)
+{
+    static const char index[] =
+        DOCTYPE_TAG
+        "<html>\n"
+        "   <head>\n"
+        "       " COMMON_HEAD "\n"
+        "       " STYLE_A "\n"
+        "   </head>\n"
+        "   <body>\n"
+        "       <div class=\"userform\">\n"
+        "           <label>Please authenticate to continue.</label>\n"
+        "       </div>\n"
+                LOGIN_BODY
+        "   </body>\n"
+        "</html>\n";
+
+    *r = (const struct http_response)
+    {
+        .status = HTTP_STATUS_UNAUTHORIZED,
+        .buf.ro = index,
+        .n = sizeof index - 1
+    };
+
+    if (http_response_add_header(r, "Content-Type", "text/html"))
+    {
+        fprintf(stderr, "%s: http_response_add_header failed\n", __func__);
+        return -1;
+    }
+
+    return 0;
+}
+
 int page_login(struct http_response *const r)
 {
     static const char index[] =
diff --git a/page.h b/page.h
index 8b1e9a0..6ab28ea 100644
--- a/page.h
+++ b/page.h
@@ -40,6 +40,7 @@ struct page_rm
 int page_login(struct http_response *r);
 int page_style(struct http_response *r, const char *path);
 int page_failed_login(struct http_response *r);
+int page_missing_login(struct http_response *r);
 int page_forbidden(struct http_response *r);
 int page_bad_request(struct http_response *r);
 int page_not_found(struct http_response *r);
-- 
cgit v1.2.3