Exception shown on 401 Unauthorized

Add test fail patch.

Changed the failing-test patch accordingly to #3

This test should fail: it is made for that. Here it does not (in #4) because the stacktrace contains the "Unauthorized" field :
Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException: No authentication credentials provided. in Drupal\basic_auth\Authentication\Provider\BasicAuth->challengeException() (line 138 of core\modules\basic_auth\src\Authentication\Provider\BasicAuth.php).
So it take rework to actually figure out it the display is a stracktrace or a user friendly message.
Anyone have a clue on that ?

Try another way : check no "Exception" text is displayed.

Interdiff :
$this->assertText('Unauthorized', "A user friendly access unauthorized message is displayed");
changed to
$this->assertNoText('Exception', "A user friendly access unauthorized message is displayed");

Adding patch fix to be reviewed.

@Dom.: The reason why the stacktrace is displayed is because we explicitly enable verbose logging in tests (see WebTestBase::setUp() line 918). There is a test in ErrorHandlerTest.php which makes sure that no backtrace is displayed if the error_level is not verbose. Also note that error_level defaults to hide (see core/modules/system/config/install/system.logging.yml).

Therefore I do not think that there is anything to do here in this issue.

Still with standard profile, and error page is sent instead of a nice 401 page. Plus the exception is in the logfile.

I forgot a wording was actually available in the issue summary.
- Simply changed the 401 page wording regarding this new.
- Also added a test for this sentence thus in BasicAuthTest.php

Note: I still think it would be better to ask for credentials instead of login since it more in conjunction with the reason why 401 happens regarding authentication (basic, oauth or whatever).

Interdiff:
'#markup' => $this->t('Please provide valid credentials.'),
changed to :
'#markup' => $this->t('Please log in to access this page.'),

$this->assertNoText('Exception', "A user friendly access unauthorized message is displayed");
changed to :
$this->assertNoText('Exception', "No raw exception is displayed on the page.");
and added :
$this->assertText('Please log in to access this page.', "A user friendly access unauthorized message is displayed.");

Oh, given the screenshot in #11 I agree that we should do something about it.

possibly related #2432657: BasicAuth challenge never sent to browser

@pfrenssen, thanks so much for help !
Adding new patch with interdiff for review. The purpose is just to reduce the scope of added headers to HttpExceptions only.

Any updates on the #20 ? Is this okay ?

I'm okay with this. Tagging it in order to give people behind #2323759: Modularize kernel exception handling a chance to review.

This is consistent with how the exception system is supposed to work, and I like the addition of ensuring that HTTP headers get transferred. That's a useful bug fix on its own. Thanks all!

This issue is a normal bug fix, and doesn't include any disruptive changes, so it is allowed per https://www.drupal.org/core/beta-changes.

Thanks for the clear, specific steps to reproduce the issue. I was able to confirm both the bug and fix using them. I also like that the fix is clean and consistent with our existing 4xx handling.

1. +++ b/core/modules/basic_auth/src/Tests/Authentication/BasicAuthTest.php
   @@ -156,6 +156,31 @@ function testLocale() {
   +   * Tests if a comprehensive message is displayed rather then a raw exception
   +   * when route is denied.
   

   Minor: This summary is supposed to be only one line of 80 characters or fewer. See https://www.drupal.org/node/1354#drupal. I fixed this on commit:

   diff --git a/core/modules/basic_auth/src/Tests/Authentication/BasicAuthTest.php b/core/modules/basic_auth/src/Tests/Authentication/BasicAuthTest.php
   index 81484c1..6a3d348 100644
   --- a/core/modules/basic_auth/src/Tests/Authentication/BasicAuthTest.php
   +++ b/core/modules/basic_auth/src/Tests/Authentication/BasicAuthTest.php
   @@ -154,8 +154,7 @@ function testLocale() {
      }
    
      /**
   -   * Tests if a comprehensive message is displayed rather then a raw exception
   -   * when route is denied.
   +   * Tests if a comprehensive message is displayed when the route is denied.
       */
      function testUnauthorizedErrorMessage() {
        $account = $this->drupalCreateUser();
   

    

2. +++ b/core/modules/basic_auth/src/Tests/Authentication/BasicAuthTest.php
   @@ -156,6 +156,31 @@ function testLocale() {
   +    $this->assertNoText('Exception', "No raw exception is displayed on the page.");
   

   This assertion will not test what is expected if errors aren't being reported to the screen (and, indeed, it failed to fail in https://qa.drupal.org/pifr/test/1027378). However, the other assertions provide the coverage needed. Under normal circumstances I'd suggest asserting the response was not a 500 instead of checking for the text but that obviously is irrelevant when we're asserting it's a 401. :)
    

3. +++ b/core/modules/system/src/Controller/Http4xxController.php
   @@ -15,10 +15,22 @@
   +   * The default 401 content.
   

   Minor: This is technically supposed to start with a verb (see https://www.drupal.org/node/1354#functions), but since it's exactly the same as the other similar methods on the class, I'll take it.
    

I didn't consider any of the above worth delaying this patch on, so committed and pushed to 8.0.x. Thanks!

Re #26.2: In fact the error_level is set to verbose in WebTestBase::setUp(), so the stack trace and the term Exception is displayed without the patch. Note that the wording of the assert-message was subsequently changed in #12, that's why the message in the test result of the test-only patch in #6 is different from the one committed.