Unauthenticated REST response contains invalid WWW-Authenticate header

[blaugold]

Description

Unauthenticated REST responses contain an invalid WWW-Authenticate header. This is a problem for HTTP clients that implement the general HTTP authentication framework. In my case, Dart's HttpClient chokes on the invalid header value and throws an exception instead of continuing to process the response.

Steps to Reproduce

1. Start a nakama instance
2. Make an unauthenticated request against the REST API: curl -v -X POST localhost:7350/v2/session/logout

Expected Result

The response should either contain no WWW-Authenticate header, or one that adheres to the specification, e.g. Basic realm=<realm>.

Actual Result

curl -v -X POST localhost:7350/v2/session/logout

* Host localhost:7350 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:7350...
* Connected to localhost (::1) port 7350
> POST /v2/session/logout HTTP/1.1
> Host: localhost:7350
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 401 Unauthorized
< Cache-Control: no-store, no-cache, must-revalidate
< Content-Type: application/json
< Vary: Accept-Encoding
< Www-Authenticate: Auth token required
< Date: Wed, 14 Aug 2024 16:26:10 GMT
< Content-Length: 44
< 
* Connection #0 to host localhost left intact
{"code":16, "message":"Auth token required"}%  

Your Environment

• Nakama: 3.23.0

[linear]

NK-590 Unauthenticated REST response contains invalid `WWW-Authenticate` header