I am trying to implement authentication in a DelegatingHandler. Here is an example below.
public class AuthHandler: DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var auth = request.Headers.Authorization;
        if (!auth.Scheme.Equals("UberSecureScheme"))
        {
            return new Task<HttpResponseMessage>(() => new HttpResponseMessage(HttpStatusCode.Unauthorized)
                {
                    Content = new StringContent("You have no token")
                });
        }
        return base.SendAsync(request, cancellationToken);
    } 
}
This never ever executes the task and no response is ever returned. If I change the code to do some task continuation thing, like I have seen in some examples, then the Controller is executed first.
return base.SendAsync(request, cancellationToken)
           .ContinueWith(task =>
           {
               var response = task.Result;
               response.StatusCode = HttpStatusCode.Unauthorized;
               return response;
           });
This is obviously a disaster. I can't let someone do a delete and then tell them that they were unauthorized to do so.
I have also come across someone saying to just throw an HttpResponseException. No matter what status code I put in there (404, 401, whatever), the browser always gets a 500 internal server error.
// Authorization is null when the request carries no such header.
if (auth == null || !auth.Scheme.Equals("UberSecureScheme"))
{
    var response = request.CreateResponse(HttpStatusCode.Unauthorized);
    response.ReasonPhrase = "You have no token";
    return Task.FromResult<HttpResponseMessage>(response);
}
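The snippet above placed in a full handler, as an added example that is not part of the original post. It shows that returning an already-completed task answers the request without the controller running. `FakeController`, `Program` and the localhost URL are hypothetical stand-ins, and the response is built with `new HttpResponseMessage` rather than `request.CreateResponse` so the example needs only System.Net.Http.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
public class AuthHandler : DelegatingHandler
{
    private const string Scheme = "UberSecureScheme"; // scheme name from the question
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        // Null when the header is absent; HTTP scheme names are case-insensitive.
        if (auth == null || !string.Equals(auth.Scheme, Scheme, StringComparison.OrdinalIgnoreCase))
        {
            var response = new HttpResponseMessage(HttpStatusCode.Unauthorized)
            {
                RequestMessage = request,
                Content = new StringContent("You have no token")
            };
            // A 401 carries a challenge naming the scheme the server expects.
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue(Scheme));
            // Completed task: base.SendAsync is not called, so the controller never runs.
            return Task.FromResult(response);
        }
        return base.SendAsync(request, cancellationToken);
    }
}
// Hypothetical stand-in for the rest of the pipeline (routing and controller).
public class FakeController : HttpMessageHandler
{
    public int Calls;
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        Calls++;
        return Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK));
    }
}
public static class Program
{
    public static void Main()
    {
        var inner = new FakeController();
        var invoker = new HttpMessageInvoker(new AuthHandler { InnerHandler = inner });
        // Constructed request with no Authorization header at all.
        var req = new HttpRequestMessage(HttpMethod.Delete, "http://localhost/api/items/1");
        var res = invoker.SendAsync(req, CancellationToken.None).Result;
        Console.WriteLine("status={0} controllerCalls={1}", (int)res.StatusCode, inner.Calls);
    }
}
```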