From a2d5d2d613712bc50c4440d0986b8bc310a6a03f Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Fri, 30 Apr 2021 23:08:57 +0200
Subject: [PATCH 1/2] Reply with UNAUTHORIZED like on APIs when login exception was thrown
Signed-off-by: Joas Schilling
---
 build/integration/features/provisioning-v1.feature | 2 +-
 index.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/build/integration/features/provisioning-v1.feature b/build/integration/features/provisioning-v1.feature
index 03aaad4b85..05eb550d98 100644
--- a/build/integration/features/provisioning-v1.feature
+++ b/build/integration/features/provisioning-v1.feature
@@ -687,4 +687,4 @@ Feature: provisioning
 And assure user "user0" is disabled
 And As an "user0"
 When sending "GET" with exact url to "/index.php/apps/files"
- And the HTTP status code should be "403"
+ And the HTTP status code should be "401"
diff --git a/index.php b/index.php
index 9ea511c7f0..6bdaf9d477 100644
--- a/index.php
+++ b/index.php
@@ -55,7 +55,7 @@ try {
 OC_Template::printExceptionErrorPage($ex, 500);
 }
 } catch (\OC\User\LoginException $ex) {
- OC_Template::printErrorPage($ex->getMessage(), $ex->getMessage(), 403);
+ OC_Template::printErrorPage($ex->getMessage(), $ex->getMessage(), 401);
 } catch (Exception $ex) {
 \OC::$server->getLogger()->logException($ex, ['app' => 'index']);
From 236f1b64f9dec26c98cdaf9efd66750001dc8da2 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Fri, 30 Apr 2021 23:09:29 +0200
Subject: [PATCH 2/2] Reply with JSON when html is not accepted like in SecurityMiddleware
Signed-off-by: Joas Schilling
---
 index.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/index.php b/index.php
index 6bdaf9d477..88104e1974 100644
--- a/index.php
+++ b/index.php
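Review bot: The `catch (\OC\User\LoginException $ex)` branch of index.php in patch 1/2 now answers 401, but nothing visible in the hunk sends a `WWW-Authenticate` challenge, and the updated feature test exercises a disabled user, a case where re-sending the same credentials cannot succeed. Clients that treat 401 as "ask for credentials and retry" may loop on this response; the same applies to the `http_response_code(401)` JSON branch added in patch 2/2. If 401 is kept for parity with the API responses, I would record that next to the call, e.g. `// 401 to match the API answer for LoginException (e.g. disabled user); no WWW-Authenticate challenge is sent from index.php`. The surrounding try block begins outside the hunk, and whether `OC_Template::printErrorPage` adds headers of its own is not visible here.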
@@ -55,6 +55,18 @@ try {
 OC_Template::printExceptionErrorPage($ex, 500);
 }
 } catch (\OC\User\LoginException $ex) {
+ $request = \OC::$server->getRequest();
+ /**
+ * Routes with the @CORS annotation and other API endpoints should
+ * not return a webpage, so we only print the error page when html is accepted,
+ * otherwise we reply with a JSON array like the SecurityMiddleware would do.
+ */
+ if (stripos($request->getHeader('Accept'),'html') === false) {
+ http_response_code(401);
+ header('Content-Type: application/json; charset=utf-8');
+ echo json_encode(['message' => $ex->getMessage()]);
+ exit();
+ }
 OC_Template::printErrorPage($ex->getMessage(), $ex->getMessage(), 401);
 } catch (Exception $ex) {
 \OC::$server->getLogger()->logException($ex, ['app' => 'index']);
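Review bot: The added JSON branch encodes `$ex->getMessage()` with the default `json_encode` flags, so any `<` or `>` in the message is written to the body literally, and a failed encode (which returns `false`) would leave an empty body. The hunk does not show whether the message can carry request-derived text or whether `X-Content-Type-Options: nosniff` is already set on this early-exit path, so escaping tags is cheap hardening against content sniffing: `echo json_encode(['message' => $ex->getMessage()], JSON_HEX_TAG);`. On style, a space is missing after the comma in `stripos($request->getHeader('Accept'),'html')`. The enclosing try block starts outside the hunk.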