* auth: respond with 403 for API requests when not authenticated

AGHTechDoc.md

@@ -1353,7 +1353,9 @@ Response:
 
 ## Log-in page
 
-After user completes the steps of installation wizard, he must log in into dashboard using his name and password.  After user successfully logs in, he gets the Cookie which allows the server to authenticate him next time without password.  After the Cookie is expired, user needs to perform log-in operation again.  All requests without a proper Cookie get redirected to Log-In page with prompt for name and password.
+After user completes the steps of installation wizard, he must log in into dashboard using his name and password.  After user successfully logs in, he gets the Cookie which allows the server to authenticate him next time without password.  After the Cookie is expired, user needs to perform log-in operation again.
+
+Requests to / or /index.html without a proper Cookie get redirected to Log-In page with prompt for name and password.  The server responds with 403 to all other requests (including all API methods) without a proper Cookie.
 
 YAML configuration:
 

home/auth.go

@@ -406,8 +406,13 @@ func optionalAuth(handler func(http.ResponseWriter, *http.Request)) func(http.Re
 				}
 			}
 			if !ok {
-				w.Header().Set("Location", "/login.html")
-				w.WriteHeader(http.StatusFound)
+				if r.URL.Path == "/" || r.URL.Path == "/index.html" {
+					w.Header().Set("Location", "/login.html")
+					w.WriteHeader(http.StatusFound)
+				} else {
+					w.WriteHeader(http.StatusForbidden)
+					_, _ = w.Write([]byte("Forbidden"))
+				}
 				return
 			}
 		}

home/home_test.go

@@ -114,6 +114,7 @@ func TestHome(t *testing.T) {
 	assert.True(t, ioutil.WriteFile(fn, []byte(yamlConf), 0644) == nil)
 	fn, _ = filepath.Abs(fn)
 
+	config = configuration{} // the global variable is dirty because of the previous tests run
 	args := options{}
 	args.configFilename = fn
 	args.workDir = dir