From f8d1f8c08ba7112380e8fec91611a1445d22ae76 Mon Sep 17 00:00:00 2001
From: Petu Eusebiu
Date: Tue, 10 Oct 2023 16:09:28 +0300
Subject: [PATCH] fix(authn): apply fail delay only if credentials/sessions are supplied

Signed-off-by: Petu Eusebiu
---
 pkg/api/authn.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/api/authn.go b/pkg/api/authn.go
index f146ec165..741db65b7 100644
--- a/pkg/api/authn.go
+++ b/pkg/api/authn.go
@@ -675,7 +675,9 @@ func getRelyingPartyArgs(cfg *config.Config, provider string) (
 }

 func authFail(w http.ResponseWriter, r *http.Request, realm string, delay int) {
- time.Sleep(time.Duration(delay) * time.Second)
+ if !isAuthorizationHeaderEmpty(r) || hasSessionHeader(r) {
+ time.Sleep(time.Duration(delay) * time.Second)
+ }

 // don't send auth headers if request is coming from UI
 if r.Header.Get(constants.SessionClientHeaderName) != constants.SessionClientHeaderValue {
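Review bot: The new condition in `authFail` decides whether to throttle purely from request headers, so any failure path that evaluated a credential carried somewhere these two helpers do not inspect would now return immediately and lose its brute-force delay. `isAuthorizationHeaderEmpty` and `hasSessionHeader` are defined outside this hunk, so this should be confirmed against every caller of `authFail`, in particular whether `hasSessionHeader` tests for an actual session or only for the client marker header that is compared two lines below. The branch also carries no comment saying why anonymous requests are exempt; something like `// delay only attempts that presented credentials or a session; anonymous requests fail immediately` above the `if` would keep a later refactor from dropping either the guard or the sleep. A test that asserts both sides (no delay without credentials, delay with a wrong Authorization header) would pin the behaviour. The body of `authFail` continues past the end of the hunk.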