Return unauthorized if header auth is the only one

messages/en-US.json

@@ -1754,7 +1754,7 @@
     "resourceHeaderAuthSetup": "Header Authentication set successfully",
     "resourceHeaderAuthSetupDescription": "Header authentication has been successfully set.",
     "resourceHeaderAuthSetupTitle": "Set Header Authentication",
-    "resourceHeaderAuthSetupTitleDescription": "Set the basic auth credentials (username and password) to protect this resource with HTTP Header Authentication. Leave both fields blank to remove existing header authentication.",
+    "resourceHeaderAuthSetupTitleDescription": "Set the basic auth credentials (username and password) to protect this resource with HTTP Header Authentication. Access it using the format https://username:password@resource.example.com",
     "resourceHeaderAuthSubmit": "Set Header Authentication",
     "actionSetResourceHeaderAuth": "Set Header Authentication",
     "enterpriseEdition": "Enterprise Edition",

server/routers/badger/verifySession.ts

@@ -314,6 +314,11 @@ export async function verifyResourceSession(
                 logger.debug("Resource allowed because header auth is valid");
                 return allowed(res);
             }
+
+            // if there are no other auth methods we need to return unauthorized here
+            if (!sso && !pincode && !password && !resource.emailWhitelistEnabled) {
+                return notAllowed(res);
+            }
         }
 
         if (!sessions) {