don't generate defender events for HTTP/WebDAV requests with no auth

it is quite common for HTTP clients to send a first request without
the Authorization header and then send the credentials after receiving
a 401 response. We don't want to generate defender events in this case

httpd/api_utils.go

@@ -370,7 +370,7 @@ func parseRangeRequest(bytesRange string, size int64) (int64, int64, error) {
 
 func updateLoginMetrics(user *dataprovider.User, ip string, err error) {
 	metric.AddLoginAttempt(dataprovider.LoginMethodPassword)
-	if err != nil && err != common.ErrInternalFailure {
+	if err != nil && err != common.ErrInternalFailure && err != common.ErrNoCredentials {
 		logger.ConnectionFailedLog(user.Username, ip, dataprovider.LoginMethodPassword, common.ProtocolHTTP, err.Error())
 		event := common.HostEventLoginFailed
 		if _, ok := err.(*util.RecordNotFoundError); ok {

webdavd/server.go

@@ -368,7 +368,7 @@ func writeLog(r *http.Request, err error) {
 
 func updateLoginMetrics(user *dataprovider.User, ip, loginMethod string, err error) {
 	metric.AddLoginAttempt(loginMethod)
-	if err != nil && err != common.ErrInternalFailure {
+	if err != nil && err != common.ErrInternalFailure && err != common.ErrNoCredentials {
 		logger.ConnectionFailedLog(user.Username, ip, loginMethod, common.ProtocolWebDAV, err.Error())
 		event := common.HostEventLoginFailed
 		if _, ok := err.(*util.RecordNotFoundError); ok {