Worst case, users get prompted for a username/password if they don't have a session in their browser, seems fine to me.
API operations are all done via xhr, where the username/password is sent via the Authorization header, so including them in the URL shouldn't be required there.
Fixes #62
Worst case, users get prompted for a username/password if they don't have a session in their browser, seems fine to me.
API operations are all done via xhr, where the username/password is sent via the Authorization header, so including them in the URL shouldn't be required there.