jaredhanson / passport-http

HTTP Basic and Digest authentication strategies for Passport and Node.js.
https://www.passportjs.org/packages/passport-http/?utm_source=github&utm_medium=referral&utm_campaign=passport-http&utm_content=about
MIT License
268 stars, 110 forks

Added option disableBasicChallenge to disable WWW-Authenticate header. #26

Closed geothird closed 4 years ago

geothird commented 10 years ago

Setting this option to true will not send the header, just a 401. This is used to prevent native browser authentication popups.

nmec commented 9 years ago

For anyone looking for a workaround to this, if you are proxying through a web server you can strip the header:

# Apache
Header unset WWW-Authenticate

# Nginx
proxy_hide_header WWW-Authenticate;

siygle commented 9 years ago

+1. Being able to hide WWW-Authenticate with an option would be a better solution.

nmec commented 9 years ago

It's worth pointing out that this behaviour is contrary to RFC 7235:

The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource.

siygle commented 9 years ago

Yes, I know. I do not want to challenge the spec, but the problem is that the browser will handle this natively (pop up a dialog), and there's no way we can disable it.

I think providing an option, with the default set to normal, for when a developer really needs to turn it off should be an acceptable solution.

barretod commented 8 years ago

What happened with this? Is there another workaround? Safari is giving us issues; we get the native login popup even when we're just doing a jQuery call.

maniankara commented 6 years ago

+1
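
The trade-off discussed in this thread (keep the RFC 7235 challenge by default, drop it only where the native dialog is the problem) can also be handled in application code rather than at the proxy. The following is an added example, not part of this pull request or of passport-http: `hideChallengeForXhr` is a hypothetical Connect-style middleware, and treating `X-Requested-With: XMLHttpRequest` as the marker for script-initiated requests is an assumption about the client.

```javascript
// Added example, not passport-http code. hideChallengeForXhr is a hypothetical
// Connect-style middleware; treating X-Requested-With: XMLHttpRequest as the
// marker for script-initiated calls is an assumption about the client.

function isScripted(req) {
  const v = req.headers['x-requested-with'];
  return typeof v === 'string' && v.toLowerCase() === 'xmlhttprequest';
}

// Return a copy of `headers`, minus WWW-Authenticate when the response is a
// 401 to a scripted request. Every other response keeps its challenge.
function filterChallenge(statusCode, headers, scripted) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const drop = statusCode === 401 && scripted &&
      name.toLowerCase() === 'www-authenticate';
    if (!drop) out[name] = value;
  }
  return out;
}

// Patch writeHead so the decision is made when headers are about to be sent.
// Node calls writeHead implicitly from res.end(), so this also covers code
// that only sets res.statusCode and calls res.setHeader().
function hideChallengeForXhr(req, res, next) {
  const writeHead = res.writeHead;
  res.writeHead = function (statusCode, ...rest) {
    if (statusCode === 401 && isScripted(req)) {
      this.removeHeader('WWW-Authenticate'); // set earlier via setHeader()
      const last = rest[rest.length - 1];    // or passed to writeHead()
      if (last && typeof last === 'object' && !Array.isArray(last)) {
        rest[rest.length - 1] = filterChallenge(statusCode, last, true);
      }
    }
    return writeHead.call(this, statusCode, ...rest);
  };
  next();
}
```

Mount the middleware before the authentication middleware so the patched `writeHead` is in place when the 401 is produced. The request header is client-controlled, so it only changes whether the challenge is shown; the 401 itself and the credential check are unaffected.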