miguelgrinberg
commented
1 year ago I would prefer not to mess with the HTTP standard, which at least in my understanding indicates that WWW-Authenticate is a required header (docs here).
The issue of the browser prompting for credentials has been discussed before here. There are actually two methods to prevent the browser from doing this:
- Change
schemeto something other thanBasic, for example:basic_auth = HTTPBasicAuth(scheme='SilentBasic'). - Use an error handler to intercept the error response and provide a status that is different than 401. For example, you can switch to 403, which does not prompt the user for credentials.
My recommendation is to go with the first option.
sina-rostami
Hi, thank you for your work.
You put the
WWW-Authenticateheader on all responses and in the case of basic authentication, this leads the browsers to prompt for username and password every time. however, maybe someone doesn't want this.I am developing a service in which I want to take some actions in case of wrong credentials, but the browser constantly prompts me for a username and password repeatedly.
I fixed the problem by commenting line that sets the header. But I thought it would be good if the user could control this feature.
I can open a pull request for this if you agree with the logic.
Regards.