nuxt-community / auth-module

Zero-boilerplate authentication support for Nuxt 2
https://auth.nuxtjs.org
MIT License
1.93k stars 924 forks

Safari overwrites Authorization header with Basic auth #1702

Open lukas-pierce opened 2 years ago

lukas-pierce commented 2 years ago

There is a problem when working together with the nuxt-basic-auth-module (HTTP Basic Auth). I want the site to be password protected from outside visitors. And there is also user authorization using the nuxt auth module. When launched in Safari, after passing basic authorization, the basic authorization header is subsequently always added to all XHR requests, and overwrites the authorization header with a bearer token.

Version

@nuxtjs/auth-next: 5.0.0-1613647907.37b1156
nuxt: 2.15.3
nuxt-basic-auth-module: 1.4.1

Nuxt configuration

  auth: {
    redirect: {
      login: '/login',
      logout: '/',
      callback: '/login',
      home: '/'
    },
    watchLoggedIn: false,
    strategies: {
      local: {
        user: {
          property: false
        },
        endpoints: {
          login: { url: '/auth/login', method: 'post' },
          user: { url: '/auth/user', method: 'get' },
          logout: { url: '/auth/logout', method: 'post' },
        }
      }
    },
  },
  // http basic auth https://www.npmjs.com/package/nuxt-basic-auth-module
  basic: {
    name: process.env.HTTP_BASIC_USERNAME,
    pass: process.env.HTTP_BASIC_PASSWORD,
    enabled: process.env.HTTP_BASIC_AUTH_ENABLED === 'true',
  },

Reproduction

Install two modules, nuxt-auth and nuxt-basic-auth-module, and launch in Safari. After passing Basic auth, Safari will pass the Basic authorization header with each ajax request, but Chrome doesn't behave like that. I think the problem is not related to the nuxt-basic-auth-module: even if you set Basic Auth on the site in another way (Apache or nginx), the problem with Safari overwriting headers will still be there.

eyecatchup commented 2 years ago

Confirm. Having the same issue.

martinrode commented 1 year ago

Did you report this to Apple?

smenshikov commented 1 year ago

I believe Apple knows about this issue, but they don't do anything about it. As a workaround, your backend can implement support for a custom authorization header.
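
A sketch of the backend side of the workaround discussed in this thread, as an added example that is not code from any commenter or from the auth-module project: a Connect/Express-style middleware that reads the bearer token from a separate header, so the `Authorization: Basic ...` value Safari attaches no longer hides it. The header name `X-App-Authorization`, the function names and the sample requests are assumptions made for illustration.

```javascript
// Hypothetical header name; the client must send the bearer token in it.
// Cross-origin APIs also need it listed in Access-Control-Allow-Headers.
const TOKEN_HEADER = 'x-app-authorization';

// Split "<scheme> <credentials>" and normalise the scheme; null if malformed.
function parseAuthHeader(value) {
  if (typeof value !== 'string') return null;
  const m = /^\s*([A-Za-z]+)\s+(\S+)\s*$/.exec(value);
  return m ? { scheme: m[1].toLowerCase(), credentials: m[2] } : null;
}

// Prefer the custom header, then fall back to Authorization, but accept a
// value only when its scheme is Bearer. A Basic value is never treated as a
// token. Node lower-cases incoming header names.
function extractBearerToken(headers) {
  for (const name of [TOKEN_HEADER, 'authorization']) {
    const parsed = parseAuthHeader(headers[name]);
    if (parsed && parsed.scheme === 'bearer') return parsed.credentials;
  }
  return null;
}

// Middleware: reject requests without a bearer token, expose it otherwise.
function requireBearer(req, res, next) {
  const token = extractBearerToken(req.headers);
  if (!token) {
    res.statusCode = 401;
    return res.end('missing bearer token');
  }
  req.bearerToken = token; // validate the token in the next handler
  return next();
}

// Constructed sample requests (credentials are made up).
const safariRequest = {
  authorization: 'Basic dXNlcjpwYXNz',        // added by the browser
  'x-app-authorization': 'Bearer sample-token' // added by the application
};
const chromeRequest = { authorization: 'Bearer sample-token' };
const basicOnlyRequest = { authorization: 'Basic dXNlcjpwYXNz' };

console.log(extractBearerToken(safariRequest));
console.log(extractBearerToken(chromeRequest));
console.log(extractBearerToken(basicOnlyRequest));
```

On the client, the local strategy's `token.name` option in auth-next sets the header the token is sent in, so it has to match the name the backend reads.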