rails / request.js

MIT License

Use of WWW-Authenticate #20

Open geoffyoungs opened 3 years ago

geoffyoungs commented 3 years ago

I really like the ability to redirect/prompt users to login, in response to a 401, but I'm concerned that the current usage of WWW-Authenticate here is non-standard - i.e. the syntax doesn't match & the scheme is not IANA registered: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate#syntax (cf. https://datatracker.ietf.org/doc/html/rfc7235#section-4.1) and wouldn't work if a browser requested the same URL.

In terms of support, I'd personally be tempted to use the non-standard Refresh header to perform the same function? It's also non-standard, but it would mean that the behaviour matched for both normal browser fetches and also responses to FetchRequest().

https://github.com/rails/request.js/blob/main/src/fetch_response.js#L19 e.g.

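  get authenticationURL () {
    // Read the login target from a Refresh header such as "0; url=/login"
    const refresh = this.response.headers.get('Refresh');

    // No Refresh header on the response: nothing to redirect to
    if (refresh === null) return;

    // Split "delay; url=..." into its parts
    let bits = refresh.split(/; */), i;

    for (i = 0; i < bits.length; i++) {
      // Match the "url=" prefix case-insensitively and return what follows it
      if (bits[i].slice(0, 4).toLowerCase() === 'url=') {
        return bits[i].slice(4);
      }
    }
  }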
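An added example, not part of the original comment or of request.js: a stricter take on the Refresh parsing proposed above that also accepts a comma separator and quoted targets, resolves relative URLs, and returns a login URL only when it is http(s) and either same-origin with the response or explicitly allow-listed. The names `parseRefresh` and `safeAuthenticationURL` and the `allowedOrigins` parameter are hypothetical, and the parsing is a simplification of what browsers accept.

```javascript
// Added example. parseRefresh and safeAuthenticationURL are hypothetical names,
// not request.js APIs; the origin allow-list is an assumption of this sketch.
function parseRefresh (value) {
  if (typeof value !== 'string') return null
  // "<delay>", then ";" / "," / whitespace, then an optional "url=" prefix.
  const m = /^\s*(\d+)[\d.]*(?:\s*[;,]\s*|\s+|$)(.*)$/.exec(value)
  if (!m) return null
  let target = m[2].trim()
  const prefix = /^url\s*=\s*/i.exec(target)
  if (prefix) target = target.slice(prefix[0].length)
  // Strip one layer of matching quotes: url="https://..." or url='...'.
  const quote = target[0]
  if (quote === '"' || quote === "'") {
    const end = target.indexOf(quote, 1)
    target = end === -1 ? target.slice(1) : target.slice(1, end)
  }
  return { delay: Number(m[1]), url: target || null }
}

function safeAuthenticationURL (refreshValue, responseURL, allowedOrigins = []) {
  const parsed = parseRefresh(refreshValue)
  if (!parsed || !parsed.url) return null
  let target
  try {
    target = new URL(parsed.url, responseURL) // resolves relative targets
  } catch {
    return null
  }
  // Only navigable web schemes; rejects javascript:, data:, and similar.
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return null
  const sameOrigin = target.origin === new URL(responseURL).origin
  if (!sameOrigin && !allowedOrigins.includes(target.origin)) return null
  return target.href
}

// Constructed sample values, not taken from a real application.
const base = 'https://app.example/api/items'
console.log(safeAuthenticationURL('0; url=/login', base))
console.log(safeAuthenticationURL('0; url=https://other.example/login', base))
```

Because the header value comes from the server response, checking the resolved origin before navigating keeps a tampered or misconfigured header from sending users to an unexpected site.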