"Basic" authentication doesn't return WWW-Authenticate header on failure #471

Open
geogeim opened this issue Nov 26, 2020 · 3 comments · May be fixed by #563
Comments

@geogeim

geogeim commented Nov 26, 2020

I registered a basic security schema with my own validateSecurity.handlers for basic auth. When the user enters the URL in the browser, he doesn't get the login prompt, because the authentication doesn't return the "WWW-Authenticate" header in the response and just fails with "Authorization header required".

That means I have to work around it by adding this in the global error handler:

      // Workaround inside the global Express error handler: re-add the challenge
      // header on the 401 the validator produced for this one route.
      if (error.path === '/users/export' && error.status === 401) {
        res.set('WWW-Authenticate', 'Basic realm="ugh"');
      }

Which kinda defeats the purpose of the security handler in the first place :(

@cdimascio
Owner

cdimascio commented Dec 28, 2020

@geogeim good point. The challenge here is where to find the realm. OpenAPI doesn't define a property in the schema for an API dev to provide it. Potentially, we can provide the response object to the security handler and let the dev set the 'WWW-Authenticate' header. We might also define a vendor extension, e.g. x-eov-realm, to enable a user to set the realm directly in the spec. I'm open to suggestions.

@ahilke
Contributor

ahilke commented Mar 17, 2021

@cdimascio What about just using WWW-Authenticate: Basic? According to the specification, this should be valid.

MDN says:

realm=<realm>
A description of the protected area. If no realm is specified, clients often display a formatted hostname instead.

I verified that this behaviour works as intended in Chromium and Firefox, i.e. they show a login popup. I tested it with this demo project (although it lacks documentation).

I never came across a use case for using realms, never mind multiple realms, so I cannot say what the implications would be. But it would allow covering the basic and common use case without needing to add any attribute to the OpenAPI spec.

If you agree, I could take a stab at this sometime.

@cdimascio
Owner

That will be great. Please do. It makes for a good launching point.

ahilke added a commit to ahilke/express-openapi-validator that referenced this issue Mar 19, 2021
Add WWW-Authenticate header on 401 when using basic auth.

Resolves cdimascio#471
@ahilke ahilke linked a pull request Mar 19, 2021 that will close this issue