express-basic-auth/README.md, lines 137 to 140 in dd17b4d:

### Challenge

Per default the middleware will not add a `WWW-Authenticate` challenge header to responses of unauthorized requests. You can enable that by adding `challenge: true`

express-basic-auth/index.js, lines 66 to 75 in dd17b4d (excerpt; `challenge`, `realm`, `req` and `res` come from the enclosing middleware scope):

```js
function unauthorized() {
    if(challenge) {
        var challengeString = 'Basic'
        var realmName = realm(req)

        if(realmName)
            challengeString += ' realm="' + realmName + '"'

        res.set('WWW-Authenticate', challengeString)
    }
    // ... remainder of unauthorized() not shown in the excerpt
```
The current default behavior, responding with the status code 401 without the `WWW-Authenticate` header field, violates RFC 9110. Do you have any particular reasons for the decision on the default behavior that is not RFC-compliant?

> The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a WWW-Authenticate header field (Section 11.6.1) containing at least one challenge applicable to the target resource.

### Suggestion

I suggest changing this line

express-basic-auth/index.js, line 30 in dd17b4d:

```js
var challenge = options.challenge != undefined ? !!options.challenge : false
```

to

```js
const challenge = !!(options.challenge ?? true);
```

, and accordingly the documentation as well.
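The option parsing before and after the proposed change, side by side with the header construction from the quoted `unauthorized()` excerpt and an RFC 9110 check that a 401 carries `WWW-Authenticate`. This is an added example, not the project's code; `FakeResponse` is a constructed stand-in for the Express response object so it runs without Express.

```javascript
// Added example, not express-basic-auth's own code. Compares the current and
// proposed defaults for the `challenge` option and checks the resulting 401.

// Current parsing (index.js line 30): `challenge` defaults to false when absent.
function resolveChallengeCurrent(options) {
  return options.challenge != undefined ? !!options.challenge : false;
}

// Proposed parsing: defaults to true; an explicit `challenge: false` still disables it.
function resolveChallengeProposed(options) {
  return !!(options.challenge ?? true);
}

// Constructed stand-in for the Express response object (set/get/status only).
class FakeResponse {
  constructor() { this.statusCode = 200; this.headers = {}; }
  set(name, value) { this.headers[name.toLowerCase()] = value; return this; }
  get(name) { return this.headers[name.toLowerCase()]; }
  status(code) { this.statusCode = code; return this; }
}

// Header-building logic from the quoted unauthorized() excerpt, as a pure function.
// `realm` is the realm name resolved for the current request ('' when none).
function sendUnauthorized(res, challenge, realm) {
  if (challenge) {
    let challengeString = 'Basic';
    if (realm) challengeString += ' realm="' + realm + '"';
    res.set('WWW-Authenticate', challengeString);
  }
  return res.status(401);
}

// RFC 9110 section 15.5.2: a 401 response MUST carry a WWW-Authenticate header.
// Handy as an assertion in integration tests for any endpoint that returns 401.
function isRfc9110Compliant401(res) {
  const header = res.get('WWW-Authenticate');
  return res.statusCode === 401 && typeof header === 'string' && header.length > 0;
}

// Default behaviour when no `challenge` option is given, old versus proposed.
const current = sendUnauthorized(new FakeResponse(), resolveChallengeCurrent({}), 'api');
const proposed = sendUnauthorized(new FakeResponse(), resolveChallengeProposed({}), 'api');
console.log(isRfc9110Compliant401(current), isRfc9110Compliant401(proposed)); // false true
```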