This used to work, but for some reason it's broken now (not sure if it's a newer Chrome version or we just broke it somehow).
In general, when a browser is trying to access an api endpoint, it would first send an OPTIONS request to check the CORS settings of the server and then send the actual request. The first request will not contain the X-Requested-With header (#457) so that's what's causing the native HttpBasic browser popup to appear.
Steps to reproduce:
# curl -I 'http://localhost:48080/api/ping/token' -H 'Accept: application/json, text/plain, */*' -H 'Referer: http://localhost:48080/' -H 'DNT: 1' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36' -H 'Authorization: Bearer INSERT_A_REAL_TOKEN' -X OPTIONS --compressed
HTTP/2 401
server: nginx
date: Tue, 18 Sep 2018 21:29:14 GMT
content-type: application/json
www-authenticate: Basic realm="Strongbox Repository Manager"
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: 0
x-frame-options: DENY
mvn clean install -Dintegration.tests still works.mvn spring-boot:run in the strongbox-web-core still starts up the application correctly.strongbox-distribution from a zip or tar.gz still works.strongbox-web-integration-tests still run properly.This task relates to #457.
I'll be taking a look at this issue
Okay! Good luck! :)
I've been able to reproduce the error and found out that the tokens of the authentication is inside the BasicAuthorizationSupplier class, but I'm having troubles understanding the desired solution, could you explain to me what is the expected result?
@steve-todorov , @fuss86 , @ptirador : Any thoughts?
I just sent a PR with the Solution to the issue #1265
any comments you have about it are very welcomed.
Hey since most of the questions I asked and reports of my progress were done through the strongbox community chat. I think it would better for the community that the findings on this issue are shown in public.
The issue occurred inside the Http401AuthenticationEntryPoint.java class. Since the updates on some browsers, pre-flight OPTIONS calls are sent for all GET/POST requests unless they are classified as simple requests when sending a CORS request.
This pre-flight OPTIONS request doesn't contain the "X-Requested-With" header and because of this what happened is that the response always returned with the "www-authenticate" header which prompted the authentication pop-up.
In the PR #1265 I added this validation inside the Http401AuthenticationEntryPoint :
!request.getMethod().equalsIgnoreCase(IS_REQUEST_OPTIONS)
With this, we make sure that the "www-authenticate" response isn't triggered every time the API receives the pre-flight OPTIONS call fixing the issue of the unwanted pop-up authentication.
Here are some blog post for reference about pre-flight requests:
link 1
link 2
Thanks for following up with an explanation! :)