fix(web): stop credential prompt loop with text/plain 401 + manifest credentials#24829
Open
rmk40 wants to merge 3 commits intoanomalyco:devfrom
Open
fix(web): stop credential prompt loop with text/plain 401 + manifest credentials#24829rmk40 wants to merge 3 commits intoanomalyco:devfrom
rmk40 wants to merge 3 commits intoanomalyco:devfrom
Conversation
hono's basicAuth middleware returns its 401 response without setting a Content-Type header. Bun's HTTP serializer fills the missing slot with `application/octet-stream`, which Chromium briefly treats as a download-attachment trigger before settling on the basic-auth dialog. The race produces 2-3 dialog flashes before the password field accepts input, and Playwright surfaces it as `Error: Download is starting` on the navigation call. Subresources (favicons, JS bundle, CSS, manifest) each hit basic-auth independently and each get the same octet-stream 401, compounding the loop. Wrap the basicAuth call in AuthMiddleware so a 401 response with no Content-Type gets `text/plain; charset=utf-8` added before being re-thrown. Authenticated requests are unaffected. Verified by: - `curl -i http://localhost:<port>/` now returns `content-type: text/plain; charset=utf-8` on the 401. - `bun typecheck` and `bun test` clean from packages/opencode.
Web manifests are fetched in a no-CORS mode that does not include the page's basic-auth credentials by default. With OPENCODE_SERVER_PASSWORD set, an authenticated user still sees `Manifest fetch ... failed, code 401` errors on every reload, and the browser issues a separate auth dialog for the manifest before settling. Adding `crossorigin="use-credentials"` makes the browser send the page's credentials with the manifest request, so the manifest fetch succeeds in the same auth context as the page. When OPENCODE_SERVER_PASSWORD is unset (no auth), this attribute has no effect on the request - the manifest is served unauthenticated as before.
Add a regression test asserting AuthMiddleware's 401 response carries `text/plain` Content-Type (never `octet-stream`) and preserves `WWW-Authenticate`. The new test file exercises AuthMiddleware directly through a minimal Hono app, covering: - Missing credentials -> 401, Content-Type contains text/plain, never octet-stream, WWW-Authenticate present. - Wrong credentials -> same shape. - Correct credentials -> 200 passes through. - No password set -> 200 passes through. - OPTIONS preflight bypasses auth. - auth_token query parameter accepted as credentials. Verified the missing/wrong-credential tests fail against pre-fix code and pass post-fix (6/6). Closes anomalyco#18325
Contributor
|
The following comment was made by an LLM, it may be inaccurate: Potential duplicate found:
Recommend reviewing PR #19302 to ensure no duplication of the manifest credentials fix. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue for this PR
Closes #18325
Type of change
What does this PR do?
When
OPENCODE_SERVER_PASSWORDis set, the basic-auth dialog flashes2-3 times before the password field accepts input. Two independent
causes; both fixed here.
1. 401 response has no
Content-Type.hono/basic-authbuildsits 401 with only
WWW-Authenticateset. Bun fills the missing slotwith
application/octet-stream, and Chromium briefly treats theunauth response as a download attachment — that race produces the
flash-and-reset.
AuthMiddlewarenow addstext/plain; charset=utf-8to a 401 with no Content-Type before re-throwing.
2. Webmanifest is fetched without page credentials.
<link rel="manifest">is fetched in a no-CORS mode that does not includebasic-auth credentials. Even after authenticating, the browser issues
a separate dialog for the manifest and logs
Manifest fetch ... failed, code 401. Addingcrossorigin="use-credentials"makes thefetch carry the page's credentials. Same-origin, so no CORS preflight;
no effect when
OPENCODE_SERVER_PASSWORDis unset.How did you verify your code works?
From
packages/opencode:bun test test/server/auth-middleware.test.ts— 6/6 pass. The newtest mounts
AuthMiddlewareon a minimal Hono app and asserts the401 carries
text/plain(neveroctet-stream) and preservesWWW-Authenticate, plus authenticated / no-password / OPTIONS /auth_tokenpaths. Confirmed it fails against pre-fix code.bun typecheckclean.curl -i http://localhost:<port>/returnscontent-type: text/plain; charset=utf-8on the 401.Screenshots / recordings
N/A
Checklist