401 responses MUST have a `WWW-Authenticate` header.
https://github.com/LionC/express-basic-auth/blob/dd17b4de9fee9558269cdc583310bde5331456e7/README.md?plain=1#L137-L140
https://github.com/LionC/express-basic-auth/blob/dd17b4de9fee9558269cdc583310bde5331456e7/index.js#L66-L75
The current default behavior, responding with status code 401 without the `WWW-Authenticate` header field, violates RFC 9110. Do you have any particular reasons for the decision on a default behavior that is not RFC-compliant?
From RFC 9110 — HTTP Semantics, Section 15.5.2 (401 Unauthorized):

> The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a `WWW-Authenticate` header field (Section 11.6.1) containing at least one challenge applicable to the target resource.
Suggestion
I suggest changing this line
https://github.com/LionC/express-basic-auth/blob/dd17b4de9fee9558269cdc583310bde5331456e7/index.js#L30
to

```js
const challenge = !!(options.challenge ?? true);
```

and updating the documentation accordingly.
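To make the difference concrete, here is an added, stand-alone example (not code from express-basic-auth): it contrasts the current opt-in default described above with the suggested opt-out default, builds the resulting 401 response, and checks it against the RFC 9110 rule. The option shape, the default realm and the `charset` parameter (from RFC 7617) are assumptions.

```javascript
// Added example, not part of express-basic-auth. Option names mirror the
// README (`challenge`, `realm`) but the functions here are hypothetical.

// Behaviour this issue reports: no challenge unless the option is set truthy.
function currentDefaultChallenge(options = {}) {
  return !!options.challenge;
}

// Suggested default: challenge unless the caller explicitly opts out.
// Nullish coalescing keeps an explicit `false` (or 0) as an opt-out.
function suggestedDefaultChallenge(options = {}) {
  return !!(options.challenge ?? true);
}

// Build a Basic challenge. RFC 7617 requires a realm; it is emitted as an
// HTTP quoted-string, so embedded quotes and backslashes are escaped.
function basicChallenge(realm = 'Restricted') {
  const escaped = String(realm).replace(/["\\]/g, (c) => `\\${c}`);
  return `Basic realm="${escaped}", charset="UTF-8"`;
}

// Status and headers of the 401 the middleware would send for `options`,
// using the supplied challenge-resolution policy.
function unauthorizedResponse(options = {}, resolve = suggestedDefaultChallenge) {
  const headers = {};
  if (resolve(options)) {
    headers['WWW-Authenticate'] = basicChallenge(options.realm);
  }
  return { statusCode: 401, headers };
}

// RFC 9110 §15.5.2: a 401 MUST carry at least one WWW-Authenticate challenge.
// Field names are case-insensitive, so the lookup normalises them.
function isRfc9110Compliant401(response) {
  if (response.statusCode !== 401) return true;
  const name = Object.keys(response.headers).find(
    (h) => h.toLowerCase() === 'www-authenticate',
  );
  return name !== undefined && response.headers[name].trim().length > 0;
}

// Same caller, two defaults: only the suggested one yields a compliant 401.
const before = unauthorizedResponse({}, currentDefaultChallenge);
const after = unauthorizedResponse({});
console.log('current default compliant:', isRfc9110Compliant401(before));   // false
console.log('suggested default compliant:', isRfc9110Compliant401(after));  // true
```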