wireproxy icon indicating copy to clipboard operation
wireproxy copied to clipboard
verified publisher icon pufferffish

Fix HTTP proxy authentication to support both preemptive and challenge-response auth

Open lhpalacio opened this issue 1 year ago • 0 comments

The current HTTP proxy authentication implementation works with clients that use preemptive authentication (like curl) but fails with clients expecting a challenge-response flow (such as Puppeteer and web browsers).

Solution:

  1. Immediately returning a 407 Proxy Authentication Required status when no auth header is present.
  2. Adding a Proxy-Authenticate header to 407 responses, prompting clients to provide credentials.

Testing with Puppeteer:

Should fail before the change and pass after the fix

const puppeteer = require('puppeteer');

(async () => {
  const browser = await puppeteer.launch({
    args: [`--proxy-server=http://0.0.0.0:25345`],
  });

  const page = await browser.newPage();
  await page.authenticate({
    username: 'username',
    password: 'password',
  });

  await page.goto('https://httpbin.org/ip');
  const body = await page.waitForSelector('body');
  const ip = await body.getProperty('textContent');
  console.log(await ip.jsonValue());

  await browser.close();
})();

lhpalacio avatar Aug 28 '24 20:08 lhpalacio