fix: Remove `WWW-Authenticate` header from responses #1790

MoritzWeber0 · 2024-09-11T15:06:00Z

The HTTP specification recommends to send a WWW-Authenticate header with status code 401 for unauthenticated cases. See also the Mozilla documentation page: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401.
We've used that to indicate which authentication methods are available for clients, in our case Basic and Cookie.

While this works fine for Chrome, Safari starts prompting for basic authentication on its own. I haven't found a way to suppress this, so we'll have to remove the WWW-Authenticate header to avoid this behaviour.

Resolves #1788

The HTTP specification recommends to send a `WWW-Authenticate` header with status code 401. We've used that to indicate which authentication methods are available for clients, in our case Basic and Cookie. While this works fine on Chrome, Safari starts prompting for basic authentication on its own. I haven't found a way to suppress, so we'll have to remove the `WWW-Authenticate` header to avoid this behaviour.

codecov · 2024-09-11T15:06:32Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 84.06%. Comparing base (bc0ea05) to head (b5aa54d).
Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1790   +/-   ##
=======================================
  Coverage   84.06%   84.06%           
=======================================
  Files         186      186           
  Lines        6144     6144           
  Branches      676      676           
=======================================
  Hits         5165     5165           
  Misses        831      831           
  Partials      148      148

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.