
OWASP ZAP against Netlify password protected site


I need to run OWASP ZAP against one of our sites running on Netlify, but it is password protected (see screenshot for what I mean). For those who don't know how it works, when you visit the site, Netlify returns a 401 with the response of the request being the form. The form takes a password (input name is password) and POSTs it to the same URL (so https://myapp.netlify.app/ returns 401 and then the form POSTs it to https://myapp.netlify.app). I've created the context that should work, but I don't think it likes the 401 being returned as the same URL as the POST.

I'm sure I'm just doing a really stupid thing, but here is the relevant snippet from the config:

<authentication>
    <type>2</type>
    <strategy>EACH_RESP</strategy>
    <pollurl/>
    <polldata/>
    <pollheaders/>
    <pollfreq>60</pollfreq>
    <pollunits>REQUESTS</pollunits>
    <form>
        <loginurl>https://myapp.netlify.app</loginurl>
        <loginbody>password={%password%}</loginbody>
        <loginpageurl>https://myapp.netlify.app</loginpageurl>
    </form>
</authentication>

I also tried this snippet, in case it required the username (the UI kept enforcing the use of a username):

<authentication>
    <type>2</type>
    <strategy>EACH_RESP</strategy>
    <pollurl/>
    <polldata/>
    <pollheaders/>
    <pollfreq>60</pollfreq>
    <pollunits>REQUESTS</pollunits>
    <form>
        <loginurl>https://myapp.netlify.app</loginurl>
        <loginbody>username={%username%}&amp;password={%password%}</loginbody>
        <loginpageurl>https://myapp.netlify.app</loginpageurl>
    </form>
</authentication>

[Screenshot: Netlify password protected site form]
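The flow described above (GET returns a 401 whose body is the password form, the form POSTs password=... back to the same URL, and the login page URL is therefore identical to the login request URL) is easy to misjudge because a scanner's form-based auth normally expects a 200 for the login page. The following is an added example, not ZAP's or Netlify's code: a constructed local mock of such a gate, plus a client that performs the same steps ZAP's form-based authentication does, filling the {%username%}/{%password%} placeholders from <loginbody> and treating the initial 401 as expected rather than as a failure. The cookie name, the password value and the success response (200 plus a session cookie) are assumptions for the mock; Netlify's real implementation is not on this page.

```python
"""Constructed local stand-in for a Netlify-style password gate, plus the
form-based login a scanner such as ZAP performs against it.

Added example, not ZAP's or Netlify's code.  The mock reproduces only the
behaviour described in the question: GET returns 401 whose body is the
password form, and the form POSTs password=... back to the same URL.  The
cookie name, password and success response are assumptions."""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SITE_PASSWORD = "s3cret"            # constructed test value
COOKIE_NAME = "mock_site_session"   # assumption, not Netlify's real cookie
LOGIN_FORM = (b'<form method="POST">'
              b'<input name="password" type="password"></form>')


class PasswordGate(BaseHTTPRequestHandler):
    """Mock gate: every path is protected until the session cookie is present."""

    def _authenticated(self):
        return f"{COOKIE_NAME}=ok" in self.headers.get("Cookie", "")

    def _send(self, status, body, extra_headers=()):
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        for name, value in extra_headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self._authenticated():
            self._send(200, b"<h1>protected content</h1>")
        else:
            # Behaviour from the question: 401, and the body IS the login form
            self._send(401, LOGIN_FORM)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if fields.get("password") == [SITE_PASSWORD]:
            # Assumed success response: 200 plus a session cookie
            cookie = f"{COOKIE_NAME}=ok; Path=/; HttpOnly"
            self._send(200, b"<h1>protected content</h1>", [("Set-Cookie", cookie)])
        else:
            self._send(401, LOGIN_FORM)   # wrong password: same 401 + form again

    def log_message(self, *args):         # keep the demo output quiet
        pass


def start_mock_site():
    """Start the mock on a random localhost port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), PasswordGate)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def render_login_body(template, username, password):
    """Fill ZAP's {%username%} / {%password%} placeholders from <loginbody>,
    URL-encoding the values as a form POST requires."""
    return (template.replace("{%username%}", urllib.parse.quote_plus(username))
                    .replace("{%password%}", urllib.parse.quote_plus(password)))


def _status(request):
    """Return the HTTP status even though urllib raises on 4xx/5xx."""
    try:
        with urllib.request.urlopen(request) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


def form_login(base_url, login_body):
    """Do what the scanner's form-based auth does: fetch the login page (a
    401 here is expected, not a failure), POST the rendered body to the SAME
    URL, then re-fetch with the cookie.  Returns
    (status_before, session_cookie, status_after)."""
    login_url = base_url + "/"                  # loginpageurl == loginurl
    status_before = _status(urllib.request.Request(login_url))
    post = urllib.request.Request(
        login_url, data=login_body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(post) as response:
            cookie = response.headers.get("Set-Cookie", "").split(";")[0]
    except urllib.error.HTTPError as err:
        return status_before, "", err.code      # login rejected
    status_after = _status(urllib.request.Request(login_url, headers={"Cookie": cookie}))
    return status_before, cookie, status_after


if __name__ == "__main__":
    server, url = start_mock_site()
    try:
        print(form_login(url, render_login_body("password={%password%}", "", SITE_PASSWORD)))
        print(form_login(url, render_login_body("password={%password%}", "", "wrong")))
    finally:
        server.shutdown()
```

Running the script prints a tuple starting with 401 even for the successful login, which is the point: a 401 on the login page URL is the normal unauthenticated state of this kind of gate, and only the status after the POST tells you whether the credentials worked. The same three-step sequence is what ZAP executes from the <form> block in the context, so reproducing it by hand against the target is a quick way to confirm the login URL and body template before blaming the scanner configuration.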


Solution

  • Schoolboy error. I had everything configured properly, but wasn't providing the user (I thought the forced user would be picked up).

    Running zap-baseline.py -t https://myapp.netlify.app/ -r testreport.html -n /zap/wrk/myapp.context -U testuser works.