Search code examples
authenticationservicestack

Disable BasicAuth fallback


According to the documentation: https://docs.servicestack.net/auth/authentication-and-authorization#authenticating-with.net-service-clients

Although behind-the-scenes it ends up making 2 requests, 1st request sends a normal request which will get rejected with a 401 Unauthorized and if the Server indicates it has the BasicAuthProvider enabled it will resend the request with the HTTP Basic Auth credentials.

We are using the typescript JsonClient:

https://api.locode.dev/classes/client.JsonServiceClient.html#responseFilter

We are using basic auth but on specific endpoints but do not want to fallback to it. Is there a way to disable this fallback ?


Solution

  • Browsers will automatically resend a failed 401 Basic Authenticate which responds with a WWW-Authenticate HTTP Response header.

    You can override OnFailedAuthentication() to prevent it from returning a HttpHeaders.WwwAuthenticate in a custom AuthProvider:

    public virtual Task OnFailedAuthentication(IAuthSession session, IRequest httpReq, IResponse httpRes)
    {
        httpRes.StatusCode = (int)HttpStatusCode.Unauthorized;
        httpRes.AddHeader(HttpHeaders.WwwAuthenticate, "{0} realm=\"{1}\"".Fmt(this.Provider, this.AuthRealm));
        return HostContext.AppHost.HandleShortCircuitedErrors(httpReq, httpRes, httpReq.Dto);
    }