Environment
Current behavior
I add the following to my devise configuration:
When making a request
The response contains the "WWW-Authenticate" header, which triggers a basic auth prompt in my browser.
Expected behavior
Because I have http_authenticatable_on_xhr set to false, I should not receive any prompt, just a 401 error that my javascript can then handle.
Problem / Solution
Devise uses Rack::Request#xhr? to decide whether a request is xhr / "ajax" or not. Rack in turn uses the value of the X-Requested-With HTTP header, which is not set by fetch or either of the two request libraries I looked at (axios, apollo client.)
I don't think it's a very useful way, as of 2023, to detect whether a request was initiated from javascript.
However, this detection seems non-trivial and maybe not something devise wants to be in the business of, so the shape of a good solution might be:
Update the documentation to indicate that http_authenticatable_on_xhr probably won't do what you want.
Add a new config setting http_auth_header (or something) that defaults to true, and, if set to false, always disables the "WWW-Authenticate" header. This probably is what most users want out of http_authenticatable_on_xhr, as it will disable the prompt for "ajax" requests (where you don't want it) and API request (where you don't need it.)
Happy to look into this a bit more and submit a PR!
Workarounds
Use a custom failure app:
```ruby
# lib/my_failure_app.rb
class MyFailureApp < Devise::FailureApp
  # Force devise not to send the WWW-Authenticate header (which pops up a
  # basic auth prompt) on fetch requests (or ever.)
  def http_auth_header?
    false
  end
end

# config/initializers/devise.rb
require "devise/my_failure_app"

Devise.setup do |config|
  # ...
  config.warden do |manager|
    manager.failure_app = MyFailureApp
  end
  # ...
end
```
Maybe: Add X-Requested-With: XMLHttpRequest header to outgoing HTTP requests from javascript.
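The following is an added example, not code from the issue or from Devise itself: a small Ruby model of the decision described above, showing why a plain fetch() request still gets a WWW-Authenticate header, why adding X-Requested-With changes that, and what the proposed http_auth_header kill switch would do. `xhr?` mirrors the Rack::Request#xhr? check named in the issue; `www_authenticate_header?` is an assumed simplification of Devise's failure-app logic, and the env hashes are constructed.

```ruby
# Rack::Request#xhr? is true only when the client sent
# "X-Requested-With: XMLHttpRequest" (Rack exposes it as HTTP_X_REQUESTED_WITH).
# fetch(), axios and apollo-client do not set it, so xhr? is false for them.
def xhr?(env)
  env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest"
end

# Assumed model of Devise's check (not Devise's own code): the header is sent
# whenever HTTP basic auth is enabled and the request is not recognised as XHR.
# http_authenticatable_on_xhr only comes into play once xhr? is already true,
# which is exactly why setting it to false does nothing for fetch() requests.
# http_auth_header is the proposed setting / workaround: false disables the
# header unconditionally.
def www_authenticate_header?(env, http_authenticatable: true,
                             http_authenticatable_on_xhr: false,
                             http_auth_header: true)
  return false unless http_auth_header
  return false unless http_authenticatable
  return http_authenticatable_on_xhr if xhr?(env)
  true
end

# Build the 401 the way a failure app would, adding the header that triggers
# the browser's basic-auth prompt only when the model above says so.
def unauthorized_response(env, **opts)
  headers = { "Content-Type" => "application/json" }
  if www_authenticate_header?(env, **opts)
    headers["WWW-Authenticate"] = 'Basic realm="Application"'
  end
  [401, headers, ['{"error":"You need to sign in or sign up before continuing."}']]
end

# Constructed Rack envs: a bare fetch()-style JSON request, and the same
# request after the client-side workaround adds the X-Requested-With header.
FETCH_ENV = {
  "REQUEST_METHOD" => "GET",
  "PATH_INFO" => "/api/me",
  "HTTP_ACCEPT" => "application/json",
}
XHR_ENV = FETCH_ENV.merge("HTTP_X_REQUESTED_WITH" => "XMLHttpRequest")

if __FILE__ == $PROGRAM_NAME
  puts "fetch, defaults:            #{unauthorized_response(FETCH_ENV)[1].keys}"
  puts "fetch + X-Requested-With:   #{unauthorized_response(XHR_ENV)[1].keys}"
  puts "fetch, http_auth_header=false: #{unauthorized_response(FETCH_ENV, http_auth_header: false)[1].keys}"
end
```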