Skip to content

Fix: Extend Basic Auth compatibility with browsers #1698 #1951

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jln-brtn wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

Fix: Extend Basic Auth compatibility with browsers #1698 #1951

jln-brtn wants to merge 1 commit into from
+527 −300

Conversation

@jln-brtn
Copy link

@jln-brtn jln-brtn commented Dec 1, 2025
edited
Loading

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

This PR is related to the issue #1698
TL;DR : The current implementation only works with clients that include the Authorization header in the first request (like curl or Postman). Web Browser and Jellyfin don't, redirecting users to the pangolin login page.

image

I added an extended compatibility switch. Activating this feature will force a challenge during the verification process by sending a 401 response.

How to test?

  1. Navigate to the management UI and edit a resource.
  2. Enable the new "Header Authentication" option.
  3. Enter a desired username, password, enable extended compatibility and save the configuration.
  4. Send a request to the resource's URL using cURL with the correct credentials: curl -u "username:password" https://play.example.com. The request should be successful (e.g., HTTP 200 OK) and the resource content should be returned.
  5. Send a request with incorrect credentials: curl -u "username:wrongpassword" https://play.example.com. The request should be redirected to the standard pangolin login page.
  6. Send a request without credentials from a new browser session. The request should be redirected to the traditional pangolin login.
  7. Send a request with credentials from a new browser session (http://user:[email protected]). The request should be successful (e.g., HTTP 200 OK) and the resource content should be returned.
  8. Remove the "Header Authentication" option and send a request with the correct credentials. The request should be redirected to the traditional Pangolin login.

Note

This code requires a modification to Badger. It was submitted as pull request #16.

This was referenced Dec 1, 2025
Open
Open
@oschwartz10612
Copy link
Member

oschwartz10612 commented Dec 6, 2025

Thank you so much for working on this @jln-brtn. I am going to try to review this ASAP for the next release after 1.13.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jln-brtn @oschwartz10612