Prevent WWW-Authenticate header

[awdrius]

Hi,

I'm not sure I'm approaching this right, but when using restify with restify-oauth2 to secure an api endpoint for Web app - I'm getting a login dialog (at least on Chrome). To battle that I forked and added a new option noWwwAuthenticate next to the tokenEndpoint, wwwAuthenticateRealm, etc. and then I have a logic to not set appropriate header in makeErrorSenders.js (for both setWwwAuthenticateHeader and setWwwAuthenticateHeaderWithoutErrorInfo). I think I overlooked something in the docs or/and usage specs. Do reckon there is a proper approach to it?

In case you find this useful - I can create a pull request.

[gmaniac]

if your branch is public post a link I will pull down that and give it a look

[awdrius]

Sure. Here it goes: https://github.com/awdrius/restify-oauth2

[gmaniac]

Sorry for the delay.

I am a little confused as to what you are trying to do exactly. Could you give me a use case please?

Could you give an example of your request that you are getting a login dialog box from chrome with?

[awdrius]

Hey, no worries, we are all busy.

I'm using your library to authenticate API calls from a JS script. I do that automatically upon user entering the website. If auth call fails - Chrome popups a standard login popup to enter username and password. I do not want that as handling failed logins is a part of JS functionality.

The best description of the issue can be read here:
http://stackoverflow.com/questions/86105/how-can-i-supress-the-browsers-authentication-dialog

[gmaniac]

I will add this in, I was thinking of adding it as an option like tokenExpiration. When it is left blank it will be false and act as it does now. If you pass true it will prepend X- onto Basic which should suppress the popup.

Let me know what you think.

I was going off of this issue as well: #27

[awdrius]

Hey, sorry for the late reply, under tons of work to do here.

I haven't investigated the X- suffix cross-browser behavior. It would not surprise me that the auth header forces cred. dialog on Chrome only. I think I noticed that there is a trend towards it from my app log files.

I'll pull the latest changes/fixes on one of the test servers and will let you know how it went.

[awdrius]

I checked it and X-Basic workaround would work well here. It's up to you how you want to handle it.

Btw, just wanted to thank you guys for creating an easy to use OAuth2 library.

[gmaniac]

All the thanks goes to @domenic he created this package, I am just helping maintain.

I am currently working on making this package compatible with restify 4.x I am fixing some tests and then I can add these feature in. Probably be within the next two weeks unless you would like to submit a pull request?

[awdrius]

I'll see if I can help but I'm not certain I can be that fast (-.