Fix: Extend Basic Auth compatibility with browsers

2026-02-24 05:46:39 +00:00 · 2025-12-01 01:18:09 +01:00
parent 02fbc279b5
commit 46ed27a218
31 changed files with 527 additions and 300 deletions
--- a/server/routers/resource/setResourceHeaderAuth.ts
+++ b/server/routers/resource/setResourceHeaderAuth.ts
@@ -1,23 +1,24 @@
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
-import { db, resourceHeaderAuth } from "@server/db";
-import { eq } from "drizzle-orm";
+import {Request, Response, NextFunction} from "express";
+import {z} from "zod";
+import {db, resourceHeaderAuth, resourceHeaderAuthExtendedCompatibility} from "@server/db";
+import {eq} from "drizzle-orm";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
-import { fromError } from "zod-validation-error";
-import { response } from "@server/lib/response";
+import {fromError} from "zod-validation-error";
+import {response} from "@server/lib/response";
 import logger from "@server/logger";
-import { hashPassword } from "@server/auth/password";
-import { OpenAPITags, registry } from "@server/openApi";
+import {hashPassword} from "@server/auth/password";
+import {OpenAPITags, registry} from "@server/openApi";

 const setResourceAuthMethodsParamsSchema = z.object({
    resourceId: z.string().transform(Number).pipe(z.int().positive())
 });

 const setResourceAuthMethodsBodySchema = z.strictObject({
-        user: z.string().min(4).max(100).nullable(),
-        password: z.string().min(4).max(100).nullable()
-    });
+    user: z.string().min(4).max(100).nullable(),
+    password: z.string().min(4).max(100).nullable(),
+    extendedCompatibility: z.boolean().nullable()
+});

 registry.registerPath({
    method: "post",
@@ -66,21 +67,29 @@ export async function setResourceHeaderAuth(
            );
        }

-        const { resourceId } = parsedParams.data;
-        const { user, password } = parsedBody.data;
+        const {resourceId} = parsedParams.data;
+        const {user, password, extendedCompatibility} = parsedBody.data;

        await db.transaction(async (trx) => {
            await trx
                .delete(resourceHeaderAuth)
                .where(eq(resourceHeaderAuth.resourceId, resourceId));
+            await trx.delete(resourceHeaderAuthExtendedCompatibility).where(eq(resourceHeaderAuthExtendedCompatibility.resourceId, resourceId));

-            if (user && password) {
+            if (user && password && extendedCompatibility !== null) {
                const headerAuthHash = await hashPassword(Buffer.from(`${user}:${password}`).toString("base64"));

-                await trx
-                    .insert(resourceHeaderAuth)
-                    .values({ resourceId, headerAuthHash });
+                await Promise.all([
+                    trx
+                        .insert(resourceHeaderAuth)
+                        .values({resourceId, headerAuthHash}),
+                    trx
+                        .insert(resourceHeaderAuthExtendedCompatibility)
+                        .values({resourceId, extendedCompatibilityIsActivated: extendedCompatibility})
+                ]);
            }
+
+
        });

        return response(res, {