try to only set the www-authenticate header on non-interactive sessions

Holusion · Sep 21, 2023 · 1ce7c80 · 1ce7c80
1 parent 166b157
commit 1ce7c80
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/source/server/server.ts b/source/server/server.ts
@@ -205,7 +205,10 @@ export default async function createServer(config = defaultConfig) :Promise<expr
     }
     let code = (error instanceof HTTPError )? error.code : 500;
 
-    if(code === 401){
+    if(code === 401 && !(req.get("Accept")?.startsWith("text/html") && req.get("User-Agent")?.startsWith("Mozilla"))){
+      //We try to NOT send the header for browser requests because we prefer the HTML login to the browser's popup
+      //Browser tends to prefer text/html and always send Mozilla/5.0 at the beginning of their user-agent
+      //If someone has customized their headers, they'll get the ugly popup and live with it.
       res.set("WWW-Authenticate", "Basic realm=\"authenticated access\"");
     }