Authenticate Header
In EpicMe, the `Authorization` header is the gatekeeper for every journal entry. Its job is simple but critical: make sure that only requests with valid credentials can access or change journal data. If a request doesn't include this header, it shouldn't get through, no exceptions. Once the client has an auth token, it'll send that token in the `Authorization` header. If that header doesn't exist, then we know they don't have a token and shouldn't be able to access our server.

But we can help them out by telling them what they need to do to get access. This is where the `WWW-Authenticate` header comes in. It tells the client what kind of authentication is required.

For example, if someone tries to fetch `/api/secret-sandwich-recipes` without authenticating, the server should respond with a clear message and a `WWW-Authenticate` header:

```js
// Reject any request that arrives without an Authorization header,
// and tell the client which scheme (Bearer) it needs to use.
const hasToken = request.headers.get('authorization')
if (!hasToken) {
	return new Response('Unauthorized', {
		status: 401,
		headers: {
			'WWW-Authenticate': 'Bearer',
		},
	})
}
```
This check is the first and most basic requirement for a secure journal app. The `WWW-Authenticate` header in the response tells the client what kind of credentials are needed to try again.

If a request is missing the `Authorization` header, always include the `WWW-Authenticate` header in your 401 response. This helps clients know how to try again.

Without this check, nothing else about security matters. Make sure every request is challenged at the door.
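The snippet above only handles the "header is missing" case. As an added example (not part of the workshop's code), the gate below also covers the two other failures a server sees in practice: a header that is present but isn't a Bearer token, and a Bearer token that doesn't verify. Each failure gets a `WWW-Authenticate` challenge carrying the `error` auth-param defined in RFC 6750 (`invalid_request` with a 400, `invalid_token` with a 401), so the client learns not just which scheme to use but what went wrong. It uses the standard Fetch `Request`/`Response` objects (Node 18+, browsers, Cloudflare Workers). The token set and `verifyToken` stand-in are constructed for the example; a real server would validate the token against its issuer.

```javascript
// Constructed sample of accepted tokens; a real server would verify a JWT or
// look the token up with the authorization server instead.
const VALID_TOKENS = new Set(['demo-token-123'])

// Stand-in verifier (hypothetical): returns true only for known tokens.
function verifyToken(token) {
  return VALID_TOKENS.has(token)
}

// Build a WWW-Authenticate value: bare "Bearer" when there is nothing more to
// say, otherwise "Bearer" followed by RFC 6750 auth-params (error=..., ...).
function challenge(params = {}) {
  const parts = Object.entries(params).map(([k, v]) => `${k}="${v}"`)
  return parts.length ? `Bearer ${parts.join(', ')}` : 'Bearer'
}

// A refusal always carries the challenge header so the client knows how to retry.
function refuse(status, params) {
  return new Response('Unauthorized', {
    status,
    headers: { 'WWW-Authenticate': challenge(params) },
  })
}

// Returns { ok: true, token } or { ok: false, response } for the caller to send.
function authenticate(request, verify = verifyToken) {
  const header = request.headers.get('authorization')

  // No header at all: plain challenge naming the Bearer scheme.
  if (!header) return { ok: false, response: refuse(401) }

  // Header present but not "Bearer <token>" (scheme name is case-insensitive).
  const match = /^Bearer\s+(\S+)$/i.exec(header)
  if (!match) {
    return {
      ok: false,
      response: refuse(400, {
        error: 'invalid_request',
        error_description: 'expected a Bearer token',
      }),
    }
  }

  // Well-formed Bearer header whose token does not verify.
  const token = match[1]
  if (!verify(token)) {
    return { ok: false, response: refuse(401, { error: 'invalid_token' }) }
  }
  return { ok: true, token }
}

// Route handler: challenge at the door, otherwise serve the protected data.
function handle(request) {
  const auth = authenticate(request)
  if (!auth.ok) return auth.response
  return new Response('secret sandwich recipes', { status: 200 })
}
```

Keeping the challenge construction in one place (`challenge`) means every refusal path, including ones added later for scope checks, reaches the client with a consistent `WWW-Authenticate` header rather than a bare status code.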
If you're experiencing issues when clicking "Connect" in the inspector, double-check the "Authentication" dropdown. Clicking that will show you a UI for custom headers, and if there's a custom "Authentication" header, it could be messing with your connection request. Delete that header and the inspector will add the correct "Authorization" header for you automatically.
For more details, see the MDN documentation on WWW-Authenticate.