[GH-ISSUE #7828] [Bug]: Intermittent failure to sync when using HTTP Basic Auth #72951

Open
opened 2026-05-16 13:58:17 -05:00 by GiteaMirror · 0 comments
Owner

Originally created by @danielkauffman on GitHub (May 13, 2026).
Original GitHub issue: https://github.com/actualbudget/actual/issues/7828

What happened?

I'm using HTTP Basic Auth + X-Actual-Password.

When I request:

https://username:password@example.com

That request negotiates HTTP Auth and partially loads Actual Budget but then stalls (note below how the username and password are included in the URL):

Initializing the connection to the local database…
No server configured [Change](https://username:password@example.com/config-server)

I then refresh to request:

https://example.com

And that loads Actual Budget.

Actual Budget then works and syncs for some time. Eventually, Actual Budget stops syncing, but the browser does not prompt for a username and password and Actual Budget does not show any error message. My best guess is that the HTTP Auth expires, however, requesting:

https://example.com

Does not prompt the browser to request a username and password, which suggests that HTTP Auth is still valid. At that point, I start over with step 1 above, which succeeds.

Three things look strange to me, with the first most likely being the most significant:

  1. When requesting a URL that includes a username and password, the username and password are included in the [Change] URL. I'm wondering whether Actual Budget might be looking for an instance named username:password@example.com instead of example.com, and since the instance name does not include the username and password, fails.
  2. When Actual Budget stops synchronizing, Actual Budget recognizes the loss of sync but doesn't show an error message.
  3. When refreshing after loss of sync, the browser does not prompt for a username and password, which suggests that HTTP Auth is still valid. However, using username:password@example.com to explicitly renegotiate HTTP Auth succeeds, which suggests that HTTP Auth has expired. Perhaps HTTP Auth loses state between server and browser?

I'm running Debian 13 + nginx 1.26.3 + node 20.19.2 and installing Actual Budget using:

npm install @actual-app/sync-server --location=global

I've created a systemd service to start and supervise Actual Budget.

When a request arrives, nginx handles HTTPS and HTTP Auth, sets X-Actual-Password, and proxies the request to Actual Budget.

How can we reproduce the issue?

  1. Enable HTTP Auth.
  2. Request https://username:password@example.com. Observe the failure.
  3. Request https://example.com. Observe success.
  4. Leave the browser window open. Eventually, Actual Budget stops sync, possibly after 24 hours.
  5. Request https://example.com. Observe the failure.
  6. Repeat steps 2-6.

Where are you hosting Actual?

Other

What browsers are you seeing the problem on?

Firefox

Operating System

Linux

Originally created by @danielkauffman on GitHub (May 13, 2026). Original GitHub issue: https://github.com/actualbudget/actual/issues/7828 ### What happened? I'm using HTTP Basic Auth + X-Actual-Password. When I request: https://username:password@example.com That request negotiates HTTP Auth and partially loads Actual Budget but then stalls (note below how the username and password are included in the URL): Initializing the connection to the local database… No server configured [Change](https://username:password@example.com/config-server) I then refresh to request: https://example.com And that loads Actual Budget. Actual Budget then works and syncs for some time. Eventually, Actual Budget stops syncing, but the browser does not prompt for a username and password and Actual Budget does not show any error message. My best guess is that the HTTP Auth expires, however, requesting: https://example.com Does not prompt the browser to request a username and password, which suggests that HTTP Auth is still valid. At that point, I start over with step 1 above, which succeeds. Three things look strange to me, with the first most likely being the most significant: 1. When requesting a URL that includes a username and password, the username and password are included in the [Change] URL. I'm wondering whether Actual Budget might be looking for an instance named `username:password@example.com` instead of `example.com`, and since the instance name does not include the username and password, fails. 2. When Actual Budget stops synchronizing, Actual Budget recognizes the loss of sync but doesn't show an error message. 3. When refreshing after loss of sync, the browser does not prompt for a username and password, which suggests that HTTP Auth is still valid. However, using `username:password@example.com` to explicitly renegotiate HTTP Auth succeeds, which suggests that HTTP Auth has expired. Perhaps HTTP Auth loses state between server and browser? I'm running Debian 13 + nginx 1.26.3 + node 20.19.2 and installing Actual Budget using: npm install @actual-app/sync-server --location=global I've created a systemd service to start and supervise Actual Budget. When a request arrives, nginx handles HTTPS and HTTP Auth, sets X-Actual-Password, and proxies the request to Actual Budget. ### How can we reproduce the issue? 1. Enable HTTP Auth. 2. Request https://username:password@example.com. Observe the failure. 3. Request https://example.com. Observe success. 4. Leave the browser window open. Eventually, Actual Budget stops sync, possibly after 24 hours. 5. Request https://example.com. Observe the failure. 6. Repeat steps 2-6. ### Where are you hosting Actual? Other ### What browsers are you seeing the problem on? Firefox ### Operating System Linux
GiteaMirror added the needs triagebug labels 2026-05-16 13:58:17 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/actual#72951