[PR #1951] [MERGED] Fix: Extend Basic Auth compatibility with browsers #1698 #2778

Closed
opened 2026-04-16 09:35:58 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/fosrl/pangolin/pull/1951
Author: @jln-brtn
Created: 12/1/2025
Status: Merged
Merged: 12/20/2025
Merged by: @oschwartz10612

Base: dev ← Head: dev


📝 Commits (1)

  • 46ed27a Fix: Extend Basic Auth compatibility with browsers

📊 Changes

31 files changed (+527 additions, -300 deletions)

View changed files

📝 messages/bg-BG.json (+2 -0)
📝 messages/cs-CZ.json (+2 -0)
📝 messages/de-DE.json (+2 -0)
📝 messages/en-US.json (+2 -0)
📝 messages/es-ES.json (+2 -0)
📝 messages/fr-FR.json (+19 -17)
📝 messages/it-IT.json (+2 -0)
📝 messages/ko-KR.json (+2 -0)
📝 messages/nb-NO.json (+2 -0)
📝 messages/nl-NL.json (+2 -0)
📝 messages/pl-PL.json (+2 -0)
📝 messages/pt-PT.json (+2 -0)
📝 messages/ru-RU.json (+2 -0)
📝 messages/tr-TR.json (+2 -0)
📝 messages/zh-CN.json (+2 -0)
📝 server/db/pg/schema/schema.ts (+9 -0)
📝 server/db/queries/verifySessionQueries.ts (+12 -2)
📝 server/db/sqlite/schema/schema.ts (+122 -111)
📝 server/lib/blueprints/proxyResources.ts (+52 -27)
📝 server/lib/blueprints/types.ts (+2 -1)

...and 11 more files

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

This PR is related to issue #1698.

TL;DR: The current implementation only works with clients that include the Authorization header in the first request (like curl or Postman). Web browsers and Jellyfin don't, so users are redirected to the Pangolin login page.


I added an extended compatibility switch. Activating this feature will force a challenge during the verification process by sending a 401 response.

How to test?

  1. Navigate to the management UI and edit a resource.
  2. Enable the new "Header Authentication" option.
  3. Enter a desired username, password, enable extended compatibility and save the configuration.
  4. Send a request to the resource's URL using cURL with the correct credentials: curl -u "username:password" https://play.example.com. The request should be successful (e.g., HTTP 200 OK) and the resource content should be returned.
  5. Send a request with incorrect credentials: curl -u "username:wrongpassword" https://play.example.com. The request should be redirected to the standard pangolin login page.
  6. Send a request without credentials from a new browser session. The request should be redirected to the traditional pangolin login.
  7. Send a request with credentials from a new browser session (http://user:password@my.example.com). The request should be successful (e.g., HTTP 200 OK) and the resource content should be returned.
  8. Remove the "Header Authentication" option and send a request with the correct credentials. The request should be redirected to the traditional Pangolin login.

Note

This code requires a modification to Badger. It was submitted as pull request #16 (https://github.com/fosrl/badger/pull/16).


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
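
A minimal model of the decision the description above outlines, added here as an illustration; it is not code from Pangolin or Badger. The function names, the resource object shape and the `/auth/login` path are assumptions, and it assumes the 401 challenge is sent only when the request carries no Authorization header.

```javascript
// Added illustration; not Pangolin or Badger code. All names are hypothetical.
const LOGIN_URL = "/auth/login"; // placeholder path, not taken from the project

// Parse "Basic <base64(user:pass)>"; returns null when the header is malformed.
function parseBasic(header) {
  if (typeof header !== "string") return null;
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})$/i.exec(header.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":"); // split on the first ':'; passwords may contain ':'
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// Compare two strings without stopping at the first differing byte.
function safeEqual(a, b) {
  const x = Buffer.from(a, "utf8");
  const y = Buffer.from(b, "utf8");
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % (y.length || 1)];
  return diff === 0;
}

// resource: { headerAuth: { user, pass } | null, extendedCompatibility: boolean }
// headers: request headers with lower-cased names, as Node.js exposes them.
function decide(resource, headers) {
  const toLogin = { status: 302, headers: { Location: LOGIN_URL } };
  if (!resource.headerAuth) return toLogin; // header authentication not enabled
  const raw = headers["authorization"];
  if (raw === undefined) {
    // Browsers send Basic credentials only after a challenge, so without
    // the 401 they never get a chance to authenticate this way.
    if (!resource.extendedCompatibility) return toLogin;
    return {
      status: 401,
      headers: { "WWW-Authenticate": 'Basic realm="resource", charset="UTF-8"' },
    };
  }
  const creds = parseBasic(raw);
  if (creds === null) return toLogin;
  // Evaluate both comparisons so a wrong username does not skip the second one.
  // A real deployment would verify against a stored password hash instead.
  const userOk = safeEqual(creds.user, resource.headerAuth.user);
  const passOk = safeEqual(creds.pass, resource.headerAuth.pass);
  return userOk && passOk ? { status: 200, headers: {} } : toLogin;
}
```
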

GiteaMirror added the pull-request label 2026-04-16 09:35:58 -05:00

Reference: github-starred/pangolin#2778