keystonejs/keystone
Voir sur GitHub`statelessSessions` attempts to use unsupported `Authorization: Basic` header rather than the cookie
Open
#9 785 ouverte le 6 mars 2026
discussiondocumentationhelp wanted
Métriques du dépôt
- Stars
- (14 870 stars)
- Métriques de merge PR
- (Merge moyen 8j 20h) (13 PRs mergées en 30 j)
Description
When deploying a Keystone app to a staging environment hidden behind a reverse proxy (like Nginx or Caddy) with HTTP Basic Authentication, Admin UI access breaks (Access denied), even if the user logs in correctly and has a valid keystonejs-session cookie.
Steps to reproduce:
- Setup a Keystone app using
statelessSessions. - Put the app behind a proxy that requires Basic Auth, passing the
Authorization: Basic ...header down to the Node.js backend. - Log in to the Admin UI successfully (the cookie is set in the browser).
- Refresh the page or try to access
adminMeta. - Result:
Access deniedbecausecontext.sessionbecomesundefined.
Expected behaviour:
Keystone should ignore Authorization: Basic ... headers and correctly fallback to parsing the keystonejs-session cookie.
Node.js - v22.13.0 keystone-6/auth - 8.1.0 keystone-6/core - 6.5.1