keystonejs/keystone

`statelessSessions` attempts to use unsupported `Authorization: Basic` header rather than the cookie

Open

#9785 opened on Mar 6, 2026

Labels: discussion, documentation, help wanted

Description

When deploying a Keystone app to a staging environment hidden behind a reverse proxy (like Nginx or Caddy) with HTTP Basic Authentication, Admin UI access breaks (Access denied), even if the user logs in correctly and has a valid `keystonejs-session` cookie.

Steps to reproduce:

  1. Set up a Keystone app using `statelessSessions`.
  2. Put the app behind a proxy that requires Basic Auth, passing the `Authorization: Basic ...` header down to the Node.js backend.
  3. Log in to the Admin UI successfully (the cookie is set in the browser).
  4. Refresh the page or try to access `adminMeta`.
  5. Result: Access denied because `context.session` becomes `undefined`.

Expected behaviour: Keystone should ignore `Authorization: Basic ...` headers and correctly fall back to parsing the `keystonejs-session` cookie.


Node.js - v22.13.0
keystone-6/auth - 8.1.0
keystone-6/core - 6.5.1
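The failure mode above, as an added example that is not Keystone's own code: a naive token selector that treats any `Authorization` value as the session token (an assumed mechanism consistent with the reported symptom) beside a corrected selector that honours only the `Bearer` scheme and otherwise falls back to the cookie. The request headers and token values are constructed.

```javascript
// Added example, not code from the keystone repository. Models session-token
// selection from a request's headers so the reported bug can be reproduced.

const COOKIE_NAME = 'keystonejs-session';

// Minimal cookie parser (assumption: "name=value; name2=value2" pairs).
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Assumed buggy pattern: strip a "Bearer " prefix and use whatever remains.
// An "Authorization: Basic ..." header survives the strip, is truthy, and
// shadows the cookie, so the resulting token never matches a session.
function pickTokenNaive(headers) {
  const bearer = (headers.authorization || '').replace('Bearer ', '');
  return bearer || parseCookies(headers.cookie)[COOKIE_NAME];
}

// Corrected: only an explicit Bearer scheme is used as the session token;
// any other scheme (Basic, Digest, ...) is ignored and the cookie is read.
function pickTokenFixed(headers) {
  const m = /^Bearer\s+(\S+)\s*$/i.exec(headers.authorization || '');
  if (m) return m[1];
  return parseCookies(headers.cookie)[COOKIE_NAME];
}

// Constructed request as forwarded by a proxy that enforces Basic Auth:
// the proxy passes the Basic credentials on, the browser sends the cookie.
const proxiedRequest = {
  authorization: 'Basic ' + Buffer.from('staging:placeholder').toString('base64'),
  cookie: 'keystonejs-session=sess_abc123; other=1',
};

// Constructed request from an API client that really does use a Bearer token.
const bearerRequest = { authorization: 'Bearer tok_xyz789', cookie: '' };

console.log('naive :', pickTokenNaive(proxiedRequest)); // "Basic c3Rh..." (wrong)
console.log('fixed :', pickTokenFixed(proxiedRequest)); // "sess_abc123"
console.log('bearer:', pickTokenFixed(bearerRequest));  // "tok_xyz789"
```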
