keystonejs/keystone

`statelessSessions` attempts to use unsupported `Authorization: Basic` header rather than the cookie

Open

#9.785 aberto em 6 de mar. de 2026

Ver no GitHub
 (2 comments) (0 reactions) (1 assignee)JavaScript (2.386 forks)batch import
discussiondocumentationhelp wanted

Métricas do repositório

Stars
 (14.870 stars)
Métricas de merge de PR
 (Mesclagem média 8d 20h) (13 fundiu PRs em 30d)

Description

When deploying a Keystone app to a staging environment hidden behind a reverse proxy (like Nginx or Caddy) with HTTP Basic Authentication, Admin UI access breaks (Access denied), even if the user logs in correctly and has a valid keystonejs-session cookie.

Steps to reproduce:

  1. Setup a Keystone app using statelessSessions.
  2. Put the app behind a proxy that requires Basic Auth, passing the Authorization: Basic ... header down to the Node.js backend.
  3. Log in to the Admin UI successfully (the cookie is set in the browser).
  4. Refresh the page or try to access adminMeta.
  5. Result: Access denied because context.session becomes undefined.

Expected behaviour: Keystone should ignore Authorization: Basic ... headers and correctly fallback to parsing the keystonejs-session cookie.


Node.js - v22.13.0 keystone-6/auth - 8.1.0 keystone-6/core - 6.5.1

Guia do colaborador