[BUG] Basic Auth #4498

wm-ek opened this issue May 23, 2025 · 11 comments · Fixed by #4501

@wm-ek

wm-ek commented May 23, 2025

Basic auth requires both username and password.

There are services that will have a token as username and that's it.

Due to the validation, we cannot authenticate with a service which implemented it that way.

> Authentication to the API is performed via HTTP Basic Auth. Provide your API key as the basic auth username value. You do not need to provide a password. This is done for every request, not just once.

It would be great to make password optional.

Thank you.

@HenryHengZJ
Contributor

We are changing the authentication method to use JWT based with email & password login. Unfortunately, it will be a must by default to set an email & password.

@wm-ek
Author

wm-ek commented May 24, 2025

I was talking about the HTTP node, just to clarify.

Where I make a call to an external API to get some data.

@HenryHengZJ

@HenryHengZJ
Contributor

Ohhh okay, got it. Does it cause an error if you don't have a password on the basic auth?

@HenryHengZJ HenryHengZJ reopened this May 24, 2025
@wm-ek
Author

wm-ek commented May 24, 2025

@HenryHengZJ yes, I get a 401.

@korade-krushna
Contributor

Can I pick this issue? As I understood from the context, we just need to keep username required and password optional in basic auth while calling external services?

@wm-ek
Author

wm-ek commented May 24, 2025

@korade-krushna yes, thank you.

@korade-krushna
Contributor

@wm-ek Do you have any external service which uses username as token in basic auth, which I can use to reproduce the issue?

@wm-ek
Author

wm-ek commented May 24, 2025

@korade-krushna actually not, sorry. I believe Postman could capture the request: https://learning.postman.com/docs/sending-requests/capturing-request-data/capture-overview/ or an n8n/make webhook.

header should look like
Authorization: Basic <password>

@korade-krushna
Contributor

Whatever I got says this is not a standard way to use basic auth, @wm-ek. Can you point me to the service where you got this error?

> Authentication to the API is performed via HTTP Basic Auth. Provide your API key as the basic auth username value. You do not need to provide a password. This is done for every request, not just once.

Or could you please paste steps to reproduce this issue?

@wm-ek
Author

wm-ek commented May 25, 2025

@korade-krushna well, I did not develop that API service.

It's not possible to use without a licence. However, here are the API docs: https://app.cashctrl.com/static/help/en/api/index.html#auth

@korade-krushna
Contributor

@wm-ek
Reproduced your bug with the Python server below:

```python
from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import HTTPBasic, HTTPBasicCredentials
from starlette.requests import Request
import secrets

app = FastAPI()
security = HTTPBasic()

# Replace with your actual API key
VALID_API_KEY = "1234567890"

def authenticate(credentials: HTTPBasicCredentials = Depends(security)):
    print(credentials)
    correct_username = secrets.compare_digest(credentials.username, VALID_API_KEY)
    correct_password = credentials.password in (None, "",)  # Accept no password

    if not correct_username or not correct_password:
        print("Invalid API Key")
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid API Key",
            headers={"WWW-Authenticate": "Basic"},
        )
    return credentials.username

@app.get("/api/data")
def read_data(username: str = Depends(authenticate)):
    return {"message": "Access granted", "user": username, "data": "Here's your secure data"}
```

Tested it by passing only the key (without : at the end) in the username, keeping the password empty. It works fine.
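
Added example, not part of the original thread or the project's code: how an `Authorization` header for the key-as-username, empty-password case is built on the client and checked on the server under RFC 7617. The function names are hypothetical, and the API key used in the checks is the constructed value from the test server above.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple


def build_basic_header(username: str, password: str = "") -> str:
    """Client side: the password is optional, the username (API key) is not."""
    if not username:
        raise ValueError("username (the API key) is required")
    if ":" in username:
        # RFC 7617: the first colon separates user-id from password,
        # so the user-id itself cannot contain one.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Server side: return (username, password), or None if malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the FIRST colon only: passwords may contain colons.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None  # "key" without the trailing colon is not a user-pass pair
    return username, password


def is_authorized(header: str, api_key: str) -> bool:
    """Accept only the API key as username together with an empty password."""
    parsed = parse_basic_header(header)
    if parsed is None:
        return False
    username, password = parsed
    # Constant-time comparison so timing does not leak key prefixes.
    key_ok = hmac.compare_digest(username.encode("utf-8"), api_key.encode("utf-8"))
    return key_ok and password == ""
```

The empty password still leaves the separator in place: the encoded value is `base64("1234567890:")`, not `base64("1234567890")`.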


HenryHengZJ pushed a commit that referenced this issue May 27, 2025

Use Correct Key For Basic Auth and Optional pass

Co-authored-by: Krishna Korade <[email protected]>