Issues when using workers for basic authentication

I found code online for basic HTTP authentication for visiting certain parts of my site via Cloudflare Workers, but I’m having issues implementing it.
Here’s the code that I’m using.
The issue is that it works fine on one of my URLs but goes into an authentication loop for all other URLs.
Also noticed that it sends a header different from what I use in the code on the ones in which it fails.

The response headers on the pages where it doesn’t work:


Also, according to the code, the WWW-Authenticate header should have the value Basic realm="Secure Area" and not Basic realm="authorize_account".

Any help is appreciated.

The request headers for that URL:

Response headers on the one URL on which it works:

Request headers for the URL on which it works:

Can you copy/paste the headers into a Preformatted Text Block </>? Much easier than having to retype from an image. You can redact anything sensitive.

1 Like

Request headers for the URLs on which it goes into auth loop:

:authority: b2.flamekiller.org
:method: GET
:path: /file/flamekiller/protected/stats/luminous/10-2021.jpg
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-GB,en-US;q=0.9,en;q=0.8,ja;q=0.7
authorization: Basic <Redacted>
cache-control: no-cache
dnt: 1
pragma: no-cache
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36

I have not been able to replicate with the code you linked to.

There is a more fully featured implementation on the Cloudflare Developer site.

https://developers.cloudflare.com/workers/examples/basic-auth/

The primary difference I can see is in the parsing of the authorization header. Might be worth trying the CF version.

You could also look at using Cloudflare Zero Trust (a.k.a. Cloudflare Access) to protect sensitive areas of the website.

1 Like
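
An added example (not code from this thread or from the Cloudflare sample) of the two checks the thread turns on: strict parsing of the Authorization header, and comparing the realm in a 401's WWW-Authenticate header with the realm the Worker sets ("Secure Area", per the first post). The function names are hypothetical, and it assumes a runtime with atob and TextDecoder, as Workers and current Node provide.

```javascript
// Added example. EXPECTED_REALM is the realm the poster says their Worker
// sets; all function names here are constructed for illustration.
const EXPECTED_REALM = "Secure Area";

// Parse "Authorization: Basic <base64(user:pass)>" defensively.
// Returns { user, pass }, or null for anything malformed.
function parseBasicAuth(headerValue) {
  if (typeof headerValue !== "string") return null;
  // The scheme is case-insensitive; exactly one base64 token must follow.
  const m = /^\s*basic\s+([A-Za-z0-9+/]+={0,2})\s*$/i.exec(headerValue);
  if (!m) return null;
  let bin;
  try {
    bin = atob(m[1]);
  } catch {
    return null; // not valid base64
  }
  // Decode the bytes as UTF-8 so non-ASCII credentials survive.
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  const text = new TextDecoder().decode(bytes);
  // Control characters have no place in a user-id or password.
  if (/[\x00-\x1F\x7F]/.test(text)) return null;
  // Split on the FIRST colon only: the password may itself contain ':'.
  const i = text.indexOf(":");
  if (i === -1) return null;
  return { user: text.slice(0, i), pass: text.slice(i + 1) };
}

// Extract the realm from a WWW-Authenticate challenge, or null if absent.
function challengeRealm(wwwAuthenticate) {
  const m = /\brealm\s*=\s*"([^"]*)"/i.exec(wwwAuthenticate || "");
  return m ? m[1] : null;
}

// Was this 401 issued with the Worker's own realm, or by something else?
function classify401(status, wwwAuthenticate) {
  if (status !== 401) return "not-a-401";
  return challengeRealm(wwwAuthenticate) === EXPECTED_REALM
    ? "worker-challenge"
    : "other-challenge";
}
```

A 401 classified as other-challenge, like the authorize_account one reported above, did not come from the Worker's own challenge line, so the next step is to look at what else on the request path can answer with a 401.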