express-basic-auth icon indicating copy to clipboard operation
express-basic-auth copied to clipboard
verified publisher icon LionC

Custom authorizer is not called without Authorization header

Open CSantosM opened this issue 3 years ago • 2 comments

The custom authorizer is not called if my request has not Authorization header and the request is rejected automaticaly with "401 NO AUTHORIZED" message which is not what I was expected.

This forces me to have to use dummy auth data with the aim of invoked my custom authorized.

I would like the custom authorized is called without refusing the request even if the header is empty because that is precisely the work of the custom authorized, reject or allow each request, isn't it?

Why is the reason for this decision?

CSantosM avatar Sep 30 '22 15:09 CSantosM

Did you solve this? Same issue here.

ViniMnzs avatar Jan 06 '23 01:01 ViniMnzs

The idea was that if something is protected by auth, it requires auth. If certain routes do not need authentication, try to attach the middleware only to those that should be protected.

Otherwise, it might be tricky to add this as an option without breaking at least types, so enabling the behaviour you want might need to wait for a v2.0.

LionC avatar Sep 28 '23 13:09 LionC