Make Header-based auth compatible with http-auth protected (staging) sites

Created on 14 October 2025, 13 days ago

Problem/Motivation

When using the Header authorization plugin with Entity Share, HTTP basic authentication credentials embedded in the remote URL (e.g., https://username:password@example.com) are not properly extracted and used by the HTTP client.

This creates issues when remote sites are protected by HTTP basic authentication (such as staging environments protected by .htaccess), because even though the credentials are included in the URL configuration, the resulting HTTP requests fail with 401 Unauthorized errors.

The Header plugin currently uses the full URL (including any embedded credentials) as the base_uri for Guzzle, but Guzzle requires basic auth credentials to be passed separately via the auth option to work correctly.

Steps to reproduce

  1. Set up a remote Drupal site protected with HTTP basic authentication (e.g., via .htaccess with username/password)
  2. Configure an Entity Share remote with a URL that includes basic auth credentials: https://username:password@example.com:port
  3. Configure the remote to use the Header authorization plugin (e.g., for API key authentication)
  4. Navigate to the Entity Share pull interface and try to open a channel
  5. Observe a 401 Unauthorized error when attempting to fetch content from the JSON:API endpoints

Proposed resolution

Modify the Header authorization plugin's getClient() and getJsonApiClient() methods to:

  1. Parse the URL to extract any embedded HTTP basic auth credentials (username and password)
  2. If credentials are found, pass them to Guzzle via the auth option
  3. Remove the credentials from the URL before setting it as base_uri

This approach allows the Header plugin to support both custom header-based authorization (like API keys) and HTTP basic authentication simultaneously, which is a common requirement for staging/production environments.
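The three steps above, sketched as an added example; this is not the patch from this issue or Entity Share's own code. The function name build_client_options(), the X-Api-Key header and the sample URLs are hypothetical, while base_uri, headers and auth are Guzzle's client options.

```php
<?php

declare(strict_types=1);

/**
 * Splits embedded basic auth credentials out of a remote URL.
 *
 * Hypothetical helper: returns an options array suitable for
 * new \GuzzleHttp\Client($options), with a credential-free base_uri and,
 * when the URL carried userinfo, the 'auth' option.
 */
function build_client_options(string $remote_url, array $headers = []): array {
  $parts = parse_url($remote_url);
  if ($parts === FALSE || empty($parts['scheme']) || empty($parts['host'])) {
    throw new InvalidArgumentException('Remote URL must be absolute.');
  }

  // Step 3: rebuild the URL from every component except user and pass.
  $base_uri = $parts['scheme'] . '://' . $parts['host']
    . (isset($parts['port']) ? ':' . $parts['port'] : '')
    . ($parts['path'] ?? '')
    . (isset($parts['query']) ? '?' . $parts['query'] : '');

  $options = ['base_uri' => $base_uri, 'headers' => $headers];

  // Steps 1 and 2: userinfo is percent-encoded inside a URL, so decode it
  // before handing it to Guzzle as [username, password].
  if (isset($parts['user'])) {
    $options['auth'] = [
      rawurldecode($parts['user']),
      rawurldecode($parts['pass'] ?? ''),
    ];
  }
  return $options;
}

// Constructed sample input: "@" and ":" in the credentials are encoded.
$with = build_client_options(
  'https://stage%40user:p%3Ass@example.com:8443/',
  ['X-Api-Key' => 'constructed-key']
);
assert($with['base_uri'] === 'https://example.com:8443/');
assert($with['auth'] === ['stage@user', 'p:ss']);
assert($with['headers'] === ['X-Api-Key' => 'constructed-key']);

// A URL without credentials must not gain an 'auth' option.
$without = build_client_options('https://example.com/');
assert(!isset($without['auth']));

print $with['base_uri'] . PHP_EOL;
```

The custom header and the basic auth pair travel in the same options array, so a remote protected by .htaccess still receives the API key header on each request.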

Remaining tasks

  • Review the patch
  • Test the changes with a site protected by HTTP basic authentication
  • Commit the fix

User interface changes

None.

API changes

None. This is an internal implementation change that maintains backward compatibility.

Data model changes

None.

📌 Task

Status: Active

Version: 3.0

Component: Code

Created by: 🇭🇺 aron novak (Hungary, Budapest)
