Skip to content

Missing WWW-Authenticate header in 401 responses #376

Description

@dwightgunning

Output of rest-server --version

rest-server version rest-server 0.12.1 compiled with go1.20.5 on linux/arm64

Problem description / Steps to reproduce

dwight@chadwick:~ $ wget --user=dwight --ask-password http://<snip>:<snip>/config
Password for user ‘dwight’:
--2025-12-11 17:23:39--  http://<snip>:<snip>/config
Resolving <snip> (<snip>)... <snip>
Connecting to <snip> (<snip>)|<snip>|:<snip>... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Unknown authentication scheme.

Username/Password Authentication Failed.

Note the unknown authentication scheme.

Expected behavior

Per the HTTP spec, the 401 response should include a WWW-Authenticate header. This facilitates a challenge-response flow to negotiate authentication.

Actual behavior

dwight@chadwick:~ $ wget -S http://<snip>:<snip>/config
--2025-12-11 17:21:32--  http://<snip>:<snip>/config
Resolving volta.cinnamon-snake.ts.net (volta.cinnamon-snake.ts.net)... <snip>
Connecting to <snip> (<snip>)|<snip>|:<snip>... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 401 Unauthorized
  Content-Type: text/plain; charset=utf-8
  X-Content-Type-Options: nosniff
  Date: Thu, 11 Dec 2025 17:21:33 GMT
  Content-Length: 13

Username/Password Authentication Failed.

Note the lack of a WWW-Authenticate response header.

Do you have any idea what may have caused this?

No.

Did rest-server help you today? Did it make you happy in any way?

rest-server is a great compliment to restic and an essential component in my backup solution.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions