I am using CakePHP as a REST API for a single-page app.
Every request gets authenticated and authorized before proceeding.
The problem is, on logging in, if the credentials are wrong, Cake returns 401 and the browser shows its own server log in a popup.
I believe there is a way to stop it by unsetting the WWW-Authenticate header, but I need to know how. Can someone explain how to unset that header?
The headers are being set in the \Cake\Auth\BasicAuthenticate authentication adapter.
https://github.com/cakephp/cakephp/blob/3.0.11/src/Auth/BasicAuthenticate.php#L85-L110
It's hardcoded, so if you want to change this behavior, you'll have to create a custom/extended authentication adapter and override this behavior.
Here's a quick example:
src/Auth/MyCustomBasicAuthenticate.php
```php
<?php
namespace App\Auth;

use Cake\Auth\BasicAuthenticate;
use Cake\Network\Exception\UnauthorizedException;
use Cake\Network\Request;
use Cake\Network\Response;

class MyCustomBasicAuthenticate extends BasicAuthenticate
{
    // Throw a plain 401 without attaching the WWW-Authenticate header
    // that the parent adapter adds to the exception.
    public function unauthenticated(Request $request, Response $response)
    {
        throw new UnauthorizedException();
    }
}
```
Controller
```php
$this->loadComponent('Auth', [
    'authenticate' => [
        'MyCustomBasic'
    ]
]);
```
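A variant of the adapter above, as an added example that is not part of the original answer or of CakePHP itself: it drops the challenge only for the SPA's XHR calls and keeps it for every other client, since non-browser HTTP clients use `WWW-Authenticate` to learn which scheme to send. The class name `SpaBasicAuthenticate` is hypothetical, and it assumes the SPA sends `X-Requested-With: XMLHttpRequest` and the `loginHeaders()` signature of the 3.0.x adapter linked above.

```php
<?php
// src/Auth/SpaBasicAuthenticate.php (hypothetical name, added example)
namespace App\Auth;

use Cake\Auth\BasicAuthenticate;
use Cake\Network\Exception\UnauthorizedException;
use Cake\Network\Request;
use Cake\Network\Response;

class SpaBasicAuthenticate extends BasicAuthenticate
{
    public function unauthenticated(Request $request, Response $response)
    {
        $exception = new UnauthorizedException();

        // Assumption: the SPA marks its calls with
        // X-Requested-With: XMLHttpRequest, which is what the built-in
        // 'ajax' request detector checks. The header is client-controlled,
        // so it only decides whether the challenge is sent; the request
        // is rejected with 401 either way.
        if (!$request->is('ajax')) {
            // Same challenge the parent adapter attaches:
            // WWW-Authenticate: Basic realm="..."
            $exception->responseHeader([$this->loginHeaders()]);
        }

        throw $exception;
    }
}
```

Load it the same way as the adapter above, with `'SpaBasic'` in the `authenticate` list.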