I'm attempting to deploy a personal instance of the application found at https://github.com/cogentapps/chat-with-gpt on my VPS and wish to secure it using basic authentication. My Caddyfile is configured as follows:
chat.domain.name {
basicauth {
user pwd_hash
}
reverse_proxy chat-service:3000
}
The Docker configuration is set up correctly and the application runs smoothly without basic authentication. However, when basic authentication is enabled, although the initial page load prompts for credentials and proceeds successfully, I encounter issues with subsequent requests.
The "/manifest.json" fails to load, resulting in a 401 error. Curiously, if I access the URL directly, it loads without prompting for credentials again. All other files are loaded correctly, I can register a user, log in and log out, etc.
The main issue is that any calls to the completion API are met with repeated authentication pop-ups that never resolve, even after entering the correct credentials the popup is being shown again. In the browser's developer tools, these requests do not seem to receive a response and are eventually timed out by the application.
The request is being made from here: https://github.com/cogentapps/chat-with-gpt/blob/c75663bf9050735ffe5b8e1fe042db2b1095b47e/app/src/core/utils/sse.ts#L52C18-L52C18
Why is the browser failing to attach authentication headers for requests to the same domain after the initial prompt?
Additionally, are there alternative methods to secure the application that does not involve modifying its source code?