Basic Auth user credentials not being passed with request

[mikecole20]

I'm trying to use the example from NSHipster to do Basic Auth. I form my request like so:

        Alamofire.request(.POST, "https://my.url.com/api/v1/auth")
            .authenticate(HTTPBasic: email, password: password)
            .responseJSON {(request, response, JSON, error) in
                println(request)
                println(response)
                println(JSON)
                println(error)
        }

Email and password are just strings here. I am getting a response suggesting that the credentials aren't attached.

Optional(<NSHTTPURLResponse: 0x7fb699783080> { URL: https://my.url.com/api/v1/auth } { status code: 401, headers {
    Allow = "POST, OPTIONS";
    Connection = "keep-alive";
    "Content-Language" = "en-us";
    "Content-Length" = 59;
    "Content-Type" = "application/json";
    Date = "Mon, 11 Aug 2014 13:34:36 GMT";
    Server = "gunicorn/17.5";
    Vary = "Accept, Accept-Language";
    "Www-Authenticate" = "Basic realm=\"api\"";
    "X-Frame-Options" = SAMEORIGIN;
} })
Optional({
    detail = "Authentication credentials were not provided.";
})

When I make the same request while using AFNetworking, I get a successful 200 response.

        let manager = AFHTTPRequestOperationManager()
        manager.requestSerializer.clearAuthorizationHeader()
        manager.requestSerializer.setAuthorizationHeaderFieldWithUsername(emailTextField.text, password:passwordTextField.text)
        manager.POST(
            "https://my.url.com/api/v1/auth",
            parameters: nil,
            success: { (operation: AFHTTPRequestOperation!,
                responseObject: AnyObject!) in
                println("JSON: " + responseObject.description)
            },
            failure: { (operation: AFHTTPRequestOperation!,
                error: NSError!) in
                println("Error: " + error.localizedDescription)
        })

If I'm making a mistake in my request with AlamoFire, would you mind pointing it out?

[rjsamson]

I'm having the same issue. The example in the README actually doesn't work either.

[mattt]

These are doing different things. Alamofire is creating a credential that will be used during an authentication challenge, whereas AFNetworking is setting the Authorization header in the initial request.

[luketheobscure]

Came here to ask this exact question. @mattt I understand your answer, but maybe update the ReadMe to explain a bit more?

[mikecole20]

Thanks for the clarification @mattt.

I'll explain for anyone else who may be running into this issue. Based on the implementation in AFNetworking, what I need to do is create the Authorization header myself instead of using the current authenticate method. In AFNetworking (and in general) this header should look like this.

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Here, QWxhZGRpbjpvcGVuIHNlc2FtZQ== is username:password after Base64 encoding.

The issue with using AlamoFire over AFNetworking (for now) is that you have to do the Base64 encoding yourself. AFNetworing included an encoding implementation which was called behind the scenes while creating the header. All you had to do is pass in the username and password. That being said, I imagine @mattt or someone will add that functionality into AlamoFire at some point.

[zkirill]

This caught me too. Thank you for explaining! Code below to hopefully save someone else time.

let plainString = "username:password" as NSString
let plainData = plainString.dataUsingEncoding(NSUTF8StringEncoding)
let base64String = plainData?.base64EncodedStringWithOptions(NSDataBase64EncodingOptions.fromRaw(0)!)
Alamofire.Manager.sharedInstance.defaultHeaders["Authorization"] = "Basic " + base64String!

Encoding code adopted from http://ios-blog.co.uk/tutorials/quick-tips/base64-decoding-in-ios-7-objective-c-and-ios8-swift/

[macu]

How about adding a pre-auth param to the authenticate method, with default value false?

For comparison, HttpWebRequest in .NET uses a PreAuthenticate property. I'm porting apps from Xamarin/C# to Swift.

[loopj]

This caught me too.

Many APIs (including GitHub's popular API) do not send the www-authenticate header, and just expect an Authorization header to be sent with any requests, so the current behavior is not ideal.

[loopj]

For future travelers, if you'd like to pre-authorize:

let plainString = "\(user):\(password)" as NSString
let plainData = plainString.dataUsingEncoding(NSUTF8StringEncoding)
let base64String = plainData?.base64EncodedStringWithOptions(NSDataBase64EncodingOptions.fromRaw(0)!)

Alamofire.Manager.sharedInstance.session.configuration.HTTPAdditionalHeaders = ["Authorization": "Basic " + base64String!]

Alamofire.request(.GET, "http://example.com")
    .response {(request, response, _, error) in
        println(response)
    }

[brow]

Update for people seeing @loopj's comment in 2015: the README now notes that

[Modifying the session configuration] is not recommended for Authorization or Content-Type headers. Instead, use URLRequestConvertible and ParameterEncoding, respectively.

[zkirill]

@brow Thanks for the heads up. Can someone please comment on why this is not recommended?

[brow]

I think the idea is that NSURLConnection is designed to manage stateful authorization for you according to RFC 2617 and therefore doesn't expect you to override the Authorization header.

[eraye1]

Just got trolled by this... 👊

[skywinder]

Same thing. 👊 :
Quite confusing after AFNetworking (since I worried, when found, that authenticate called after request), but it's quite unclear for first time usage.

And update for @loopj code in favor of Swift 1.2:

let plainString = "\(user):\(password)" as NSString
let plainData = plainString.dataUsingEncoding(NSUTF8StringEncoding)
let base64String = plainData?.base64EncodedStringWithOptions(NSDataBase64EncodingOptions(rawValue: 0))

Alamofire.Manager.sharedInstance.session.configuration.HTTPAdditionalHeaders = ["Authorization": "Basic " + base64String!]

[cslosiu]

Very helpful post. Save my day!

[tomj]

Thanks @skywinder - @mattt perhaps we could simply point out in the README that the HTTP basic auth challenge in Alamofire is different in nature to setAuthorizationHeaderFieldWithUsername in AFNetworking?

[skywinder]

@mattt I create feature-request #502, that can also solve this confusion in auth behaviours.

[blevine]

Using the Alamofire.Manager.sharedInstance seems a little dangerous if, for example, I'm making multiple requests to different endpoints that require different credentials. Doing preemptive authentication seems like it's common enough to warrant an enhancement to the API. I like @macu's suggestion of adding a PreAuthenticate property or something similar

[joshuaziering]

Just ran into this as well. +1 for Authorization headers....

[raeidsaqur]

As an update to @loopj @skywinder implementation, with AlamoFire > 4.0.0, you can alternatively use the static func authorizationHeader in Request.swift, which conveniently does the encoding for you. Something like:

static func getRequestHttpHeaders() -> HTTPHeaders {
    let authTuple: (key: String, value: String)? = Request.authorizationHeader(user: user, password: password)
    return [authTuple?.key : authTuple?.value, $(OTHER_HEADERS)]
}