[RTCHTTPRequestHandler] http request sent twice when server returns 'www-authenticate'

[aprock]

Results
When using the fetch api against an http server that returns 'www-authenticate' in the response headers, requests are immediately repeated.

Expected
When running the same fetch in a node.js program, using node-fetch, only one request is sent.

Details
I sent a simple fetch request, something like...

fetch(url)
  .then((response) => response.text())
  .then((responseText) => {
    console.log(responseText);
  })
  .catch((error) => {
    console.warn(error);
  });

To a test server that returns 'www-authenticate'
https://gist.github.com/aprock/e21ed771ff285f5992fc

The server logs two identical requests for that single fetch, within milliseconds of each other.
These are the log snippets from a simple web server I built to show this.

401 refused Fri Aug 07 2015 10:30:23 GMT-0700 (PDT) (1438968623728)
...
401 refused Fri Aug 07 2015 10:30:23 GMT-0700 (PDT) (1438968623732)

Investigation
I did some digging into what would cause this, and have hit a wall. It seems that the Foundation Framework is handling the challenge itself. (NSURLSessionAuthChallengePerformDefaultHandling), however when I try to add - URLSession:task:didReceiveChallenge:completionHandler: to RTCHTTPRequestHandler.m, and override the NSURLSessionAuthChallengeDisposition value...ANY values sent to the completionHandler will still trigger this replay.

[alexeylang]

I've investigated the issue. Looks like it's not a bug of React Native. The reason is in the behaviour of NSURLSession. I've created new empty project with NSURLSession code only and the issue is reproduced. The response of first request is handled in didReceiveChallenge: delegate method by receiving challenge.failureResponse. And response for the second request is handled in didReceiveResponse: delegate method. I think it may be handled by developer depends on specific implementation of delegate methods. I see the same behaviour when I send request by AFNetworking.

[aprock]

Thanks for investigating, I wanted to put something up here if anyone else has a similar issue with this flow. The 3rd party webserver I'm connecting to runs on an embedded device, and the second request causes it problems.

My current workaround is to add a category to RCTHTTPRequestHandler that cancel's the task.

- (void)URLSession:(NSURLSession *)session
              task:(NSURLSessionTask *)task
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition,
                             NSURLCredential *credential))completionHandler
{
    // just drop the session, since calling completionHandler causes another request to be sent
    [task cancel];
}

The fetch api pollyfill doesn't seem to have a good path for overriding credentials, however a more permanent fix might be to enable some customization around this.