Fix 403 on HTMX fragment requests: AdminAuth Basic Auth sets session key

2026-05-06 11:09:18 +02:00 · 2026-05-04 18:33:27 +02:00
parent 37111eaac4
commit 125c501f40
2 changed files with 15 additions and 1 deletions
--- a/app/src/AdminAuth.php
+++ b/app/src/AdminAuth.php
@@ -78,6 +78,7 @@ class AdminAuth
        }
        // Try to auto-authenticate from the nginx Basic Auth credentials.
        if (isset($_SERVER['PHP_AUTH_PW']) && self::verifyHash($_SERVER['PHP_AUTH_PW'], $storedHash)) {
+            $_SESSION[self::SESSION_KEY] = true;
            return;
        }
        header('Location: ' . self::LOGIN_URL);
@@ -141,7 +142,16 @@ class AdminAuth
        if ($storedHash === null) {
            return true; // No password configured → dev mode.
        }
-        return !empty($_SESSION[self::SESSION_KEY]);
+        if (!empty($_SESSION[self::SESSION_KEY])) {
+            return true;
+        }
+        // Also accept nginx Basic Auth credentials directly (e.g. HTMX fragment
+        // requests that arrive before a PHP session has been established).
+        if (isset($_SERVER['PHP_AUTH_PW']) && self::verifyHash($_SERVER['PHP_AUTH_PW'], $storedHash)) {
+            $_SESSION[self::SESSION_KEY] = true;
+            return true;
+        }
+        return false;
    }

    /**