Allow XMLHttpRequests to prevent password dialogs

When presented a WWW-Authenticate header with "Basic", a browser will
always ask the user for a password, before returning the 401 response to
the web application issuing the XHR in the first place.
Returning a fake authentication method instead seems to be the common
workaround pattern.

CHANGES/+xmlhttp.feature

@@ -0,0 +1,2 @@
+Added a check to the basic auth module to respect the `X-Requested-With: "XMLHttpRequest"` header.
+In return the signature of the `WWW-Authenticate` header is changed so browsers will not pop up a password dialog.

pulpcore/app/authentication.py

@@ -8,14 +8,27 @@
 
 from django.contrib.auth import authenticate
 from django.contrib.auth.backends import RemoteUserBackend
-from rest_framework.authentication import BaseAuthentication, RemoteUserAuthentication
+from rest_framework.authentication import (
+    BaseAuthentication,
+    RemoteUserAuthentication,
+    BasicAuthentication as OrigBasicAuthentication,
+)
 from rest_framework.exceptions import AuthenticationFailed
 
 from pulpcore.app import settings
 
 _logger = logging.getLogger(__name__)
 
 
+class BasicAuthentication(OrigBasicAuthentication):
+    def authenticate_header(self, request):
+        xrw_header = request.headers.get("X-Requested-With")
+
+        if xrw_header is not None and xrw_header.lower() == "xmlhttprequest":
+            return "x" + super().authenticate_header(request)
+        return super().authenticate_header(request)
+
+
 class PulpRemoteUserAuthentication(RemoteUserAuthentication):
     header = settings.REMOTE_USER_ENVIRON_NAME
 

pulpcore/app/settings.py

@@ -164,7 +164,7 @@
     "PAGE_SIZE": 100,
     "DEFAULT_PERMISSION_CLASSES": ("pulpcore.app.access_policy.AccessPolicyFromDB",),
     "DEFAULT_AUTHENTICATION_CLASSES": (
-        "rest_framework.authentication.BasicAuthentication",
+        "pulpcore.app.authentication.BasicAuthentication",
         "rest_framework.authentication.SessionAuthentication",
     ),
     "UPLOADED_FILES_USE_URL": False,