From b8f42ed03f8b7b1774cc706a4c285a65508ae58c Mon Sep 17 00:00:00 2001
From: Andrew Phillips <andrew.phillips2@canada.ca>
Date: Thu, 28 Aug 2025 16:18:28 -0300
Subject: [PATCH] feat: add WWW-Authenticate header for 401 responses

Co-authored-by: aider (openai/andrew/openrouter/deepseek/deepseek-chat-v3.1) <aider@aider.chat>
---
 src/modes/server/common.rs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/modes/server/common.rs b/src/modes/server/common.rs
index e457616..245a4cd 100644
--- a/src/modes/server/common.rs
+++ b/src/modes/server/common.rs
@@ -238,7 +238,14 @@ pub fn create_auth_middleware(
             
             if !check_auth(&headers, &password, &password_hash) {
                 warn!("Unauthorized request to {} from {}", uri, addr);
-                return Err(StatusCode::UNAUTHORIZED);
+                // Add WWW-Authenticate header to trigger basic auth in browsers
+                let mut response = Response::new(axum::body::Body::from("Unauthorized"));
+                *response.status_mut() = StatusCode::UNAUTHORIZED;
+                response.headers_mut().insert(
+                    "www-authenticate",
+                    "Basic realm=\"Keep Server\", charset=\"UTF-8\"".parse().unwrap(),
+                );
+                return Ok(response);
             }
             
             let response = next.run(request).await;