
Comments (8)

kningyi avatar kningyi commented on June 16, 2024

Ok, I think I managed to replicate the issue on different environments.

Basically I have password protection using basic auth on my site via this module https://github.com/nabehiro/HttpAuthModule

I have parts of the site whitelisted from password protection, including any backend urls, like those beginning with /sitecore or /-/

When I have not entered the basic auth creds in the browser for the front-facing site, I'm able to trigger downloads from the ListView or Out-Download.

However, after I entered the basic auth creds in the same browser but a different tab, I get the 404 error when triggering the download. Somehow it seems like there's a 302 redirect to a 404 page.

I realised I missed out this warning from the SPE logs:

A request to the handleDownload service could not be completed because the provided credentials are invalid

Comparing the headers of the errored handler request with the one without error, the one that's doing a 302->404 redirect has an additional 'www-authenticate:' in the response headers and 'authorization' in the request headers from the basic auth creds.

Seems related to #1203?

When I implemented the following code in web.config, the download works whether or not I entered basic auth creds, but this seems kinda nuclear lol.

<location path="-/script/handle">
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="www-authenticate:" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</location>

So any ideas on how to fix this?

from console.

michaellwest avatar michaellwest commented on June 16, 2024

As seen in the documentation, most of the services are disabled by default. You can enable the handle endpoint if you want to be able to download from the UI provided by SPE.

The error message you pointed out from the log file is the key indicator that the service is disabled.

In short, this is by design and there's nothing to fix but rather configure.


michaellwest avatar michaellwest commented on June 16, 2024

Read more about it here: https://doc.sitecorepowershell.com/security#configure-web-services


kningyi avatar kningyi commented on June 16, 2024

Hmmm, I'm running the code through the SPE ISE though?
The documentation link looks like it's for accessing from outside of Sitecore.

Also, I'm able to trigger the Out-Download as long as I do not enter any basic auth creds in my site.
However, when I entered basic auth creds in the same window (hence resulting in the response header having a "www-authenticate:" for the domain), the Out-Download now fails.


michaellwest avatar michaellwest commented on June 16, 2024

If you are testing this locally you can try the "Shields Down" config to see if everything starts working. Can you tell me the outcome of that?


kningyi avatar kningyi commented on June 16, 2024

Yes, I already have that config in my local and same issue when I entered basic auth creds.


kningyi avatar kningyi commented on June 16, 2024

Ok an update, apparently removing name="www-authenticate:" from web.config did not affect my headers. Had to implement the script workaround in #1203 (comment) instead with extra line req.setRequestHeader("Authorization", ""); below req.open("GET", url, true);, no web.config changes needed.

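The client-side workaround described in the comment above, as an added example (not code from the thread, from #1203, or from SPE): an XHR download that sets an empty Authorization header directly after `open()`. The function name, the injectable XHR constructor, the stand-in class and the placeholder URL are assumptions made for illustration.

```javascript
// Added example; not SPE's own script. All names here are hypothetical.
// Requests a download from the handle endpoint without forwarding the
// site's basic auth credentials, in the order given in the comment:
// req.open(...) first, then req.setRequestHeader("Authorization", "").
function downloadFromHandler(url, XhrCtor) {
  // In a browser, omit XhrCtor to use the built-in XMLHttpRequest.
  const Ctor = XhrCtor || XMLHttpRequest;
  return new Promise((resolve, reject) => {
    const req = new Ctor();
    req.open("GET", url, true);
    // Must come after open(); setRequestHeader throws on an unopened request.
    req.setRequestHeader("Authorization", "");
    req.responseType = "blob";
    req.onload = () => {
      // XHR follows the 302 itself, so a redirect to the 404 page ends up here.
      if (req.status === 200) {
        resolve(req.response);
      } else {
        reject(new Error("handler returned HTTP " + req.status));
      }
    };
    req.onerror = () => reject(new Error("network error requesting " + url));
    req.send();
  });
}

// Constructed stand-in for XMLHttpRequest so the block runs outside a browser.
// It records what the caller did and answers 200 only when no credentials
// are sent, mimicking the behaviour reported in the thread.
class RecordingXhr {
  constructor() { this.calls = []; this.headers = {}; RecordingXhr.last = this; }
  open(method, url, isAsync) { this.calls.push("open"); this.method = method; this.url = url; }
  setRequestHeader(name, value) {
    if (!this.calls.includes("open")) throw new Error("InvalidStateError");
    this.calls.push("setRequestHeader");
    this.headers[name.toLowerCase()] = value;
  }
  send() {
    this.calls.push("send");
    this.status = this.headers["authorization"] ? 404 : 200;
    this.response = this.status === 200 ? "file-bytes" : null;
    this.onload();
  }
}

downloadFromHandler("/-/script/handle/placeholder", RecordingXhr)
  .then((body) => console.log("downloaded:", body));
```
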

AdamNaj avatar AdamNaj commented on June 16, 2024

This seems like it was handled, and the issue also appears to be stale.
