Excluding certain routes when BASIC_AUTH_FORCE = True

[domkck]

Hi, would you be interested in a patch that adds support for excluding certain routes when BASIC_AUTH_FORCE = True? I want to protect all endpoints with the exception of for example /healthcheck.

[panuhorsmalahti]

Related: exclude certain methods, like OPTIONS, which is required for CORS, but which can't contain Authorization header.

[megahall]

This might help: #14 .

[mdavis-xyz]

#14 resolves the CORS issue, but not the /healthcheck issue.

@domkck did you end up writing that patch?

I assume we just need something like @basic_auth.required, but the opposite.

[mdavis-xyz]

@jpvanhal this repo hasn't been updated in a while. Can you confirm that if I write a PR for this that you'll accept it?

[wvengen]

I'm using the following workaround:

class BasicAuthExceptHealthcheck(BasicAuth):
    def authenticate(self):
        return request.path == "/healthcheck" or super().authenticate()

then use BasicAuthExceptHealthcheck instead of BasicAuth. This works with BASIC_AUTH_FORCE=True, making an exception for /healthcheck to not require auth (all other routes do).