Skip to content

WebSocket (and probably fetch) does not support Authorization header from URL #4744

Description

@domenic

Bug Description

When I create a connection to a WebSocket URL such as ws://foo:bar@localhost:1337/, no Authorization header shows up.

Reproducible By

const { WebSocket } = require("undici");
const { createServer } = require("http");

const server = createServer();
server.on("upgrade", (req) => {
  console.log("Authorization:", req.headers.authorization);
  console.log("Expected:     ", "Basic " + Buffer.from("foo:bar").toString("base64"));
  process.exit();
});

server.listen(0, () => {
  new WebSocket(`ws://foo:bar@localhost:${server.address().port}/`);
});

Expected Behavior

The header should be available.

Web platform test: https://github.com/web-platform-tests/wpt/blob/master/websockets/basic-auth.any.js

Logs & Screenshots

Authorization: undefined
Expected:      Basic Zm9vOmJhcg==

Environment

  • Node v25.2.1
  • undici 7.18.2

Additional context

Claude claims this is caused by

undici/lib/web/fetch/index.js

Lines 1527 to 1534 in 250efc8

// 20. If includeCredentials is true, then:
if (includeCredentials) {
// 1. If the user agent is not configured to block cookies for httpRequest
// (see section 7 of [COOKIES]), then:
// TODO: credentials
// 2. If httpRequest’s header list does not contain `Authorization`, then:
// TODO: credentials
}
, and that seems plausible, although I haven't double-checked that the fetch code is used for the WebSocket connection.

The ws package gets this correct: https://github.com/websockets/ws/blob/ca533a53f338c4a40a3881dd6dff7e5867d06893/lib/websocket.js#L848-L856

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions