I’ve tried both, using Basic-Auth with _headers and a site-wide password, and will elaborate on the problems I’ve noticed with both approaches.
Site-wide password: Works fine for the front-end, but all requests to the API, which is available through a proxied api route, will fail while the site is being generated (using Nuxt.js here).
_headers: Works mostly fine but clashes with JWT Auth with the API as the Authorization header is used for both.
The password protection is only necessary for the dev and staging builds, so I’m not sure if roles would help here.
Two “solutions” that’d solve the issue:
- Have a header with a token to bypass the “site-wide password”
- Have a way to exclude routes from basic auth (“all except /api”)