Skip to content

fix: add explicit default auth challenge handling to SessionDelegate#51

Merged
Recouse merged 1 commit into
Recouse:mainfrom
liefran-sim:fix/add-default-auth-challenge-handling
May 14, 2026
Merged

fix: add explicit default auth challenge handling to SessionDelegate#51
Recouse merged 1 commit into
Recouse:mainfrom
liefran-sim:fix/add-default-auth-challenge-handling

Conversation

@liefran-sim
Copy link
Copy Markdown
Contributor

@liefran-sim liefran-sim commented May 11, 2026

Summary

  • Adds urlSession(_:didReceive challenge:completionHandler:) to SessionDelegate with .performDefaultHandling
  • Fixes SSE connections silently failing when going through MITM proxies (mitmproxy, Charles Proxy, etc.)

Closes #50

Problem

When using EventSource through an MITM proxy with a trusted CA certificate installed at the OS level, SSE connections fail silently. The request never reaches the proxy and no error events are emitted.

SessionDelegate implements URLSessionDataDelegate but does not implement the authentication challenge delegate method. While URLSession should fall back to default system trust evaluation, in practice this can cause connections to be silently rejected when a custom delegate is present without explicit challenge handling.

Fix

Add explicit .performDefaultHandling to SessionDelegate:

func urlSession(
    _ session: URLSession,
    didReceive challenge: URLAuthenticationChallenge,
    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
) {
    completionHandler(.performDefaultHandling, nil)
}

This explicitly delegates to the system's default trust evaluation, which correctly respects user-installed CA certificates. This has no effect on normal (non-proxy) connections — it simply makes the default behavior explicit rather than implicit.

@liefran-sim liefran-sim requested a review from Recouse as a code owner May 11, 2026 04:11
@liefran-sim
fix: add explicit default auth challenge handling to SessionDelegate
47b2713 
Without implementing urlSession(_:didReceive challenge:), URLSession
may silently reject server certificates in certain proxy/MITM scenarios
(e.g., mitmproxy, Charles Proxy) even when the CA certificate is
installed and trusted at the OS level.

Adding explicit .performDefaultHandling ensures the system's default
trust evaluation is used, which correctly respects user-installed CA
certificates. This has no effect on normal (non-proxy) connections.
@liefran-sim liefran-sim force-pushed the fix/add-default-auth-challenge-handling branch from f962b84 to 47b2713 Compare May 11, 2026 04:42
Recouse
Recouse approved these changes May 14, 2026
View reviewed changes
Copy link
Copy Markdown
Owner

@Recouse Recouse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi,
Thanks for the PR!

I’ll accept it, but in the future, it would be good to support custom authentication, similar to the approach used in #47.

@Recouse Recouse merged commit dcdd880 into Recouse:main May 14, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Recouse Recouse Recouse approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SSE connections fail silently through MITM proxies (missing auth challenge delegate)

2 participants

@liefran-sim @Recouse