
Improve Authentication handling in webUI #2036

Open
maxberger wants to merge 2 commits into Kozea:master from maxberger:master

@maxberger
Contributor

  • WebUI now properly recognizes pre-authentication, e.g. through X-Remote-User
  • WebUI now uses Authentication header instead of putting the password in the URL

Unfortunately this does cause a message in the console since the authentication is checked on first load; that message can be safely ignored.

@pbiering pbiering added this to the 3.7.0 milestone Mar 22, 2026
@pbiering pbiering added webui built-in WebUI sharing collection sharing labels Mar 22, 2026
@pbiering
Collaborator

> WebUI now properly recognizes pre-authentication, e.g. through X-Remote-User

The original behavior is intended: reverse proxies have to exclude /.web from the authentication requirement, as the related example configurations show. The same needs to be applied (excluded) for the upcoming /.token. Can you please remove that part from the PR?

@pbiering pbiering assigned pbiering and maxberger and unassigned pbiering Mar 22, 2026
@maxberger
Contributor Author

> > WebUI now properly recognizes pre-authentication, e.g. through X-Remote-User
>
> The original behavior is intended: reverse proxies have to exclude /.web from the authentication requirement, as the related example configurations show. The same needs to be applied (excluded) for the upcoming /.token. Can you please remove that part from the PR?

I think there is some confusion here: the check is not on the .web/ directory itself. index.html and all the .js files in it are loaded as is and, as you said, need to be free from authentication.

What this does internally is: before showing the login screen, it tries a PROPFIND for the current user's collection without credentials. If this one returns 401, we know we need to send all future requests with user/pass (previous behavior). The only difference you see is the result of this call in the console.

However, if the call succeeds, e.g. because the user has valid credentials already (e.g. through x-remote-user or other methods, of course only if configured as auth), then this and all future calls are sent without username/password; they would not matter anyways, and the login screen can be skipped.
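
The probe-then-login flow described in the comment above, as an added JavaScript example that is not the PR's code. The function names, the injectable `fetchImpl` parameter and the collection URL passed in are hypothetical, and treating any status other than 401 or 2xx as "error" (fall back to the login form) is an assumption.

```javascript
// Added illustration, not code from the pull request. All names are hypothetical.

// RFC 7617 Basic credentials, UTF-8 encoded. A user-id may not contain ":".
function basicAuthHeader(user, password) {
  if (user.includes(":")) throw new Error("user name must not contain ':'");
  const bytes = new TextEncoder().encode(`${user}:${password}`);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return "Basic " + btoa(bin);
}

// Build fetch() options. Credentials travel only in the Authorization header,
// never as user:pass@host in the URL (where they leak into logs and history).
function davRequest(method, creds) {
  const headers = {};
  if (method === "PROPFIND") headers.Depth = "0";
  if (creds) headers.Authorization = basicAuthHeader(creds.user, creds.password);
  return { method, headers };
}

// Map the status of the credential-less probe to a UI decision.
function classifyProbe(status) {
  if (status === 401) return "login-required";      // previous behavior: ask for user/pass
  if (status >= 200 && status < 300) return "pre-authenticated"; // e.g. 207 Multi-Status
  return "error";                                   // assumption: show login form on 403/5xx
}

// Probe once before rendering the login form.
// fetchImpl is injectable so the logic can be exercised without a server.
async function probeAuth(collectionUrl, fetchImpl = fetch) {
  try {
    const res = await fetchImpl(collectionUrl, davRequest("PROPFIND", null));
    return classifyProbe(res.status);
  } catch (e) {
    return "error"; // network failure: do not assume pre-authentication
  }
}
```

The probe only observes the server's decision: whether a header such as X-Remote-User is honoured is determined by the server's configured auth method, not by the client.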
