How to override Basic Auth mechanism on Public Page or Public API call

Hi Everyone,

I am working on a app to feed contacts data to devices like SIP phones, so far everything is working pretty well.

But I am now trying to add a layer of security using basic auth. Yes, I know basic auth is very insecure, but I have no choice in this, as most SIP devices only support basic auth.

I want to use a custom authentication list/table for these request instead of the user’s credentials, as using the users credentials would stop the feed from functioning ever time the user changed their password.

The problem I have come across is that if I send a request to NC with a basic auth header, NC ends up processing the login, and does not fire my method unless I enter the NC users credentials.

So what are my options to get around this?

A. is there a way to disable the NC authentication process on certain paths?
B. Is there a way to create something like application credentials?
c. Is there any other solution?



I have read your other related post but had no direct clear answer for you. I wanted to verify a few things in the server core.

To get you on the same page, I give you a few guesses by me. These are not checked and not verified. So take them with caution.

  1. The security middleware might be responsible for analyzing the credentials.
  2. You might need to define the page as public
  3. It might be a good idea to define your custom middleware to check the credentials
  4. GitHub, code search or step debugging might be an option to get to the point where the core analyses the credentials.
  5. There are other options, you could have a look at: guest app

Here on the mobile phone, it is hard to inspect code die to the small display. Maybe I can look later into it once I am in front of a full monitor.


Hey @christianlupus ,

So, I’ve already tried most of these, unfortunately.

  1. Not sure if its security middleware, but this definitely something in NC. When I use a Basic Auth that dose NOT match a NC user, the request gets terminated even before the application.php and routes.php get processed. I have confirmed this with xdebug, unfortunately I have not stepped through the entire load process yet.

  2. The method is defined as public.

  1. I have tried creating a middleware class, unfortunately, this also does not get triggered, when I use a Basic Auth that dose NOT match a NC user.
  1. I have looked at the code for most of the relevant apps for NC but it seems no one has tried this before. Yay me. Lol

  2. I had a look at the guest app, yes it uses a custom user backend, BUT, the authentication is still handled through the standard WebUI, and basic auth seems to be handled at a even lower lever since it does not even trigger the application.php or the routes.php which are pretty much the bottom of the stack.

Maybe you can shot the dev guys a message and see what they think?


OK, I will relay your question, no problem.

Haven looked at the guests backend code, you might be able to create also a backend for fake users just for handling the SIP requests. That is not nice IMHO but might work. Let’s see, what the others might bring for an idea…


Thank you, that would be fantastic. I did read through the load process this morning, looks like the auth headers are getting picked off in the main init routine in the server base.php.

And then the login check is performed in the same class,

And I agree, having to create a back end just for this would be a pain.