Allow some paths to bypass password protection

[ericmatthys]

It is difficult to have a fully functional staging environment with password protection enabled, because password protection can interfere with some features. Native deep linking is one that is not possible in our staging environment because password protection on /manifest.json and /.well-known/apple-app-site-association interferes with native mobile apps handling deep links. I've also had issues with cross-origin API route requests. We have two sites deployed from a monorepo and it is not possible for site A to make an API request to site B while password protection is enabled on site B. The CORS preflight ends up blocked. Disabling password protection fixes the issue. Being able to bypass password protection on all /api/* routes would allow the issue to be worked around while keeping password protection enabled.

[leerob]

You can create your own custom password protection with Middleware.

https://github.com/vercel/examples/tree/main/edge-functions/basic-auth-password

[ericmatthys]

Would using middleware in pages mean that every page request is going through a Cloudflare Worker even in the production environment? In other words, there is no way to limit it just to the staging environment and we'd need to add a VERCEL_ENV condition in the middleware to bypass the check in production, changing how production behaves.